props.conf [delinea:secretserver] category = Custom description = Secret Server Logs EXTRACT-event_id_name = \|Secret Server\|[^\|]*\|(?<event_id>[^\|]*)\|(?<event_name>[^\|]*)\| #REPORT-key_value_pair = key_value_pair KV_MODE = auto  

It looks like you just want to reformat the JSON output - I am not sure Splunk is the right tool for this. Have you considered using a scripting or text processing language, e.g. perl, awk, python, etc.?

This is some experimenting I have done following the youtube video above. There is some other work as i would like to get the gap between any date ranges to be used in an average calculation, once i have this timepicker issue sorted. <form> <label>SO-testing</label> <search> <query>|makeresults</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> <progress> <eval token="toearliest">strptime("$job.earliestTime$","%Y-%m-%dT%H:%M:%S.%3N+%z")</eval> <eval token="tolatest">strptime("$job.latestTime$","%Y-%m-%dT%H:%M:%S.%3N+%Z")</eval> <eval token="tokgap"></eval>(($job.latestTime$-$job.earliestTime$)/86400) <set token="jobearliest">$job.earliestTime$</set> <set token="joblatest">$job.latestTime$</set> </progress> </search> <fieldset submitButton="false"> <input type="time" token="time"> <label>timepicker</label> <default> <earliest>-48h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> </row> <row> <panel> <table> <title>token values</title> <search> <query> | makeresults |eval timeTokenearliest="$time.earliest$" |eval timeTokenlatest="$time.latest$" |eval gap=timeTokenlatest-timeTokenearliest |eval jobearliest = "$jobearliest$" |eval joblatest = "$joblatest$" |eval toearliest ="$toearliest$" |eval tolatest ="$tolatest$" |eval gapday = tostring(gap,"duration") |eval gapday1 = gap/86400 |eval reltimeearl = relative_time(now(),"$time.earliest$") |eval reltimelate = relative_time(now(),"$time.latest$") |table _time reltimeearl reltimelate timeTokenearliest timeTokenlatest gap gapday gapday1 tokgap jobearliest joblatest toearliest tolatest </query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> </form>  

Hi @richgalloway , Could you pls make changes as you requested. This is the regex used in the tranforms https://regex101.com/r/YhoZHW/1 My transforms looks like  [key_value_pair] REGEX = (\w+)=(.*?)(?=\s\w+=|$) FORMAT = $1::$2 props.conf [delinea:secretserver] category = Custom description = Secret Server Logs EXTRACT-event_id_name = \|Secret Server\|[^\|]*\|(?<event_id>[^\|]*)\|(?<event_name>[^\|]*)\| REPORT-key_value_pair = key_value_pair # Field renames FIELDALIAS-cs1 = cs1 as modified_role_name # FIELDALIAS-cs1label = cs1label as modified_role_name FIELDALIAS-cs2 = cs2 as user_or_group_name # FIELDALIAS-cs2label = cs2label as user_or_group_name FIELDALIAS-cs3 = cs3 as folder_name # FIELDALIAS-cs3label = cs3label as folder_name FIELDALIAS-cs4 = cs4 as source_user FIELDALIAS-fname = fname as target_item FIELDALIAS-rt = rt as event_time Thanks..

What is your question?  We need a lot more information before we can help.  What help do you need?  What is the dashboard expected to do?  Is the data already onboarded with fields extracted?  What have you tried so far and what have been the results?