I have a source which is csv but has no headers. I'm trying to set up props.conf and transforms.conf to supply these rather than have to edit every csv file to add them, but the darn thing won't work. Here is props.conf: [winsec_csv] TRANSFORMS-winsec = extract_winsec

transforms.conf: [extract_winsec] DELIMS="," REGEX=* FIELDS = "logtype", "time", "logtype1", "eventcode", "status", "actiontype", "userid", "dc", "message"

Sample events: SEC,06/05/2010 10:31:24,Security,540,Success,Logon/Logoff ,UNISUPER\MEPUTIL04$,MEPDOM02,Successful Network Logon:^User Name: MEPUTIL04$^ Domain: UNISUPER^Logon ID: (0x0 0x27048EFB)^ Logon Type: 3^Logon Process: Kerberos^ Authentication Package: Kerberos^Workstation Name: ^ Logon GUID: {4fff3638-0ad5-b2d7-7358-2ae3dd4509b3}^Caller User Name: -^ Caller Domain: -^Caller Logon ID: -^ Caller Process ID: -^Transited Services: -^ Source Network Address: 10.3.37.101^Source Port: 0^ SEC,06/05/2010 10:31:26,Security,540,Success,Logon/Logoff ,UNISUPER\WS-02241$,MEPDOM02,Successful Network Logon:^User Name: WS-02241$^ Domain: UNISUPER^Logon ID: (0x0 0x2704BA25)^ Logon Type: 3^Logon Process: Kerberos^ Authentication Package: Kerberos^Workstation Name: ^ Logon GUID: {268894b4-e2a0-3b99-b2a8-c446da5c7eca}^Caller User Name: -^ Caller Domain: -^Caller Logon ID: -^ Caller Process ID: -^Transited Services: -^ Source Network Address: 10.3.0.160^Source Port: 0^

The REGEX I have added in frustration because of the error 'REGEX must be specified'--don't see why, it's not used. Now no data is being indexed at all, but I don't get the error message...

Yes this is windows security event log but for complicated reasons I can't use it directly--have to have this.

How do I do this? I can use a generic solution to this for other scenarios anyway. The documentation shows this to be straightforward--so why won't it go??