I would do this in a couple of distinct steps:
| rex field=_raw ":\s+error_code\W+(?<full_path>[^,]+),(?<line>[^)]+)\W+(?<test_path>.+)"
Followed by:
| rex field=full_path "(?<filename>\w+)$"
Followed by:
| rex field=test_path "(?<testname>[^\.]+)$"
Presuming, of course, there are no dots in the “testname” – this will work 🙂
from User warren – Stack Overflow https://stackoverflow.com/questions/62281287/how-to-extract-contents-after-the-last-slash-in-fields-in-splunk/62282465#62282465
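The three extractions above, emulated with Python's `re` module on constructed log lines. This is an added example, not part of the original answer: the sample events and the `extract` helper are assumptions, and the patterns are rewritten in Python's `(?P<name>...)` group syntax. It also shows what the last two patterns return when the path or test name contains a dot.

```python
import re

# The answer's three rex patterns in Python syntax. rex searches unanchored
# and keeps the first match, which is what re.search does.
STEPS = [
    ("_raw", r":\s+error_code\W+(?P<full_path>[^,]+),(?P<line>[^)]+)\W+(?P<test_path>.+)"),
    ("full_path", r"(?P<filename>\w+)$"),
    ("test_path", r"(?P<testname>[^\.]+)$"),
]

def extract(raw):
    """Apply the steps in order; a step that does not match adds no fields."""
    fields = {"_raw": raw}
    for source, pattern in STEPS:
        if source not in fields:
            continue  # an earlier step did not produce this field
        match = re.search(pattern, fields[source])
        if match:
            fields.update(match.groupdict())
    return fields

# Constructed sample events (the original data is not shown on the page).
EVENT_OK = "2020-06-09 12:00:01 ERROR: error_code(/opt/ci/src/parser,42) suite.auth.test_login"
EVENT_EXT = "2020-06-09 12:00:02 ERROR: error_code(/opt/ci/src/parser.c,7) suite.auth.test_login"
EVENT_DOT = "2020-06-09 12:00:03 ERROR: error_code(/opt/ci/src/parser,9) suite.auth.test_login.v2"
EVENT_NONE = "2020-06-09 12:00:04 INFO: all tests passed"

if __name__ == "__main__":
    for event in (EVENT_OK, EVENT_EXT, EVENT_DOT, EVENT_NONE):
        f = extract(event)
        print({k: v for k, v in f.items() if k != "_raw"})
```

In the first pattern the leading `\W+` consumes both `(` and the first `/`, so `full_path` starts at `opt`. With `\w+$` a path ending in `parser.c` yields `c`, and with `[^\.]+$` a dotted test name yields only its last segment.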