https://community.splunk.com/t5/Splunk-Search/Regex-in-transforms-conf/m-p/555193#M157586 <P>I'm trying to get this extraction for the filename to work via transforms.conf but it isn't working. Any ideas?</P><P>[My_source_type]</P><P>REPORT-file= extract_file</P><P>&nbsp;</P><P>[extract_file]</P><P>REGEX =&lt;Data Name='TargetFilename'&gt;.*\\\\(?&lt;file&gt;[\S\s+]*)&lt;\/Data&gt;</P><P>FORMAT = file:$3</P><P>&nbsp;</P><P>&lt;Event xmlns='omitted&gt;&lt;System&gt;&lt;Provider Name='Microsoft-Windows-Sysmon' Guid='{omitted}'/&gt;&lt;EventID&gt;2&lt;/EventID&gt;&lt;Version&gt;4&lt;/Version&gt;&lt;Level&gt;4&lt;/Level&gt;&lt;Task&gt;2&lt;/Task&gt;&lt;Opcode&gt;0&lt;/Opcode&gt;&lt;Keywords&gt;omitted&lt;/Keywords&gt;&lt;TimeCreated SystemTime='2021-06-09T16:31:46.813927400Z'/&gt;&lt;EventRecordID&gt;947063&lt;/EventRecordID&gt;&lt;Correlation/&gt;&lt;Execution ProcessID='4824' ThreadID='6932'/&gt;&lt;Channel&gt;Microsoft-Windows-Sysmon/Operational&lt;/Channel&gt;&lt;Computer&gt;omitted&lt;/Computer&gt;&lt;Security UserID='S-1-5-18'/&gt;&lt;/System&gt;&lt;EventData&gt;&lt;Data Name='RuleName'&gt;&lt;/Data&gt;&lt;Data Name='UtcTime'&gt;2021-06-09 16:31:46.813&lt;/Data&gt;&lt;Data Name='ProcessGuid'&gt;{omitted}&lt;/Data&gt;&lt;Data Name='ProcessId'&gt;11932&lt;/Data&gt;&lt;Data Name='Image'&gt;C:\Users\omitted\AppData\Local\Microsoft\Teams\current\Teams.exe&lt;/Data&gt;&lt;Data Name='TargetFilename'&gt;C:\Users\omitted\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\<STRONG>EJ5T0WEDS801S4OF2UEY.temp</STRONG>&lt;/Data&gt;&lt;Data Name='CreationUtcTime'&gt;2020-04-21 21:00:25.187&lt;/Data&gt;&lt;Data Name='PreviousCreationUtcTime'&gt;2021-06-09 16:31:46.802&lt;/Data&gt;&lt;/EventData&gt;&lt;/Event&gt;</P> Wed, 09 Jun 2021 22:39:04 GMT TheBravoSierra 2021-06-09T22:39:04Z https://community.splunk.com/t5/Splunk-Search/Regex-in-transforms-conf/m-p/555193#M157586 <P>I'm trying to get this extraction for the filename to work via transforms.conf but it isn't working. Any ideas?</P><P>[My_source_type]</P><P>REPORT-file= extract_file</P><P>&nbsp;</P><P>[extract_file]</P><P>REGEX =&lt;Data Name='TargetFilename'&gt;.*\\\\(?&lt;file&gt;[\S\s+]*)&lt;\/Data&gt;</P><P>FORMAT = file:$3</P><P>&nbsp;</P><P>&lt;Event xmlns='omitted&gt;&lt;System&gt;&lt;Provider Name='Microsoft-Windows-Sysmon' Guid='{omitted}'/&gt;&lt;EventID&gt;2&lt;/EventID&gt;&lt;Version&gt;4&lt;/Version&gt;&lt;Level&gt;4&lt;/Level&gt;&lt;Task&gt;2&lt;/Task&gt;&lt;Opcode&gt;0&lt;/Opcode&gt;&lt;Keywords&gt;omitted&lt;/Keywords&gt;&lt;TimeCreated SystemTime='2021-06-09T16:31:46.813927400Z'/&gt;&lt;EventRecordID&gt;947063&lt;/EventRecordID&gt;&lt;Correlation/&gt;&lt;Execution ProcessID='4824' ThreadID='6932'/&gt;&lt;Channel&gt;Microsoft-Windows-Sysmon/Operational&lt;/Channel&gt;&lt;Computer&gt;omitted&lt;/Computer&gt;&lt;Security UserID='S-1-5-18'/&gt;&lt;/System&gt;&lt;EventData&gt;&lt;Data Name='RuleName'&gt;&lt;/Data&gt;&lt;Data Name='UtcTime'&gt;2021-06-09 16:31:46.813&lt;/Data&gt;&lt;Data Name='ProcessGuid'&gt;{omitted}&lt;/Data&gt;&lt;Data Name='ProcessId'&gt;11932&lt;/Data&gt;&lt;Data Name='Image'&gt;C:\Users\omitted\AppData\Local\Microsoft\Teams\current\Teams.exe&lt;/Data&gt;&lt;Data Name='TargetFilename'&gt;C:\Users\omitted\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\<STRONG>EJ5T0WEDS801S4OF2UEY.temp</STRONG>&lt;/Data&gt;&lt;Data Name='CreationUtcTime'&gt;2020-04-21 21:00:25.187&lt;/Data&gt;&lt;Data Name='PreviousCreationUtcTime'&gt;2021-06-09 16:31:46.802&lt;/Data&gt;&lt;/EventData&gt;&lt;/Event&gt;</P> Wed, 09 Jun 2021 22:39:04 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-transforms-conf/m-p/555193#M157586 TheBravoSierra 2021-06-09T22:39:04Z https://community.splunk.com/t5/Splunk-Search/Regex-in-transforms-conf/m-p/555216#M157595 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230424">@TheBravoSierra</a>&nbsp;,<BR /><BR />Can you check if the following works?<BR />&lt;Data Name='TargetFilename'&gt;.*\\(?&lt;file&gt;[\S\s+]*)&lt;\/Data&gt;</P> Thu, 10 Jun 2021 04:45:29 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-transforms-conf/m-p/555216#M157595 t_shreya 2021-06-10T04:45:29Z https://community.splunk.com/t5/Splunk-Search/Regex-in-transforms-conf/m-p/555221#M157597 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230424">@TheBravoSierra</a>&nbsp;</P><LI-CODE lang="markup">[My_source_type] REPORT-file= extract_file [extract_file] REGEX = \&lt;Data Name\=\'TargetFilename\'\&gt;.*\\(?&lt;file&gt;[^&lt;]+) FORMAT = file::$1</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rex_test.PNG" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14565iC0E5FA4C835DC82F/image-size/medium?v=v2&amp;px=400" role="button" title="rex_test.PNG" alt="rex_test.PNG" /></span></P><P>-----</P><P>An upvote would be appreciated if it helps!</P> Thu, 10 Jun 2021 05:27:53 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-transforms-conf/m-p/555221#M157597 venkatasri 2021-06-10T05:27:53Z