Hi Team,

Need help in parsing AWS Managed Active Directory. AD Team is writing logs to CloudWatch, and we have Splunk Add-on for AWS which consumes these logs through Kinesis stream. I have props config to convert the logs to xmlwineventlog sourcetype, after which data is parsed but not all the fields. I want the add-on to parse using the source [xmlwineventlog:security] but that is not happening.

Here is my props config:

    [source://*securitylogs]
    Transforms-Index=override_st_props,override_source_props

And transforms as below:

    [override_st_props]
    REGEX = .
    FORMAT = sourcetype::xmlwineventlog
    DEST_KEY = MetaData:Sourcetype

    [override_source_props]
    REGEX = .
    FORMAT = source::xmlwineventlog:security
    DEST_KEY = MetaData:Source

It is getting changed on sourcetype and source, but parsing is happening based on sourcetype as per Windows add-on and not on source.

Hope I made it clear, please help.
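The following props.conf/transforms.conf pair is an added illustration of the index-time override the post describes; it is not the poster's configuration and not shipped by either add-on. It assumes the poster's `*securitylogs` source pattern is unchanged, spells the key as `TRANSFORMS-<name>` in upper case as Splunk documents it, and rewrites to the capitalised names `XmlWinEventLog` / `XmlWinEventLog:Security`, which are the stanza names the Splunk Add-on for Windows keys its search-time extractions and eventtypes on.

```ini
# props.conf  (added example; the source pattern is the poster's, assumed unchanged)
# Must live on the instance that parses the data, i.e. the heavy forwarder / IDM
# running the Kinesis input or the indexer, not only on the search head:
# index-time transforms never fire from a search head.
[source::*securitylogs]
TRANSFORMS-winevent = set_xmlwineventlog_sourcetype, set_xmlwineventlog_source

# transforms.conf  (added example)
# Match every event (REGEX = .) and rewrite the sourcetype metadata field.
[set_xmlwineventlog_sourcetype]
REGEX    = .
FORMAT   = sourcetype::XmlWinEventLog
DEST_KEY = MetaData:Sourcetype

# Match every event and rewrite the source metadata field to the value the
# Windows add-on uses for the Security channel.
[set_xmlwineventlog_source]
REGEX    = .
FORMAT   = source::XmlWinEventLog:Security
DEST_KEY = MetaData:Source
```

Two caveats worth checking. First, an index-time override only changes the metadata stored with the event; line breaking and timestamp extraction have already happened under the original AWS sourcetype, so only the search-time pieces of the Windows add-on (field extractions, eventtypes, CIM tags) can take effect on the rewritten events. Second, after a restart of the parsing tier, confirm the change on new data with a search such as `index=<your_index> sourcetype=XmlWinEventLog source="XmlWinEventLog:Security"` and look for add-on fields like `EventCode` and an `eventtype` value; if they are missing, the rewrite is landing on the search head or the names differ in case from the add-on's stanzas.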