Thank you,
This one works: rex "[\/(?P[^]]*)]"

But how can I export one csv file that contains only this path?

index=main| rex "[(?P[^]]*)]" | outputlookup users.csv , but in the csv file I would like have only the rex field

Insert a fields command before the outputlookup. Only the fields listed in the command will be written to the CSV.

yeah, but with fields command I have to tell to splunk the name of the rex field...

index=main| rex "[(?P[^]]*)]" | fields name rex field outputlookup users.csv

So give it a name.

index=main| rex "\[(?P<path>[^\]]*)\]" | fields path | outputlookup users.csv 

seems works! And last question, how I can add it at my query in the framework?

search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex '[^*]' | fields path | outputlookup read_rules.csv")

search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex "[^*]" | fields path | outputlookup read_rules.csv")

I cannot use these ways

I'm not familiar with the framework. Why can you not use those ways?

No your query is perfect, but I have need to use it in the framework : ~)

What framework are you referring to?

splunk framework

Federica, looking at your framework question, the reason those won't work is because you're not creating the field.

For your reference, it'll benefit you in the long term.

rex "\[(?P<path>[^\]]*)\]"

The < path > part of the rex, creates the field called path

Using the example you supplied, this is missing.

search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex '[[^*](?.+)]' | fields path | outputlookup read_rules.csv")

Try:

search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex '\[(?P<path>[^\]]*)\]' | fields path | outputlookup read_rules.csv")

Credit to @richgalloway for the rex statement.