Can you give us the entire stanza from props.conf?

[nessus:scan]
EXTRACT-cve = \((?<cve>CVE[\w-]+)

I've created a props.conf in a 'local' folder in the TA so thats all thats in that file.

Also - just picking up on this sentance:

I've created a props.conf in a 'local' folder in the TA so thats all thats in that file.

Is that TA (App) shared globally on the searchhead?
In order for your extraction to be available in another app, you need to make sure that it is shared globally.

If you had a TA, which is not 'visible' in your apps list on the SH, unless global, you will never be in that apps context so your extractions wont be visible from say 'search and reporting' or any other app.

Ah ok, confusion with "source" vs "sourcetype"

If your props stanza is a source you must use
[source::/var/log/mylog]

if it's a sourcetype you just use the sourcetype name which in your case is nessus:scan, so
[nessus:scan]
is correct.

Out of interest, how are you collecting logs from nessus - are you using an app to collect data from Security Centre via the API? (if so which one)

Sorry - hit submit too early...

The reason I ask, is that i suspect the logs are being imported as json, which means that raw event may look different to what you see rendered as events in the UI

Could you try (?<cve>CVE[^)]+) as the regex instead?

Hi, thanks for such a quick response. No change unfortunately. I've added the :: mentioned here as well (which I've not seen used before).
Very strange, I've never had issues with this before. Maybe something it doesn't like in the regex?