Split a path into multiple fields

There is a similar article here that should get you on your way using regex. I would extract the file name off the end and perhaps have nine following regex commands using the progressively smaller parts of the previous finds. Eventually you will find nothing, so the resulting set_field() function won’t actually create a field. There are a bunch of posts outside of Graylog for finding filenames and paths too (like here) that might be helpful. Note in the first post how it references the first regex find with ["0"]:

set_field("file_name", to_string(file_name["0"]));

You can test out regex here

Also note that regex in the pipeline needs to double the escapes any time you are escaping something.

Lastly - post up your solution, or if it's not quite working, post up the code and we’ll see what we can help with! :smiley:

Epilogue: Highlight any code/logs using the </> forum tool to make it readable, so you aren’t missing things that way. Instead of the hard-to-read version with missing characters when it isn’t formatted:

([^/:*?"<>|\r\n])+$

you get something easier to read:

([^\/:*?"<>|\r\n])+$

1 Like
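As an added example that is not part of the original reply or of Graylog itself, the iterative approach described above (pull the file name off the end, then keep matching the last segment of the shrinking remainder until nothing matches) written out in Python so it can be run and checked offline. The field names path_1, path_2, ... are an assumption chosen here; the last-segment regex is the one quoted in the reply with the + moved inside the group, and the helper at the end shows the double-escaped form such a pattern takes when pasted into a pipeline rule string.

```python
import re

# Last path segment: the regex quoted in the reply, with "+" inside the group so
# that group(1) is the whole segment. In Python, group(0) is the entire match;
# in a Graylog pipeline rule the regex() result keyed by "0" is the first
# capture group, so the "0" in the reply corresponds to group(1) here.
LAST_SEGMENT = re.compile(r'([^/:*?"<>|\r\n]+)$')


def split_path_fields(path, max_parts=9):
    """Split a slash-separated path into file_name plus up to max_parts
    directory fields, deepest directory first (path_1, path_2, ...).

    Mirrors the pipeline idea: each step searches the progressively smaller
    remainder; when the regex finds nothing, no further field is set.
    """
    fields = {}
    remaining = path.rstrip('/')

    m = LAST_SEGMENT.search(remaining)
    if not m:
        return fields          # nothing to extract (empty path or only slashes)
    fields['file_name'] = m.group(1)
    remaining = remaining[:m.start()].rstrip('/')

    for i in range(1, max_parts + 1):
        m = LAST_SEGMENT.search(remaining)
        if not m:
            break              # no match: the pipeline's set_field() would not fire
        fields[f'path_{i}'] = m.group(1)
        remaining = remaining[:m.start()].rstrip('/')
    return fields


def pipeline_pattern(py_pattern):
    """Render a Python regex as the string literal body a pipeline rule needs:
    every backslash is doubled and embedded double quotes are escaped."""
    return py_pattern.replace('\\', '\\\\').replace('"', '\\"')


if __name__ == '__main__':
    # Constructed sample input.
    for sample in ('/var/log/nginx/access.log', 'report.txt', '/tmp/'):
        print(sample, '->', split_path_fields(sample))
    print('rule string body:', pipeline_pattern(LAST_SEGMENT.pattern))
```

Running it shows that a bare file name yields only file_name, a trailing slash is ignored, and a ten-level path stops after nine directory fields because each extra step simply finds nothing.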