https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454521#M55914 <P>Hi Everyone,<BR /> We are using the SEP 14.2.1 (14.2 RU1 MP1) build 4815 (14.2.4815.1101)<BR /> Installed the last Symantec Add-On, and since the Risk were not correctly tagged, I have modified the regex like this :</P> <P>(you can put it on local/transforms.conf)</P> <PRE><CODE>[field_extraction_for_agt_risk] ### Modified Regex, removed unknown tag that brokes the regex, and moved certificates tags to the end to be recognized. REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?&lt;Risk_Action&gt;[[sep_file_field]]),\s*(?:IP\sAddress:\s*(?&lt;IP_Address&gt;[[sep_file_field]]))?,\s*(?:Computer\sname:\s*(?&lt;Computer_Name&gt;[[sep_file_field]]))?,\s*(?:Source:\s*(?&lt;Source&gt;[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?&lt;Risk_Name&gt;[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?&lt;Occurrences&gt;[[sep_file_field]]))?,\s*(?&lt;file_path&gt;[[sep_file_field]]),\s*(?&lt;Description&gt;[[sep_file_field]]),\s*(?:Actual\saction:\s*(?&lt;vendor_action&gt;[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?&lt;Requested_Action&gt;[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?&lt;Secondary_Action&gt;[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?&lt;Event_Time&gt;[[sep_file_field]]))?,\s*(?:Inserted:\s*(?&lt;Event_Insert_Time&gt;[[sep_file_field]]))?,\s*(?:End:\s*(?&lt;End_Time&gt;[[sep_file_field]]))?,\s*(?:Last\supdate\stime:\s*(?&lt;Last_Update_Time&gt;[[sep_file_field]]))?,\s*(?:Domain:\s*(?&lt;Domain_Name&gt;[[sep_file_field]]))?,\s*(?:Group:\s*(?&lt;Group_Name&gt;[[sep_file_field]]))?,\s*(?:Server:\s*(?&lt;Server_Name&gt;[[sep_file_field]]))?,\s*(?&lt;user&gt;[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?&lt;Source_Computer_Name&gt;[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?&lt;Source_Computer_IP&gt;[[sep_file_field]]))?,\s*(?:Disposition:\s*(?&lt;Disposition&gt;[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?&lt;Download_Site&gt;[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?&lt;Web_Domain&gt;.*))?,\s*(?:Downloaded\sby:\s*(?&lt;Downloaded_By&gt;[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?&lt;Prevalence&gt;[[sep_file_field]]))?,\s*(?:Confidence:\s*(?&lt;Confidence&gt;[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?&lt;URL_Tracking_Status&gt;[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?&lt;First_Seen&gt;[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?&lt;Sensitivity&gt;[[sep_file_field]]))?,\s*(?&lt;Reason_For_White_Listing&gt;[[sep_file_field]]),\s*(?:Application\shash:\s*(?&lt;Application_Hash&gt;[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?&lt;Hash_Type&gt;[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?&lt;Company_Name&gt;.*))?,\s*(?:Application\sname:\s(?&lt;Application_Name&gt;[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?P&lt;Application_Version&gt;.*))?,\s*(?:Application\stype:\s*(?&lt;Application_Type&gt;[[sep_file_field]]))?,\s*(?:File\ssize\s\(bytes\):\s*(?&lt;File_Size&gt;[[sep_file_field]]))?(?:,\s*Category\sset:\s*(?&lt;Category_Set&gt;[[sep_file_field]]),\s*Category\stype:\s*(?&lt;Category_Type&gt;[[sep_file_field]]))?,?\s*(?:Location:\s*(?&lt;Location&gt;[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?&lt;Intensive_Protection_Level&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?&lt;Certificate_Issuer&gt;[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?&lt;Certificate_Signer&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?&lt;Certificate_Thumbprint&gt;[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?&lt;Signing_Timestamp&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?&lt;Certificate_Serial_Number&gt;[[sep_file_field]]))? [field_extraction_for_agt_proactive] ### Modified Regex, moved certificate tags to the end like the agt_risk one. REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?&lt;Risk_Action&gt;[[sep_file_field]]),\s*(?:Computer\sname:\s*(?&lt;Computer_Name&gt;[[sep_file_field]]))?,?\s*(?:IP\sAddress:\s*(?&lt;IP_Address&gt;[[sep_file_field]]))?,\s*(?:Detection\stype:\s*(?&lt;Detection_Type&gt;[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?&lt;First_Seen&gt;[[sep_file_field]]))?,\s*(?:Application\sname:\s*(?&lt;Application_Name&gt;[[sep_file_field]]))?,\s*(?:Application\stype:\s*(?&lt;Application_Type&gt;[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?&lt;Application_Version&gt;[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?&lt;Hash_Type&gt;[[sep_file_field]]))?,\s*(?:Application\shash:\s*(?&lt;Application_Hash&gt;[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?&lt;Company_Name&gt;.*))?,\s*(?:File\ssize\s\(bytes\):\s*(?&lt;File_Size&gt;[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?&lt;Sensitivity&gt;[[sep_file_field]]))?,\s*(?:Detection\sscore:\s*(?&lt;Detection_Score&gt;[[sep_file_field]]))?,\s*(?:COH\sEngine\sVersion:\s*(?&lt;COH_Engine_Version&gt;[[sep_file_field]]))?,\s*(?&lt;Submission_Recommendation&gt;[[sep_file_field]]),\s*(?:Permitted\sapplication\sreason:\s*(?&lt;Permitted_Application_Reason&gt;[[sep_file_field]]))?,\s*(?:Disposition:\s*(?&lt;Disposition&gt;[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?&lt;Download_Site&gt;[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?&lt;Web_Domain&gt;.*))?,\s*(?:Downloaded\sby:\s*(?&lt;Downloaded_By&gt;[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?&lt;Prevalence&gt;[[sep_file_field]]))?,\s*(?:Confidence:\s*(?&lt;Confidence&gt;[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?&lt;URL_Tracking_Status&gt;[[sep_file_field]]))?,\s*(?:Risk\sLevel:\s*(?&lt;Risk_Level&gt;[[sep_file_field]]))?,?\s*(?:Risk\stype:\s*(?&lt;Risk_Type&gt;[[sep_file_field]]))?,?\s*(?:Detection\sSource:\s*(?&lt;Detection_Source&gt;[[sep_file_field]]))?,\s*(?:Source:\s*(?&lt;Source&gt;[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?&lt;Risk_Name&gt;[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?&lt;Occurrences&gt;[[sep_file_field]]))?,\s*(?&lt;file_path&gt;[[sep_file_field]]),\s*(?&lt;Description&gt;[[sep_file_field]]),\s*(?:Actual\saction:\s*(?&lt;vendor_action&gt;[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?&lt;Requested_Action&gt;[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?&lt;Secondary_Action&gt;[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?&lt;Event_Time&gt;[[sep_file_field]]))?,\s*(?:Inserted:\s*(?&lt;Event_Insert_Time&gt;[[sep_file_field]]))?,\s*(?:End:\s*(?&lt;End_Time&gt;[[sep_file_field]]))?,\s*(?:Domain:\s*(?&lt;Domain_Name&gt;[[sep_file_field]]))?,\s*(?:Group:\s*(?&lt;Group_Name&gt;[[sep_file_field]]))?,\s*(?:Server:\s*(?&lt;Server_Name&gt;[[sep_file_field]]))?,\s*(?&lt;user&gt;[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?&lt;Source_Computer_Name&gt;[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?&lt;Source_Computer_IP&gt;[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?&lt;Intensive_Protection_Level&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?&lt;Certificate_Issuer&gt;[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?&lt;Certificate_Signer&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?&lt;Certificate_Thumbprint&gt;[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?&lt;Signing_Timestamp&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?&lt;Certificate_Serial_Number&gt;[[sep_file_field]]))? </CODE></PRE> <P>Hope this works for you.</P> Mon, 02 Dec 2019 13:57:59 GMT cascompany 2019-12-02T13:57:59Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454500#M55893 <P>Symantec slightly change the log format for 14.2 RU1... add these to transforms.conf in /local and you'll be good to go.</P> <P>[field_extraction_for_traffic]<BR /> REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Local Host:\s*(?[[sep_file_field]]))?,\s*(?:Local Port:\s*(?[[sep_file_field]]))?,\s*(?:Local Host MAC:\s*(?[[sep_file_field]]))?,\s*(?:Remote Host IP:\s*(?[[sep_file_field]]))?,\s*(?:Remote Host Name:\s*(?[[sep_file_field]]))?,\s*(?:Remote Port:\s*(?[[sep_file_field]]))?,\s*(?:Remote Host MAC:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Begin:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?[[sep_file_field]]))?,\s*(?:Application:\s*(?[[sep_file_field]]))?,\s*(?:Rule:\s*(?[[sep_file_field]]))?,\s*(?:Location:\s*(?[[sep_file_field]]))?,\s*(?:User:\s*(?[[sep_file_field]]))?,\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Action:\s*(?[[sep_file_field]]))?,\s*(?:SHA-256:\s*(?[[sep_file_field]]))?,\s*(?:MD-5:\s*(?[[sep_file_field]]))?</P> <P>[field_extraction_for_agt_security]<BR /> REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Event Description:\s*(?[[sep_file_field]])),\s*(?:Local:\s*(?[[sep_file_field]]))?,\s*(?:Local Host MAC:\s*(?[[sep_file_field]]))?,\s*(?:Remote Host Name:\s*(?[[sep_file_field]]))?,\s*(?:Remote Host IP:\s*(?[[sep_file_field]]))?,\s*(?:Remote Host MAC:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Begin:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?[[sep_file_field]]))?,\s*(?:Application:\s*(?[[sep_file_field]]))?,\s*(?:Location:\s*(?[[sep_file_field]]))?,\s*(?:User:\s*(?[[sep_file_field]])),\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Local\sPort\s*(?[[sep_file_field]]))?,\s*(?:Remote\sPort\s*(?[[sep_file_field]]))?,\s*(?:CIDS\sSignature\sID:\s*(?[[sep_file_field]]))?,\s*(?:CIDS\sSignature\sstring:\s*(?[[sep_file_field]]))?,\s*(?:CIDS\sSignature\sSubID:\s*(?[[sep_file_field]]))?,\s*(?:Intrusion\sURL:\s*(?[[sep_file_field]]))?,\s*(?:Intrusion\sPayload\sURL:\s*(?[[sep_file_field]]))?,?\s*(?:SHA-256:\s*(?[[sep_file_field]]))?,?\s*(?:MD-5:\s*(?[[sep_file_field]]))?</P> <P>[field_extraction_for_agt_risk]<BR /> REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?:IP\sAddress:\s*(?[[sep_file_field]]))?,\s*(?:Computer\sname:\s*(?[^,']<EM>'[^']</EM>'|[^,"]<EM>"[^"]</EM>|[^,]<EM>))?,\s</EM>(?:Source:\s*(?[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Actual\saction:\s*(?[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?[[sep_file_field]]))?,s*(?:Inserted:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?:Last\supdate\stime:\s*(?[[sep_file_field]]))?,\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Group:\s*(?[[sep_file_field]]))?,\s*(?:Server:\s*(?[[sep_file_field]]))?,\s*(?:User:\s*(?[[sep_file_field]])),\s*(?:Source\scomputer:\s*(?[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?[[sep_file_field]]))?,\s*(?:Disposition:\s*(?[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?.<EM>))?,\s</EM>(?:Downloaded\sby:\s*(?[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?[[sep_file_field]]))?,\s*(?:Confidence:\s*(?[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?:Application\shash:\s*(?[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?.<EM>))?,\s</EM>(?:Application\sname:\s(?[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?P.<EM>))?,\s</EM>(?:Application\stype:\s*(?[[sep_file_field]]))?,\s*(?:File\ssize\s(bytes):\s*(?[[sep_file_field]]))?(?:,\s*Category\sset:\s*(?[[sep_file_field]]),\s*Category\stype:\s*(?[[sep_file_field]]))?,?\s*(?:Location:\s*(?[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?[[sep_file_field]]))?</P> <P>[field_extraction_for_agt_behavior]<BR /> REGEX = ^(?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),?\s*(?[[sep_file_field]])?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Begin:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?:Rule:\s*(?[[sep_file_field]])),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:User:\s*(?[[sep_file_field]])),\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Action\sType:\s*(?[[sep_file_field]]))?(?:,\s*File\ssize\s(bytes):\s*(?[[sep_file_field]]),\s*Device\sID:\s*(?[[sep_file_field]]))?$</P> <P>[field_extraction_for_agt_proactive]<BR /> REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?:Computer\sname:\s*(?[[sep_file_field]]))?,?\s*(?:IP\sAddress:\s*(?[[sep_file_field]]))?,\s*(?:Detection\stype:\s*(?[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?[[sep_file_field]]))?,\s*(?:Application\sname:\s*(?[[sep_file_field]]))?,\s*(?:Application\stype:\s*(?[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?[[sep_file_field]]))?,\s*(?:Application\shash:\s*(?[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?.<EM>))?,\s</EM>(?:File\ssize\s(bytes):\s*(?[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?[[sep_file_field]]))?,\s*(?:Detection\sscore:\s*(?[[sep_file_field]]))?,\s*(?:COH\sEngine\sVersion:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?:Permitted\sapplication\sreason:\s*(?[[sep_file_field]]))?,\s*(?:Disposition:\s*(?[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?.<EM>))?,\s</EM>(?:Downloaded\sby:\s*(?[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?[[sep_file_field]]))?,\s*(?:Confidence:\s*(?[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?[[sep_file_field]]))?,\s*(?:Risk\sLevel:\s*(?[[sep_file_field]]))?,?\s*(?:Risk\stype:\s*(?[[sep_file_field]]))?,?\s*(?:Detection\sSource:\s*(?[[sep_file_field]]))?,\s*(?:Source:\s*(?[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Actual\saction:\s*(?[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?[[sep_file_field]]))?,\s*(?:Inserted:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Group:\s*(?[[sep_file_field]]))?,\s*(?:Server:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?[[sep_file_field]]))?</P> Wed, 30 Sep 2020 00:30:07 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454500#M55893 jtwind_2 2020-09-30T00:30:07Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454501#M55894 <P>what version does this work on? </P> <P>I am getting this on 7.0.3;</P> <P>Bad regex value: ... / REGEX; why: unrecognized character after (? or (?-<BR /> for all those stanzas</P> Fri, 17 May 2019 09:28:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454501#M55894 GDustin 2019-05-17T09:28:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454502#M55895 <P>@jtwind_2 <BR /> Can you repost with the Code sample option?<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7041iD425EB5BDD4FB6C8/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>This is from the old 2.3.0 transforms[as an example];</P> <PRE><CODE>(?i)(?:[[sep_file_prefix]]),\s*(?&lt;Risk_Action&gt;[[sep_file_field]]),\s*(?:IP\sAddress:\s*(?&lt;IP_Address&gt;[[sep_file_field]]))?,\s*(?:Computer\sname:\s*(?&lt;Computer_Name&gt;[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?&lt;Intensive_Protection_Level&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?&lt;Certificate_Issuer&gt;[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?&lt;Certificate_Signer&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?&lt;Certificate_Thumbprint&gt;[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?&lt;Signing_Timestamp&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?&lt;Certificate_Serial_Number&gt;[[sep_file_field]]))?,\s*(?:Source:\s*(?&lt;Source&gt;[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?&lt;Risk_Name&gt;[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?&lt;Occurrences&gt;[[sep_file_field]]))?,\s*(?&lt;file_path&gt;[[sep_file_field]]),\s*(?&lt;Description&gt;[[sep_file_field]]),\s*(?:Actual\saction:\s*(?&lt;vendor_action&gt;[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?&lt;Requested_Action&gt;[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?&lt;Secondary_Action&gt;[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?&lt;Event_Time&gt;[[sep_file_field]]))?,\s*(?:Inserted:\s*(?&lt;Event_Insert_Time&gt;[[sep_file_field]]))?,\s*(?:End:\s*(?&lt;End_Time&gt;[[sep_file_field]]))?,\s*(?:Last\supdate\stime:\s*(?&lt;Last_Update_Time&gt;[[sep_file_field]]))?,\s*(?:Domain:\s*(?&lt;Domain_Name&gt;[[sep_file_field]]))?,\s*(?:Group:\s*(?&lt;Group_Name&gt;[[sep_file_field]]))?,\s*(?:Server:\s*(?&lt;Server_Name&gt;[[sep_file_field]]))?,\s*(?&lt;user&gt;[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?&lt;Source_Computer_Name&gt;[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?&lt;Source_Computer_IP&gt;[[sep_file_field]]))?,\s*(?:Disposition:\s*(?&lt;Disposition&gt;[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?&lt;Download_Site&gt;[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?&lt;Web_Domain&gt;.*))?,\s*(?:Downloaded\sby:\s*(?&lt;Downloaded_By&gt;[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?&lt;Prevalence&gt;[[sep_file_field]]))?,\s*(?:Confidence:\s*(?&lt;Confidence&gt;[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?&lt;URL_Tracking_Status&gt;[[sep_file_field]]))?,\s*(?&lt;Unknown_Field&gt;[[sep_file_field]]),\s*(?:First\sseen:\s*(?&lt;First_Seen&gt;[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?&lt;Sensitivity&gt;[[sep_file_field]]))?,\s*(?&lt;Reason_For_White_Listing&gt;[[sep_file_field]]),\s*(?:Application\shash:\s*(?&lt;Application_Hash&gt;[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?&lt;Hash_Type&gt;[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?&lt;Company_Name&gt;.*))?,\s*(?:Application\sname:\s(?&lt;Application_Name&gt;[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?P&lt;Application_Version&gt;.*))?,\s*(?:Application\stype:\s*(?&lt;Application_Type&gt;[[sep_file_field]]))?,\s*(?:File\ssize\s\(bytes\):\s*(?&lt;File_Size&gt;[[sep_file_field]]))?(?:,\s*Category\sset:\s*(?&lt;Category_Set&gt;[[sep_file_field]]),\s*Category\stype:\s*(?&lt;Category_Type&gt;[[sep_file_field]]))?,?\s*(?:Location:\s*(?&lt;Location&gt;[[sep_file_field]]))? </CODE></PRE> Fri, 17 May 2019 10:57:32 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454502#M55895 GDustin 2019-05-17T10:57:32Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454503#M55896 <P>I am also getting the Bad Regex error, but I'm confused by the latest post. I tried adding the (or whatever the verbiage was between the &lt;&gt; in the original transforms Regex per the applicable stanza) in the local file regex where it had been in the original transforms Regex, but am still getting the error. I'm unsure if this was the recommendation, or what additional regex tweaking needs to be performed. Anyone know if Splunk will be putting out an updated TA for these critical parsing changes?</P> Mon, 20 May 2019 17:45:44 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454503#M55896 rriegert 2019-05-20T17:45:44Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454504#M55897 <P>Try this:... you'll also want to be running v 2.3.0 (latest as of this writing) of the Symantec add-on... <A href="https://splunkbase.splunk.com/app/2772/">https://splunkbase.splunk.com/app/2772/</A></P> <PRE><CODE>[field_extraction_for_traffic] REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?&lt;vendor_severity&gt;[[sep_file_field]]),\s*(?&lt;Host_Name&gt;[[sep_file_field]]),\s*(?:Local Host:\s*(?&lt;Local_Host_IP&gt;[[sep_file_field]]))?,\s*(?:Local Port:\s*(?&lt;Local_Port&gt;[[sep_file_field]]))?,\s*(?:Local Host MAC:\s*(?&lt;Local_Host_MAC&gt;[[sep_file_field]]))?,\s*(?:Remote Host IP:\s*(?&lt;Remote_Host_IP&gt;[[sep_file_field]]))?,\s*(?:Remote Host Name:\s*(?&lt;Remote_Host_Name&gt;[[sep_file_field]]))?,\s*(?:Remote Port:\s*(?&lt;Remote_Port&gt;[[sep_file_field]]))?,\s*(?:Remote Host MAC:\s*(?&lt;Remote_Host_MAC&gt;[[sep_file_field]]))?,\s*(?&lt;Network_Protocol&gt;[[sep_file_field]]),\s*(?&lt;Traffic_Direction&gt;[[sep_file_field]]),\s*(?:Begin:\s*(?&lt;Begin_Time&gt;[[sep_file_field]]))?,\s*(?:End:\s*(?&lt;End_Time&gt;[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?&lt;Occurrences&gt;[[sep_file_field]]))?,\s*(?:Application:\s*(?&lt;Application_Name&gt;[[sep_file_field]]))?,\s*(?:Rule:\s*(?&lt;rule&gt;[[sep_file_field]]))?,\s*(?:Location:\s*(?&lt;Location&gt;[[sep_file_field]]))?,\s*(?:User:\s*(?&lt;user&gt;[[sep_file_field]]))?,\s*(?:Domain:\s*(?&lt;Domain_Name&gt;[[sep_file_field]]))?,\s*(?:Action:\s*(?&lt;vendor_action&gt;[[sep_file_field]]))?,\s*(?:SHA-256:\s*(?&lt;SHA_256&gt;[[sep_file_field]]))?,\s*(?:MD-5:\s*(?&lt;MD_5&gt;[[sep_file_field]]))? [field_extraction_for_agt_security] REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?&lt;vendor_severity&gt;[[sep_file_field]]),\s*(?&lt;Host_Name&gt;[[sep_file_field]]),\s*(?:Event Description:\s*(?&lt;Event_Description&gt;[[sep_file_field]])),\s*(?:Local:\s*(?&lt;Local_Host_IP&gt;[[sep_file_field]]))?,\s*(?:Local Host MAC:\s*(?&lt;Local_Host_MAC&gt;[[sep_file_field]]))?,\s*(?:Remote Host Name:\s*(?&lt;Remote_Host_Name&gt;[[sep_file_field]]))?,\s*(?:Remote Host IP:\s*(?&lt;Remote_Host_IP&gt;[[sep_file_field]]))?,\s*(?:Remote Host MAC:\s*(?&lt;Remote_Host_MAC&gt;[[sep_file_field]]))?,\s*(?&lt;Traffic_Direction&gt;[[sep_file_field]]),\s*(?&lt;Network_Protocol&gt;[[sep_file_field]]),\s*(?&lt;Hack_Type&gt;[[sep_file_field]]),\s*(?:Begin:\s*(?&lt;Begin_Time&gt;[[sep_file_field]]))?,\s*(?:End:\s*(?&lt;End_Time&gt;[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?&lt;Occurrences&gt;[[sep_file_field]]))?,\s*(?:Application:\s*(?&lt;Application_Name&gt;[[sep_file_field]]))?,\s*(?:Location:\s*(?&lt;Location&gt;[[sep_file_field]]))?,\s*(?:User:\s*(?&lt;user&gt;[[sep_file_field]])),\s*(?:Domain:\s*(?&lt;Domain_Name&gt;[[sep_file_field]]))?,\s*(?:Local\sPort\s*(?&lt;Local_Port&gt;[[sep_file_field]]))?,\s*(?:Remote\sPort\s*(?&lt;Remote_Port&gt;[[sep_file_field]]))?,\s*(?:CIDS\sSignature\sID:\s*(?&lt;CIDS_Signature_ID&gt;[[sep_file_field]]))?,\s*(?:CIDS\sSignature\sstring:\s*(?&lt;CIDS_Signature_String&gt;[[sep_file_field]]))?,\s*(?:CIDS\sSignature\sSubID:\s*(?&lt;CIDS_Signature_SubID&gt;[[sep_file_field]]))?,\s*(?:Intrusion\sURL:\s*(?&lt;Intrusion_URL&gt;[[sep_file_field]]))?,\s*(?:Intrusion\sPayload\sURL:\s*(?&lt;Intrusion_Payload_URL&gt;[[sep_file_field]]))?,?\s*(?:SHA-256:\s*(?&lt;SHA_256&gt;[[sep_file_field]]))?,?\s*(?:MD-5:\s*(?&lt;MD_5&gt;[[sep_file_field]]))? [field_extraction_for_agt_risk] REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?&lt;Risk_Action&gt;[[sep_file_field]]),\s*(?:IP\sAddress:\s*(?&lt;IP_Address&gt;[[sep_file_field]]))?,\s*(?:Computer\sname:\s*(?&lt;Computer_Name&gt;[^,']*'[^']*'|[^,"]*"[^"]*|[^,]*))?,\s*(?:Source:\s*(?&lt;Source&gt;[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?&lt;Risk_Name&gt;[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?&lt;Occurrences&gt;[[sep_file_field]]))?,\s*(?&lt;file_path&gt;[[sep_file_field]]),\s*(?&lt;Description&gt;[[sep_file_field]]),\s*(?:Actual\saction:\s*(?&lt;vendor_action&gt;[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?&lt;Requested_Action&gt;[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?&lt;Secondary_Action&gt;[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?&lt;Event_Time&gt;[[sep_file_field]]))?,s*(?:Inserted:\s*(?&lt;Event_Insert_Time&gt;[[sep_file_field]]))?,\s*(?:End:\s*(?&lt;End_Time&gt;[[sep_file_field]]))?,\s*(?:Last\supdate\stime:\s*(?&lt;Last_Update_Time&gt;[[sep_file_field]]))?,\s*(?:Domain:\s*(?&lt;Domain_Name&gt;[[sep_file_field]]))?,\s*(?:Group:\s*(?&lt;Group_Name&gt;[[sep_file_field]]))?,\s*(?:Server:\s*(?&lt;Server_Name&gt;[[sep_file_field]]))?,\s*(?:User:\s*(?&lt;user&gt;[[sep_file_field]])),\s*(?:Source\scomputer:\s*(?&lt;Source_Computer_Name&gt;[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?&lt;Source_Computer_IP&gt;[[sep_file_field]]))?,\s*(?:Disposition:\s*(?&lt;Disposition&gt;[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?&lt;Download_Site&gt;[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?&lt;Web_Domain&gt;.*))?,\s*(?:Downloaded\sby:\s*(?&lt;Downloaded_By&gt;[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?&lt;Prevalence&gt;[[sep_file_field]]))?,\s*(?:Confidence:\s*(?&lt;Confidence&gt;[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?&lt;URL_Tracking_Status&gt;[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?&lt;First_Seen&gt;[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?&lt;Sensitivity&gt;[[sep_file_field]]))?,\s*(?&lt;Reason_For_White_Listing&gt;[[sep_file_field]]),\s*(?:Application\shash:\s*(?&lt;Application_Hash&gt;[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?&lt;Hash_Type&gt;[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?&lt;Company_Name&gt;.*))?,\s*(?:Application\sname:\s(?&lt;Application_Name&gt;[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?P&lt;Application_Version&gt;.*))?,\s*(?:Application\stype:\s*(?&lt;Application_Type&gt;[[sep_file_field]]))?,\s*(?:File\ssize\s\(bytes\):\s*(?&lt;File_Size&gt;[[sep_file_field]]))?(?:,\s*Category\sset:\s*(?&lt;Category_Set&gt;[[sep_file_field]]),\s*Category\stype:\s*(?&lt;Category_Type&gt;[[sep_file_field]]))?,?\s*(?:Location:\s*(?&lt;Location&gt;[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?&lt;Intensive_Protection_Level&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?&lt;Certificate_Issuer&gt;[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?&lt;Certificate_Signer&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?&lt;Certificate_Thumbprint&gt;[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?&lt;Signing_Timestamp&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?&lt;Certificate_Serial_Number&gt;[[sep_file_field]]))? [field_extraction_for_agt_behavior] REGEX = ^(?i)(?:[[sep_file_prefix]]),\s*(?&lt;vendor_severity&gt;[[sep_file_field]]),\s*(?&lt;Host_Name&gt;[[sep_file_field]]),?\s*(?&lt;IP_Address&gt;[[sep_file_field]])?,\s*(?&lt;vendor_action&gt;[[sep_file_field]]),\s*(?&lt;Description&gt;[[sep_file_field]]),\s*(?&lt;API&gt;[[sep_file_field]]),\s*(?:Begin:\s*(?&lt;Begin_Time&gt;[[sep_file_field]]))?,\s*(?:End:\s*(?&lt;End_Time&gt;[[sep_file_field]]))?,\s*(?:Rule:\s*(?&lt;rule&gt;[[sep_file_field]])),\s*(?&lt;Caller_Process_ID&gt;[[sep_file_field]]),\s*(?&lt;Caller_Process_Name&gt;[[sep_file_field]]),\s*(?&lt;Return_Address&gt;[[sep_file_field]]),\s*(?&lt;Return_Module&gt;[[sep_file_field]]),\s*(?&lt;Parameter&gt;[[sep_file_field]]),\s*(?:User:\s*(?&lt;user&gt;[[sep_file_field]])),\s*(?:Domain:\s*(?&lt;Domain_Name&gt;[[sep_file_field]]))?,\s*(?:Action\sType:\s*(?&lt;Action_Type&gt;[[sep_file_field]]))?(?:,\s*File\ssize\s\(bytes\):\s*(?&lt;File_Size&gt;[[sep_file_field]]),\s*Device\sID:\s*(?&lt;Device_ID&gt;[[sep_file_field]]))?$ [field_extraction_for_agt_proactive] REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?&lt;Risk_Action&gt;[[sep_file_field]]),\s*(?:Computer\sname:\s*(?&lt;Computer_Name&gt;[[sep_file_field]]))?,?\s*(?:IP\sAddress:\s*(?&lt;IP_Address&gt;[[sep_file_field]]))?,\s*(?:Detection\stype:\s*(?&lt;Detection_Type&gt;[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?&lt;First_Seen&gt;[[sep_file_field]]))?,\s*(?:Application\sname:\s*(?&lt;Application_Name&gt;[[sep_file_field]]))?,\s*(?:Application\stype:\s*(?&lt;Application_Type&gt;[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?&lt;Application_Version&gt;[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?&lt;Hash_Type&gt;[[sep_file_field]]))?,\s*(?:Application\shash:\s*(?&lt;Application_Hash&gt;[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?&lt;Company_Name&gt;.*))?,\s*(?:File\ssize\s\(bytes\):\s*(?&lt;File_Size&gt;[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?&lt;Sensitivity&gt;[[sep_file_field]]))?,\s*(?:Detection\sscore:\s*(?&lt;Detection_Score&gt;[[sep_file_field]]))?,\s*(?:COH\sEngine\sVersion:\s*(?&lt;COH_Engine_Version&gt;[[sep_file_field]]))?,\s*(?&lt;Submission_Recommendation&gt;[[sep_file_field]]),\s*(?:Permitted\sapplication\sreason:\s*(?&lt;Permitted_Application_Reason&gt;[[sep_file_field]]))?,\s*(?:Disposition:\s*(?&lt;Disposition&gt;[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?&lt;Download_Site&gt;[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?&lt;Web_Domain&gt;.*))?,\s*(?:Downloaded\sby:\s*(?&lt;Downloaded_By&gt;[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?&lt;Prevalence&gt;[[sep_file_field]]))?,\s*(?:Confidence:\s*(?&lt;Confidence&gt;[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?&lt;URL_Tracking_Status&gt;[[sep_file_field]]))?,\s*(?:Risk\sLevel:\s*(?&lt;Risk_Level&gt;[[sep_file_field]]))?,?\s*(?:Risk\stype:\s*(?&lt;Risk_Type&gt;[[sep_file_field]]))?,?\s*(?:Detection\sSource:\s*(?&lt;Detection_Source&gt;[[sep_file_field]]))?,\s*(?:Source:\s*(?&lt;Source&gt;[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?&lt;Risk_Name&gt;[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?&lt;Occurrences&gt;[[sep_file_field]]))?,\s*(?&lt;file_path&gt;[[sep_file_field]]),\s*(?&lt;Description&gt;[[sep_file_field]]),\s*(?:Actual\saction:\s*(?&lt;vendor_action&gt;[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?&lt;Requested_Action&gt;[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?&lt;Secondary_Action&gt;[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?&lt;Event_Time&gt;[[sep_file_field]]))?,\s*(?:Inserted:\s*(?&lt;Event_Insert_Time&gt;[[sep_file_field]]))?,\s*(?:End:\s*(?&lt;End_Time&gt;[[sep_file_field]]))?,\s*(?:Domain:\s*(?&lt;Domain_Name&gt;[[sep_file_field]]))?,\s*(?:Group:\s*(?&lt;Group_Name&gt;[[sep_file_field]]))?,\s*(?:Server:\s*(?&lt;Server_Name&gt;[[sep_file_field]]))?,\s*(?&lt;user&gt;[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?&lt;Source_Computer_Name&gt;[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?&lt;Source_Computer_IP&gt;[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?&lt;Intensive_Protection_Level&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?&lt;Certificate_Issuer&gt;[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?&lt;Certificate_Signer&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?&lt;Certificate_Thumbprint&gt;[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?&lt;Signing_Timestamp&gt;[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?&lt;Certificate_Serial_Number&gt;[[sep_file_field]]))? </CODE></PRE> Mon, 20 May 2019 17:51:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454504#M55897 jtwind_2 2019-05-20T17:51:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454505#M55898 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/76118">@rriegert</a> see below, jt come through;</P> <P>attempt to reduce confusion:<BR /> Paste old code in something like regex101</P> <P>Take the smallest one as an example:<BR /> [field_extraction_for_agt_behavior]</P> <P>^(?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),?\s*(?[[sep_file_field]])?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Begin:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?:Rule:\s*(?[[sep_file_field]])),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:User:\s*(?[[sep_file_field]])),\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Action\sType:\s*(?[[sep_file_field]]))?(?:,\s*File\ssize\s(bytes):\s*(?[[sep_file_field]]),\s*Device\sID:\s*(?[[sep_file_field]]))?$</P> <P>Get these errors:<BR /> All the errors detected are listed below, from left to right, as they appear in the pattern.<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> ? The preceding token is not quantifiable<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure<BR /> (? Incomplete group structure<BR /> ) Incomplete group structure</P> <P><STRONG>The problem is when you paste a code such as:<BR /> ?<VENDOR_SEVERITY><BR /> Without the code option in the answers post, the:<BR /> <THISORTHAT><BR /> get's filtered or removed;</THISORTHAT></VENDOR_SEVERITY></STRONG></P> <P>Now; Take the smallest one as an example below; and go paste that one in regex101 or similar:<BR /> [field_extraction_for_agt_behavior]</P> <PRE><CODE>^(?i)(?:[[sep_file_prefix]]),\s*(?&lt;vendor_severity&gt;[[sep_file_field]]),\s*(?&lt;Host_Name&gt;[[sep_file_field]]),?\s*(?&lt;IP_Address&gt;[[sep_file_field]])?,\s*(?&lt;vendor_action&gt;[[sep_file_field]]),\s*(?&lt;Description&gt;[[sep_file_field]]),\s*(?&lt;API&gt;[[sep_file_field]]),\s*(?:Begin:\s*(?&lt;Begin_Time&gt;[[sep_file_field]]))?,\s*(?:End:\s*(?&lt;End_Time&gt;[[sep_file_field]]))?,\s*(?:Rule:\s*(?&lt;rule&gt;[[sep_file_field]])),\s*(?&lt;Caller_Process_ID&gt;[[sep_file_field]]),\s*(?&lt;Caller_Process_Name&gt;[[sep_file_field]]),\s*(?&lt;Return_Address&gt;[[sep_file_field]]),\s*(?&lt;Return_Module&gt;[[sep_file_field]]),\s*(?&lt;Parameter&gt;[[sep_file_field]]),\s*(?:User:\s*(?&lt;user&gt;[[sep_file_field]])),\s*(?:Domain:\s*(?&lt;Domain_Name&gt;[[sep_file_field]]))?,\s*(?:Action\sType:\s*(?&lt;Action_Type&gt;[[sep_file_field]]))?(?:,\s*File\ssize\s\(bytes\):\s*(?&lt;File_Size&gt;[[sep_file_field]]),\s*Device\sID:\s*(?&lt;Device_ID&gt;[[sep_file_field]]))?$ </CODE></PRE> <P>...no errors</P> Wed, 30 Sep 2020 00:38:44 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454505#M55898 GDustin 2020-09-30T00:38:44Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454506#M55899 <P>So far worked in dev with a one-shot; looking good for prod;Thank you for sharing.</P> Tue, 21 May 2019 07:25:47 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454506#M55899 GDustin 2019-05-21T07:25:47Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454507#M55900 <P>some of my code above is still bad/not displaying correctly; it is not presenting the characters "&lt;" or "&gt;", sorry for the confusion</P> Wed, 22 May 2019 23:14:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454507#M55900 GDustin 2019-05-22T23:14:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454508#M55901 <P>i am using the following for my agt_risk extraction:</P> <P>[field_extraction_for_agt_risk]</P> <P>REGEX =(?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?:IP\sAddress:\s*(?[[sep_file_field]]))?,\s*(?:Computer\sname:\s*(?[[sep_file_field]]))?,\s*(?:Source:\s*(?[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Actual\saction:\s*(?[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?[[sep_file_field]]))?,\s*(?:Inserted:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?:Last\supdate\stime:\s*(?[[sep_file_field]]))?,\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Group:\s*(?[[sep_file_field]]))?,\s*(?:Server:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?[[sep_file_field]]))?,\s*(?:Disposition:\s*(?[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?[[sep_file_field]]))?,\s*(?:Downloaded\sby:\s*(?[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?[[sep_file_field]]))?,\s*(?:Confidence:\s*(?[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?:Application\shash:\s*(?[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?.<EM>))?,\s</EM>(?:Application\sname:\s(?[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?P[[sep_file_field]]))?,\s*(?:Application\stype:\s*(?[[sep_file_field]]))?,\s*(?:File\ssize\s(bytes):\s*(?[[sep_file_field]]))?,\s*(?:Category\sset:\s*(?[[sep_file_field]]))?,\s*(?:Category\stype:\s*(?[[sep_file_field]]))?,?\s*(?:Location:\s*(?[[sep_file_field]]))?,\s*(?:Intensive\sProtection\sLevel:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?[[sep_file_field]]))?</P> Wed, 30 Sep 2020 00:54:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454508#M55901 archme 2020-09-30T00:54:06Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454509#M55902 <P>This worked for me as well. In Splunk Cloud - updated the configuration via the webui and refreshed the searches. Thank you.</P> Wed, 31 Jul 2019 17:36:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454509#M55902 testrake_trek 2019-07-31T17:36:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454510#M55903 <P>We took a different approach as the transforms option gave us problems when not all the fields existed all this time in the events we were getting. As such we updated the local/props.conf with the the below and haven't had any problem reported yet:</P> <PRE><CODE>[symantec:ep:security:file] EXTRACT-security_file_fields = \[name\]:(?P&lt;name&gt;.+?)\[class\]:(?P&lt;class&gt;.+?)\[guid\]:(?P&lt;guid&gt;.+?)\[deviceID\]:(?P&lt;deviceID&gt;.+)[\\\\](?P&lt;deviceSN&gt;.+?)\, [symantec:ep:agents:db] FIELDALIAS-user = CURRENT_LOGIN_USER AS user FIELDALIAS-dest = COMPUTER_NAME AS dest FIELDALIAS-ip = ip_address AS dest_ip FIELDALIAS-dest_mac = mac_address AS dest_mac FIELDALIAS-domain = domain_name AS dest_nt_domain FIELDALIAS-product_ver = AGENT_VERSION AS product_version FIELDALIAS-signature_ver = AV_REVISION AS signature_version EVAL-vendor = "Symantec" EVAL-product = "Endpoint Protection" EVAL-vendor_product = "Symantec Endpoint Protection" [symantec:ep:proactive:file] EXTRACT-proactive_downloaded_by = Downloaded\sby\:\s(?&lt;Downloaded_By&gt;.*?[^\,]*) EXTRACT-proactive_prevalance = Prevalence\:\s(?&lt;Prevalence&gt;.*?[^\,]*) EXTRACT-proactive_url_track = URL\sTracking\sStatus\:\s(?&lt;URL_Tracking_Status&gt;.*?[^\,]*) EXTRACT-proactive_first_seen = First\sSeen\:\s(?&lt;First_Seen&gt;.*?[^\,]*) EXTRACT-proactive_sensitivity = Sensitivity\:\s(?&lt;Sensitivity&gt;.*?[^\,]*) EXTRACT-proactive_app_hash = Application\shash\:\s(?&lt;Application_Hash&gt;.*?[^\,]*) EXTRACT-proactive_hash_type = Hash\stype\:\s(?&lt;Hash_Type&gt;.*?[^\,]*) EXTRACT-proactive_app_name = Application\sname\:\s(?&lt;Application_Name&gt;.*?[^\,]*) EXTRACT-proactive_app_ver = Application\sversion\:\s(?&lt;Application_Version&gt;.*?[^\,]*) EXTRACT-proactive_app_type = Application\stype\:\s(?&lt;Application_Type&gt;.*?[^\,]*) EXTRACT-proactive_file_size = File\ssize\s\(bytes\)\:\s(?&lt;File_Size&gt;.*?[^\,]*) EXTRACT-proactive_location = Location\:\s(?&lt;Location&gt;.*?[^\,]*) EXTRACT-proactive_intensive_protection_lvl = Intensive\sProtection\sLevel\:\s(?&lt;Intensive_Protection_Level&gt;.*?[^\,]*) EXTRACT-proactive_cert_issuer = Certificate\sissuer\:\s(?&lt;Certificate_Issuer&gt;.*?[^\,]*) EXTRACT-proactive_cert_signer = Certificate\ssigner\:\s(?&lt;Certificate_Signer&gt;.*?[^\,]*) EXTRACT-proactive_cert_thumbprint = Certificate\sthumbprint\:\s(?&lt;Certificate_Thumbprint&gt;.*?[^\,]*) EXTRACT-proactive_signing_timestamp = Signing\stimestamp\:\s(?&lt;Signing_Timestamp&gt;.*?[^\,]*) EXTRACT-proactive_cert_serial_no = Certificate\sserial\snumber\:\s(?&lt;Certificate_Serial_Number&gt;.*?[^\,]*) EXTRACT-proactive_ip = IP\sAddress\:\s+(?&lt;IP_Address&gt;\d[^\,]+) EXTRACT-proactive_comp_name = Computer\sname\:\s(?&lt;Computer_Name&gt;\w[^\,]+) EXTRACT-proactive_src = Source\:\s(?&lt;Source&gt;\w[^\,]+) EXTRACT-proactive_name = Risk\sname\:\s(?&lt;Risk_Name&gt;\w[^\,]+) EXTRACT-proactive_occurrences = Occurrences\:\s+(?&lt;Occurrences&gt;\d[^\,]*)\,(?&lt;file_path&gt;\w[^\,]+)\,(?&lt;Description&gt;\w*) EXTRACT-proactive_actual_action = Actual\saction\:\s(?&lt;vendor_action&gt;\w[^\,]+) EXTRACT-proactive_requested_action = Requested\saction\:\s(?&lt;Requested_Action&gt;\w[^\,]+) EXTRACT-proactive_secondary_action = Secondary\saction\:\s(?&lt;Secondary_Action&gt;\w[^\,]+) EXTRACT-proactive_event_time = Event\stime\:\s(?&lt;Event_Time&gt;\d[^\,]+) EXTRACT-proactive_insert_time = Inserted\:\s(?&lt;Event_Insert_Time&gt;\d[^\,]+) EXTRACT-proactive_end_time = End\:\s(?&lt;End_Time&gt;\d[^\,]+) EXTRACT-proactive_domain_name = Domain\:\s(?&lt;Domain_Name&gt;\w[^\,]+) EXTRACT-proactive_group_name = Group\:\s(?&lt;Group_Name&gt;\w[^\,]+) EXTRACT-proactive_server_name = Server\:\s(?&lt;Server_Name&gt;\w[^\,]+) EXTRACT-proactive_user_name = User\:\s(?&lt;user&gt;\w[^\,]+) EXTRACT-proactive_src_name = Source\scomputer\:\s(?&lt;Source_Computer_Name&gt;.*?[^\,]*) EXTRACT-proactive_src_ip = Source\sIP\:\s(?&lt;Source_Computer_IP&gt;.*?[^\,]*) EXTRACT-proactive_disposition = Disposition\:\s(?&lt;Disposition&gt;\w[^\,]+) EXTRACT-proactive_download_site = Download\ssite\:\s(?&lt;Download_Site&gt;.*?[^\,]*) EXTRACT-proactive_web_domain = Web\sdomain\:\s(?&lt;Web_Domain&gt;.*?[^\,]*) EXTRACT-proactive_confidence = Confidence\:\s(?&lt;Confidence&gt;.*?[^\,]*) EXTRACT-proactive_action = ^[\d\-\s\:]+\,(?&lt;Risk_Action&gt;.*?[^\,]*) EXTRACT-proactive_detection_type = Detection\stype\:\s+(?&lt;Detection_Type&gt;.*?[^\,]*) EXTRACT-proactive_detection_score = Detection\sscore\:\s(?&lt;Detection_Score&gt;.*?[^\,]*) EXTRACT-proactive_coh_engine_ver = COH\sEngine\sVersion\:\s(?&lt;coh_engine_version&gt;.*?[^\,]*)\,(?&lt;Submission_Recommendation&gt;.*?[^\,]*) EXTRACT-proactive_permitted_app_reason = Permitted\sapplication\sreason\:\s(?&lt;Permitted_Application_Reason&gt;.*?[^\,]*) EXTRACT-proactive_risk_lvl = Risk\sLevel\:\s(?&lt;Risk_Level&gt;.*?[^\,]*) EXTRACT-proactive_risk_type = Risk\stype\:\s(?&lt;Risk_Type&gt;.*?[^\,]*) [symantec:ep:risk:file] EXTRACT-risk_downloaded_by = Downloaded\sby\:\s(?&lt;Downloaded_By&gt;.*?[^\,]*) EXTRACT-risk_prevalance = Prevalence\:\s(?&lt;Prevalence&gt;.*?[^\,]*) EXTRACT-risk_url_track = URL\sTracking\sStatus\:\s(?&lt;URL_Tracking_Status&gt;.*?[^\,]*) EXTRACT-risk_first_seen = First\sSeen\:\s(?&lt;First_Seen&gt;.*?[^\,]*) EXTRACT-risk_sensitivity = Sensitivity\:\s(?&lt;Sensitivity&gt;.*?[^\,]*)\,(?&lt;Reason_For_White_Listing&gt;.*?[^\,]*) EXTRACT-risk_app_hash = Application\shash\:\s(?&lt;Application_Hash&gt;.*?[^\,]*) EXTRACT-risk_hash_type = Hash\stype\:\s(?&lt;Hash_Type&gt;.*?[^\,]*) EXTRACT-risk_co_name = Company\sname\:\s(?&lt;Company_Name&gt;.*?[^\,]*) EXTRACT-risk_app_name = Application\sname\:\s(?&lt;Application_Name&gt;.*?[^\,]*) EXTRACT-risk_app_ver = Application\sversion\:\s(?&lt;Application_Version&gt;.*?[^\,]*) EXTRACT-risk_app_type = Application\stype\:\s(?&lt;Application_Type&gt;.*?[^\,]*) EXTRACT-risk_file_size = File\ssize\s\(bytes\)\:\s(?&lt;File_Size&gt;.*?[^\,]*) EXTRACT-risk_cat_set = Category\sset\:\s(?&lt;Category_Set&gt;.*?[^\,]*) EXTRACT-risk_cat_type = Category\stype\:\s(?&lt;Category_Type&gt;.*?[^\,]*) EXTRACT-risk_location = Location\:\s(?&lt;Location&gt;.*?[^\,]*) EXTRACT-risk_intensive_protection_lvl = Intensive\sProtection\sLevel\:\s(?&lt;Intensive_Protection_Level&gt;.*?[^\,]*) EXTRACT-risk_cert_issuer = Certificate\sissuer\:\s(?&lt;Certificate_Issuer&gt;.*?[^\,]*) EXTRACT-risk_cert_signer = Certificate\ssigner\:\s(?&lt;Certificate_Signer&gt;.*?[^\,]*) EXTRACT-risk_cert_thumbprint = Certificate\sthumbprint\:\s(?&lt;Certificate_Thumbprint&gt;.*?[^\,]*) EXTRACT-risk_signing_timestamp = Signing\stimestamp\:\s(?&lt;Signing_Timestamp&gt;.*?[^\,]*) EXTRACT-risk_cert_serial_no = Certificate\sserial\snumber\:\s(?&lt;Certificate_Serial_Number&gt;.*?[^\,]*) EXTRACT-risk_ip = IP\sAddress\:\s+(?&lt;IP_Address&gt;\d[^\,]+) EXTRACT-risk_comp_name = Computer\sname\:\s(?&lt;Computer_Name&gt;\w[^\,]+) EXTRACT-risk_src = Source\:\s(?&lt;Source&gt;\w[^\,]+) EXTRACT-risk_name = Risk\sname\:\s(?&lt;Risk_Name&gt;\w[^\,]+) EXTRACT-risk_occurrences = Occurrences\:\s+(?&lt;Occurrences&gt;\d[^\,]*)\,(?&lt;file_path&gt;\w[^\,]+)\,(?&lt;Description&gt;\w*) EXTRACT-risk_actual_action = Actual\saction\:\s(?&lt;vendor_action&gt;\w[^\,]+) EXTRACT-risk_requested_action = Requested\saction\:\s(?&lt;Requested_Action&gt;\w[^\,]+) EXTRACT-risk_secondary_action = Secondary\saction\:\s(?&lt;Secondary_Action&gt;\w[^\,]+) EXTRACT-risk_event_time = Event\stime\:\s(?&lt;Event_Time&gt;\d[^\,]+) EXTRACT-risk_insert_time = Inserted\:\s(?&lt;Event_Insert_Time&gt;\d[^\,]+) EXTRACT-risk_end_time = End\:\s(?&lt;End_Time&gt;\d[^\,]+) EXTRACT-risk_update_time = Last\supdate\stime\:\s(?&lt;Last_Update_Time&gt;\d[^\,]+) EXTRACT-risk_domain_name = Domain\:\s(?&lt;Domain_Name&gt;\w[^\,]+) EXTRACT-risk_group_name = Group\:\s(?&lt;Group_Name&gt;\w[^\,]+) EXTRACT-risk_server_name = Server\:\s(?&lt;Server_Name&gt;\w[^\,]+) EXTRACT-risk_user_name = User\:\s(?&lt;user&gt;\w[^\,]+) EXTRACT-risk_src_name = Source\scomputer\:\s(?&lt;Source_Computer_Name&gt;.*?[^\,]*) EXTRACT-risk_src_ip = Source\sIP\:\s(?&lt;Source_Computer_IP&gt;.*?[^\,]*) EXTRACT-risk_disposition = Disposition\:\s(?&lt;Disposition&gt;\w[^\,]+) EXTRACT-risk_download_site = Download\ssite\:\s(?&lt;Download_Site&gt;.*?[^\,]*) EXTRACT-risk_web_domain = Web\sdomain\:\s(?&lt;Web_Domain&gt;.*?[^\,]*) EXTRACT-risk_confidence = Confidence\:\s(?&lt;Confidence&gt;.*?[^\,]*) EXTRACT-risk_action = ^[\d\-\s\:]+\,(?&lt;Risk_Action&gt;.*?[^\,]*) [symantec:ep:security:file] EXTRACT-security_vendor_severity = ^[\d\-\s\:]+\,(?&lt;vendor_severity&gt;.*?[^\,]*)\,(?&lt;Host_Name&gt;\w[^\,]+) EXTRACT-security_event_desc = Event\sDescription(.*?)(?:\"\,|\s\w+\:|\s+\[\w+\]\:) EXTRACT-security_domain_name = Domain\:\s(?&lt;Domain_Name&gt;\w[^\,]+) EXTRACT-security_location = Location\:\s(?&lt;Location&gt;.*?[^\,]*) EXTRACT-security_begin_time = Begin\:\s(?&lt;Begin_Time&gt;\d[^\,]+) EXTRACT-security_end_time = End\:\s(?&lt;End_Time&gt;\d[^\,]+) EXTRACT-security_occurrences = Occurrences\:\s+(?&lt;Occurrences&gt;\d[^\,]*) EXTRACT-security_user_name = User\:\s(?&lt;user&gt;\w[^\,]+) EXTRACT-security_local_pt = Local\sPort\:\s+(?&lt;Local_Port&gt;\d[^\,]*) EXTRACT-security_remote_pt = Remote\sPort\:\s+(?&lt;Remote_Port&gt;\d[^\,]*) EXTRACT-security_local_ip = Local\:\s+(?&lt;Local_Host_IP&gt;\d[^\,]+) EXTRACT-security_remote_name = Remote\s\Host\sName\:\s(?&lt;Remote_Host_Name&gt;.*?[^\,]*) EXTRACT-security_remote_ip = Remote\sHost\sIP\:\s(?&lt;Remote_Host_IP&gt;\d[^\,]+) EXTRACT-security_local_mac = Local\sHost\sMAC\:\s(?&lt;Local_Host_MAC&gt;\w[^\,]+) EXTRACT-security_intrusion_url = Intrusion\sURL\:\s(?&lt;Intrusion_URL&gt;.*?[^\,]*) EXTRACT-security_intrusion_payload_url = Intrusion\sPayload\sURL\:\s(?&lt;Intrusion_Payload_URL&gt;.*?[^\,]*) EXTRACT-security_md5 = MD\-5\:\s(?&lt;MD_5&gt;.*?[^\,]*) EXTRACT-security_sha256 = SHA\-256\:\s(?&lt;SHA_256&gt;.*?[^\,]*) EXTRACT-security_signature_id = CIDS\sSignature\sID\:\s(?&lt;CIDS_Signature_ID&gt;.*?[^\,]*) EXTRACT-security_signature_string = CIDS\sSignature\sstring\:\s(?&lt;CIDS_Signature_String&gt;.*?[^\,]*) EXTRACT-security_signature_subid = CIDS\sSignature\sSubID\:\s(?&lt;CIDS_Signature_SubID&gt;.*?[^\,]*) EXTRACT-security_app_name = Application\:\s(?&lt;Application_Name&gt;.*?[^\,]*) EXTRACT-security_remote_mac = Remote\sHost\sMAC\:\s(?&lt;Remote_Host_MAC&gt;\d[^\,]+)\,(?&lt;Traffic_Direction&gt;\w[^\,]+)\,(?&lt;Network_Protocol&gt;\d[^\,]*)\,(?&lt;Hack_Type&gt;\w*) EXTRACT-security_app_path = Application\spath\:\s(?&lt;Application_Path&gt;.*?[^\,]*) EXTRACT-security_sid = \[SID\:\s(?&lt;SID&gt;\d[^\]]+) EXTRACT-security_audit = Audit\:\s(?&lt;Audit&gt;.*?[^\,.]*)(?=.\s|\,) EXTRACT-security_requirement = Requirement\:\s(?&lt;Requirement1&gt;.*?[^\,]*)\sRequirement\:\s(?&lt;Requirement2&gt;.*?[^\,]*) [symantec:ep:traffic:file] EXTRACT-traffic_vendor_severity = ^[\d\-\s\:]+\,(?&lt;vendor_severity&gt;.*?[^\,]*)\,(?&lt;Host_Name&gt;\w[^\,]+) EXTRACT-traffic_domain_name = Domain\:\s(?&lt;Domain_Name&gt;\w[^\,]+) EXTRACT-traffic_location = Location\:\s(?&lt;Location&gt;.*?[^\,]*) EXTRACT-traffic_begin_time = Begin\:\s(?&lt;Begin_Time&gt;\d[^\,]+) EXTRACT-traffic_end_time = End\:\s(?&lt;End_Time&gt;\d[^\,]+) EXTRACT-traffic_occurrences = Occurrences\:\s+(?&lt;Occurrences&gt;\d[^\,]*) EXTRACT-traffic_user_name = User\:\s(?&lt;user&gt;\w[^\,]+) EXTRACT-traffic_local_pt = Local\sPort\:\s+(?&lt;Local_Port&gt;\d[^\,]*) EXTRACT-traffic_remote_pt = Remote\sPort\:\s+(?&lt;Remote_Port&gt;\d[^\,]*) EXTRACT-traffic_remote_name = Remote\s\Host\sName\:\s(?&lt;Remote_Host_Name&gt;.*?[^\,]*) EXTRACT-traffic_remote_ip = Remote\sHost\sIP\:\s(?&lt;Remote_Host_IP&gt;\d[^\,]+) EXTRACT-traffic_local_mac = Local\sHost\sMAC\:\s(?&lt;Local_Host_MAC&gt;\w[^\,]+) EXTRACT-traffic_md5 = MD\-5\:\s(?&lt;MD_5&gt;.*?[^\,]*) EXTRACT-traffic_sha256 = SHA\-256\:\s(?&lt;SHA_256&gt;.*?[^\,]*) EXTRACT-traffic_app_name = Application\:\s(?&lt;Application_Name&gt;.*?[^\,]*) EXTRACT-traffic_local_ip = Local\sHost\:\s+(?&lt;Local_Host_IP&gt;\d[^\,]+) EXTRACT-traffic_remote_mac = Remote\sHost\sMAC\:\s(?&lt;Remote_Host_MAC&gt;\d[^\,]+)\,(?&lt;Network_Protocol&gt;\d[^\,]*)\,(?&lt;Traffic_Direction&gt;\w[^\,]+) EXTRACT-traffic_vendor_action = Action\:\s(?&lt;vendor_action&gt;\w[^\,]+) EXTRACT-traffic_rule_name = Rule\:\s(?&lt;Rule_Name&gt;\w[^\,]+) </CODE></PRE> Wed, 31 Jul 2019 18:42:08 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454510#M55903 csperry_splunk 2019-07-31T18:42:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454511#M55904 <P>Thanks for putting this together. It worked perfectly.</P> Thu, 22 Aug 2019 13:04:54 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454511#M55904 rubacker527 2019-08-22T13:04:54Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454512#M55905 <P>You mean <CODE>props.conf</CODE>, correct?</P> Fri, 23 Aug 2019 14:43:25 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454512#M55905 dshpritz 2019-08-23T14:43:25Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454513#M55906 <P>That is exactly what I meant. I just typed the wrong file name in.</P> Fri, 23 Aug 2019 14:50:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454513#M55906 csperry_splunk 2019-08-23T14:50:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454514#M55907 <P>Fixed the bad file name---thanks</P> Fri, 23 Aug 2019 14:51:37 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454514#M55907 csperry_splunk 2019-08-23T14:51:37Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454515#M55908 <P>@csperry my guys just deployed 14.2RU1Mp1 any idea if that one is covered by your props method? Immediately my analysts told me; symantec:ep:security:file / [field_extraction_for_agt_security] went away; the only change I saw was "Local:" went to "Local Host IP:" in the raw logs, so I tried to rig some tests with | rex but it does not seem to fix all of it, but i am only just learning. If you have any insight or an update I'll buy you a cola and conf man. I'll see if I can put your props up on the SHC after hours tonight.</P> Wed, 30 Sep 2020 01:55:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454515#M55908 GDustin 2020-09-30T01:55:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454516#M55909 <P>14.2RU1Mp1 (14.2.4814.1101).<BR /> <A href="https://support.symantec.com/us/en/article.TECH154475.html">https://support.symantec.com/us/en/article.TECH154475.html</A><BR /> Name Version/Build Release Date<BR /> (General Availability)<BR /> 14.2.1.1 (14.2 RU1 MP1) 14.2.4814.1101 August 20, 2019</P> Tue, 27 Aug 2019 05:27:48 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454516#M55909 GDustin 2019-08-27T05:27:48Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454517#M55910 <P>@csperry; False alarm, yes props method looks good and gets our dashboards populating again; Thanks.</P> <P>`<BR /> symantec:ep:security:file : EXTRACT-security_local_ip<BR /> Inline Local\sHost\sIP:\s+(?<LOCAL_HOST_IP>\d[^\,]+) No owner Splunk_TA_symantec-ep Global </LOCAL_HOST_IP></P> <P>[“Original”] Local:\s+(?\d[^\,]+)<BR /> [“No Go”] Local Host IP:\s+(?\d[^\,]+)<BR /> [“Go”] Local\sHost\sIP:\s+(?\d[^\,]+)<BR /> `</P> Wed, 30 Sep 2020 01:56:09 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454517#M55910 GDustin 2020-09-30T01:56:09Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454518#M55911 <P>Thanks, this worked for me</P> Wed, 28 Aug 2019 05:49:27 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454518#M55911 dsofoulis 2019-08-28T05:49:27Z https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454519#M55912 <P>This is a much better idea.</P> Mon, 16 Sep 2019 06:10:56 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/SEP-14-2-RU1-log-format-change/m-p/454519#M55912 jeremyhagand61 2019-09-16T06:10:56Z