Go simple – regular expressions are all well and good, but split() is much easier (and, very often, much faster):
index=ndx sourcetype=srctp url=*
| eval url=split(URL,"/")
| eval lastpart=mvindex(url,-1)
This splits the field url into a multivalue field using the forward slash (‘/‘) as the delimiter
Then select the last entry using mvindex and the index of -1, which is always the last entry
from User warren – Stack Overflow https://stackoverflow.com/questions/60551904/capture-last-element-either-between-or-after-and-before/75302068#75302068
via IFTTT