I am new to using the Transfroms.conf and props.conf to manipulate data. The issue we are experiencing is in our WinEventLog data, we have a field that comes over as Creator Process Name

Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe

However most of the correlation searches are looking for process name, parent process name, etc. I have created a field alias to have the Creator Process Name also follow parent process name. I am trying to use Transforms and props in order to drop most of the file path for process name field, for example:

Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe

Process Name: splunkd.exe

Here is my current entry in Transfroms.conf

[Creator_Process_Name_as_process_name]
SOURCE_KEY = Creator_Process_Name
REGEX = \t\w:.*[\\](?<process_name>.*)\n
FORMAT = process_name::$1

and in Props.conf

TRANSFORMS-Creator_Process_Name_as_process_name = Creator_Process_Name_AS_process_name

Doesn't seem to be working like it should, I actually do get a process name populated but it is the whole flie path. Regex101 seems to show the Regex to be correct in just pulling the .exe