This regular expression will match the last part of the URL that ends with (case-insensitive) "exe", and that ends the string:
| rex field=URL_Field "\/(?<exename>[^\/]+[eExXeE]{3})$"
THe format is this: start with a front slash, then match everything that’s not a front slash that ends with "exe","EXE", etc, and that is at the end of the string in question
As you mentioned in a comment to another answer, using split() can also be a good option (sometimes it’s faster to break a URL with split() … so long as you know which element in the multivalue field you need
from User warren – Stack Overflow https://stackoverflow.com/questions/73170217/parsing-last-part-of-url-in-splunk/73195821#73195821
via IFTTT