Hi @SplunkDash

I can see a few things...

1. This is a search-time extraction, so it needs to be specified on the search head (maybe you have) - this can be done via the SH UI too.
2. You've specified the REGEX like an inline field extraction (see props.conf EXTRACT), so you would not have to use a transforms configuration for this (though I believe it does work in transforms).
3. The regex is not quite right. Try this instead (inline or transforms):

{"UserID":"(?P<UserID>\w+)","UserType":"(?P<UserType>\w+)","System":"(?P<System>\w+)","UAT":"(?P<UAT>.+?)","EventType":"(?P<EventType>.+?)","EventID":"(?P<EventID>.+?)","Subject":"(?P<Subject>.+?)","EventStatus":"(?P<EventStatus>.+?)","TimeStamp":"(?P<TimeStamp>.+?)","Device":"(?P<Device>.+?)","Msg":"(?P<Message>.+?)"}

Having said that, the example events are a good example of using the power of transforms to match recurring patterns and extract them as key-value pairs. In that case the transforms.conf settings would be something like this:

[fieldExtraction]
REGEX = "([^"]+?)":"([^"]+?)"
FORMAT = $1::$2

The REGEX specifies two capture groups and the FORMAT extracts each group as field = value, repeatedly (up to 10000 times, by default).

Some doc links as reference:
https://docs.splunk.com/Documentation/Splunk/8.2.7/Admin/Transformsconf#transforms.conf.example
https://docs.splunk.com/Documentation/Splunk/8.2.7/Admin/Propsconf#Field_extraction_configuration

Hope that helps
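The two extraction approaches in the answer above, applied to constructed events with Python's re module so they can be tried outside Splunk. This is an added example, not code from the answer or from Splunk: the event text and values are made up, the field names are the ones the answer uses, and the repeat-match cap is modelled as a max_matches parameter defaulting to the 10000 the answer states. It also shows what the repeating "key":"value" pattern does with a numeric value, a nested object and a duplicated key, which the answer does not cover.

```python
import re

# Constructed sample event in the shape the answer's named-group regex expects.
# Field names are from the answer; the values are made up.
SAMPLE_EVENT = (
    '{"UserID":"jdoe42","UserType":"admin","System":"billing",'
    '"UAT":"false","EventType":"login","EventID":"evt-1001",'
    '"Subject":"console session","EventStatus":"success",'
    '"TimeStamp":"2024-01-05T10:15:30Z","Device":"wks-17","Msg":"ok"}'
)

# Constructed edge-case events for the repeating key/value pattern.
MIXED_EVENT = '{"UserID":"x","Count":42,"Meta":{"k":"v"}}'
DUPLICATE_EVENT = '{"Device":"a","Device":"b"}'

# The answer's inline-style regex: one named group per field, position-bound.
NAMED_REGEX = re.compile(
    r'{"UserID":"(?P<UserID>\w+)","UserType":"(?P<UserType>\w+)",'
    r'"System":"(?P<System>\w+)","UAT":"(?P<UAT>.+?)",'
    r'"EventType":"(?P<EventType>.+?)","EventID":"(?P<EventID>.+?)",'
    r'"Subject":"(?P<Subject>.+?)","EventStatus":"(?P<EventStatus>.+?)",'
    r'"TimeStamp":"(?P<TimeStamp>.+?)","Device":"(?P<Device>.+?)",'
    r'"Msg":"(?P<Message>.+?)"}'
)

# The answer's transforms.conf REGEX: group 1 is the field name, group 2 the value.
KV_REGEX = re.compile(r'"([^"]+?)":"([^"]+?)"')


def extract_named(event):
    """Mimic the inline extraction: one match, fields taken from group names."""
    m = NAMED_REGEX.search(event)
    return m.groupdict() if m else {}


def extract_kv(event, max_matches=10000):
    """Mimic FORMAT = $1::$2 applied repeatedly (cap assumed from the answer).

    A key that appears more than once becomes a list, standing in for the
    multivalue field Splunk would produce for repeated extractions.
    """
    fields = {}
    for n, m in enumerate(KV_REGEX.finditer(event)):
        if n >= max_matches:
            break
        key, value = m.group(1), m.group(2)
        if key in fields:
            existing = fields[key]
            fields[key] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            fields[key] = value
    return fields


if __name__ == "__main__":
    print("named :", extract_named(SAMPLE_EVENT))
    print("kv    :", extract_kv(SAMPLE_EVENT))
    # "Count":42 has no quoted value and "Meta" holds an object, so neither
    # is extracted; the pattern silently picks up the nested "k":"v" instead.
    print("mixed :", extract_kv(MIXED_EVENT))
    print("dupes :", extract_kv(DUPLICATE_EVENT))
```

Note that the named-group regex returns nothing at all if any one field is missing or out of order, while the repeating pattern extracts whatever quoted pairs it finds and quietly skips unquoted or nested values, so the choice between them depends on how uniform the events really are.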