I almost always use multiple rex statement to get what I want … but if you "know" the data is consistent, this will work (tried on regex101.com):
| rex field=_raw "(?<classname>[^\/]+)\/(?<featurename>[^\.]+)\.[[:punct:]]+(?<project>[\w].+)"
What this regular expression does:
- <classname>:: everything from the front of the event to a front slash (/)
- <featurename>:: whatever follows the front slash (/) until a literal dot (.)
- discard all found punctuation
- <project>:: whatever is left on the line
According to regex101.com, this is likely the most efficient rex you can use (14 steps total)
from User warren – Stack Overflow https://stackoverflow.com/questions/68169998/splunk-split-a-field-into-multiple-fields-based-on-delimiters/68170164#68170164
via IFTTT
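The same split, worked through outside Splunk so the "if you know the data is consistent" caveat can be seen on concrete input. This is an added example, not code from the answer above or from Splunk: it ports the rex pattern to Python's `re`, which has no POSIX `[[:punct:]]` class, so an explicit ASCII punctuation class (`string.punctuation`) stands in for it, and `re.search` is used because rex, like search, is not anchored to the start of the event. The event strings are constructed for illustration.

```python
import re
import string

# Python's re lacks POSIX [[:punct:]]; this ASCII punctuation class is assumed
# to be equivalent for the data at hand (string.punctuation, escaped for use
# inside a character class).
PUNCT = "[" + re.escape(string.punctuation) + "]"

SPLIT_RE = re.compile(
    r"(?P<classname>[^/]+)/"       # everything up to the first forward slash
    r"(?P<featurename>[^.]+)\."    # then everything up to the first literal dot
    + PUNCT + r"+"                 # one or more punctuation chars, not captured
    r"(?P<project>\w.+)"           # whatever is left on the line
)

# Constructed sample events (not real data); the last two are deliberately
# "inconsistent" with the layout the regex assumes.
EVENTS = [
    "OrderService/Checkout.::ProjectPhoenix",      # the expected layout
    "auth/v1/Login.--IdentityCore",                # a slash inside the feature part
    "OrderService/Checkout.ProjectPhoenix",        # no punctuation after the dot
    "OrderService/Checkout.v2.::ProjectPhoenix",   # a dot inside the feature part
]


def split_event(raw):
    """Return the three extracted fields as a dict, or None when the event
    does not fit the assumed layout (rex would simply leave the fields unset)."""
    m = SPLIT_RE.search(raw)
    return m.groupdict() if m else None


def split_events(events):
    """Apply split_event to each event, pairing the raw line with its result
    so unmatched events are visible rather than silently dropped."""
    return [(raw, split_event(raw)) for raw in events]


if __name__ == "__main__":
    for raw, fields in split_events(EVENTS):
        print(f"{raw!r:45} -> {fields}")
```

Two things the run makes obvious: `[^\.]+` happily swallows a second slash, so `auth/v1/Login.--IdentityCore` yields `featurename=v1/Login` rather than an error, and any event with an extra dot before the punctuation run, or with no punctuation at all after the dot, yields no match and therefore no fields. If either shape can occur in the data, a chain of narrower rex statements (as the answer itself suggests) or an anchored pattern is the safer choice.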