Here are two options:
First
If you want what’s between the GET and HTTP, this will do it:
| rex field=_raw "GET\s+(?<fname>\S+)\s+HTTP"
Start at the string literal GET, go one (or more) whitespaces, then put everything that’s not a whitespace character (up until a whitespace sequence that ends in the string literal HTTP) into the new field fname.
Functionally, you can leave off the \s+HTTP from the regex, but for fullness’ sake, you may want to choose to leave it in there.
Second
If you only want the ending filename, this is it:
| rex field=_raw "(?<fname>[\.\-\w]+)\s+HTTP"
This will match all instances of ., -, and any word character (\w) as many times as they are found before a sequence of whitespace characters (\s+) followed by the string literal HTTP into the new field fname.
Or, optionally (though more steps to find the match, it might be better in your case):
| rex field=_raw "(?<fname>[^\/]+)\s+HTTP"
This one will match anything that is not a front slash (/) up to the series of whitespaces followed by HTTP all into the new field fname.
from User warren – Stack Overflow https://stackoverflow.com/questions/64017500/extract-filename-out-of-raw-data-using-regex/64031109#64031109
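Added example (not part of warren's answer): the three rex patterns above, run as JavaScript regular expressions, which accept the same (?<fname>...) named-group syntax, against constructed access-log lines to show where their results diverge. The sample lines and the names PATTERNS, SAMPLES, extract and compareAll are assumptions made for this illustration.

```javascript
// The three patterns from the answer, copied verbatim into JavaScript regex literals.
const PATTERNS = {
  fullPath: /GET\s+(?<fname>\S+)\s+HTTP/,           // first option
  wordChars: /(?<fname>[\.\-\w]+)\s+HTTP/,          // second option
  afterLastSlash: /(?<fname>[^\/]+)\s+HTTP/,        // second option, alternative
};

// Constructed access-log lines (not taken from the original question).
const SAMPLES = {
  plain: '10.0.0.5 - - [22/Sep/2020:10:15:01 +0000] "GET /files/docs/report-v2.pdf HTTP/1.1" 200 5120',
  query: '10.0.0.5 - - [22/Sep/2020:10:15:02 +0000] "GET /app/download.php?file=report.pdf HTTP/1.1" 200 5120',
  directory: '10.0.0.5 - - [22/Sep/2020:10:15:03 +0000] "GET /files/docs/ HTTP/1.1" 200 812',
  encoded: '10.0.0.5 - - [22/Sep/2020:10:15:04 +0000] "GET /files/my%20report.pdf HTTP/1.1" 200 5120',
};

// Return the fname capture for one pattern and one raw line, or null when
// the pattern does not match (in Splunk the field would simply be absent).
function extract(patternName, line) {
  const m = PATTERNS[patternName].exec(line);
  return m ? m.groups.fname : null;
}

// Build a sample-by-pattern table of extracted values.
function compareAll() {
  const table = {};
  for (const [sample, line] of Object.entries(SAMPLES)) {
    table[sample] = {};
    for (const name of Object.keys(PATTERNS)) {
      table[sample][name] = extract(name, line);
    }
  }
  return table;
}

console.table(compareAll());
```

The second pattern returns the query-parameter value for the query line and a truncated name for the percent-encoded line, and both filename-only patterns return no match for a request that ends in a slash.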