I have the following data as a sample:

SHAREPOINT01","\Microsoft\Windows\Tcpip\IpAddressConflict2","N/A","Ready","Interactive/Background","N/A","1","Microsoft Corporation","%windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem","N/A","This event is triggered when an IP address conflict is detected.","Enabled","Disabled","Stop On Battery Mode, No Start On Batteries","Users","Enabled","72:00:00","Scheduling data is not available in this format.","When an event occurs","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A"
"SHAREPOINT01","\Microsoft\Windows\TextServicesFramework\MsCtfMonitor","N/A","Running","Interactive/Background","6/26/2014 2:33:12 PM","267009","N/A","COM handler","N/A","TextServicesFramework monitor task","Enabled","Disabled","","Users","Enabled","Disabled","Scheduling data is not available in this format.","At logon time","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A"
"SHAREPOINT01","\Microsoft\Windows\Time Synchronization\SynchronizeTime","6/29/2014 1:00:00 AM","Ready","Interactive/Background","6/22/2014 1:00:00 AM","1058","Microsoft Corporation","%windir%\system32\sc.exe start w32time task_started","N/A","Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.","Enabled","Disabled","Stop On Battery Mode","LOCAL SERVICE","Enabled","72:00:00","Scheduling data is not available in this format.","Weekly","1:00:00 AM","1/1/2005","N/A","SUN","Every 1 week(s)","Disabled","Disabled","Disabled","Disabled"
"SHAREPOINT01","\Microsoft\Windows\UPnP\UPnPHostConfig","N/A","Ready","Interactive/Background","N/A","1","Microsoft","sc.exe config upnphost start= auto","N/A","Set UPnPHost service to Auto-Start","Enabled","Disabled","Stop On Battery Mode, No Start On Batteries","SYSTEM","Enabled","72:00:00","Scheduling data is not available in this format.","On demand only","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A"
"SHAREPOINT01","\Microsoft\Windows\User Profile Service\HiveUploadTask","Disabled","","Interactive/Background","N/A","1","Microsoft Corporation","COM handler","N/A","This task will automatically upload a roaming user profile's registry hive to its network location.","Disabled","Only Start If Idle for 10 minutes, If Not Idle Retry For 120 minutes","Stop On Battery Mode","SYSTEM","Disabled","72:00:00","Scheduling data is not available in this format.","One Time Only, Hourly ","12:00:00 AM","8/28/2007","N/A","N/A","N/A","12 Hour(s), 0 Minute(s)","None","Disabled","Disabled"
"SHAREPOINT01","\Microsoft\Windows\WDI\ResolutionHost","N/A","Ready","Interactive/Background","N/A","1","Microsoft Corporation","COM handler","N/A","The Windows Diagnostic Infrastructure Resolution host enables interactive resolutions for system problems detected by the Diagnostic Policy Service. It is triggered when necessary by the Diagnostic Policy Service in the appropriate user session. If the ","Enabled","Disabled","","INTERACTIVE","Enabled","Disabled","Scheduling data is not available in this format.","On demand only","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A"
"SHAREPOINT01","\Microsoft\Windows\Windows Error Reporting\QueueReporting","N/A","Ready","Interactive/Background","6/13/2014 4:22:05 PM","0","Microsoft Corporation","%windir%\system32\wermgr.exe -queuereporting","N/A","Windows Error Reporting task to process queued reports.","Enabled","Disabled","","Users","Enabled","72:00:00","Scheduling data is not available in this format.","At logon time","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A"
"SHAREPOINT01","\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange","N/A","Ready","Interactive/Background","N/A","1","Microsoft Corporation","%windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange","N/A","This task adjusts the start type for firewall-triggered services when the start type of the Base Filtering Engine (BFE) is disabled.","Enabled","Disabled","","SYSTEM","Enabled","72:00:00","Scheduling data is not available in this format.","When an event occurs","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A"
"SHAREPOINT01","\Microsoft\Windows\WindowsColorSystem\Calibration Loader","Disabled","","Interactive/Background","7/14/2009 12:06:48 AM","0","Microsoft Corporation","COM handler","N/A","This task applies color calibration settings.","Disabled","Disabled","","Users","Disabled","Disabled","Scheduling data is not available in this format.","At logon time","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A"
"SHAREPOINT01","\Microsoft\Windows\WindowsColorSystem\Calibration Loader","Disabled","","Interactive/Background","7/14/2009 12:06:48 AM","0","Microsoft Corporation","COM handler","N/A","This task apponths","Repeat: Every","Repeat: Until: Time","Repeat: Until: Duration","Repeat: Stop If Still Running"

Using a props.conf and transform to filter data.

Props.conf section:

# Used to format the time stamp of schedule task data collected Win Servers, filter events as well
[schtaskswin]
DATETIME_CONFIG=CURRENT
TRANSFORMS-null=dumpschtaskheader, dumpschtaskdata

Transform.conf Section:

# dump scheduled task data as needed
[dumpschtaskdata]
REGEX=Microsoft
DEST_KEY=queue
FORMAT=nullQueue

# Scheduled Task Header
[dumpschtaskheader]
REGEX=\"HostName\"\,|schtasks\s/query\s
DEST_KEY=queue
FORMAT=nullQueue

So the above works right now and I toss out any Microsoft tasks and also my headers, etc. What I want is be more specific and toss them out only if "\Microsoft\ so if someone uses the word Microsoft it will still show up as a splunk entry.

I tried the regex as \"\Microsoft\ and also one as \Microsoft\ but they did not work. What am I doing wrong? BTW - when I was testing the other regex expressions I had the sections in the transform flipped around, not sure it would really matter, but was frustrated trying to make it work and was trying various things and flipped them at the same time I just used just Microsoft as the regex to see if it would even do anything and now it is. So I know now the transform is processing at least and it seems to be in the other regex expressions. Before messing more with it I thought I would seek help. Thanks.