Hi @uagraw01  Some interesting info at https://docs.splunk.com/Documentation/Splunk/latest/data/Specifyinputpathswithwildcards if you havent already seen it. On Windows, if you specify the [monitor://C:\Windows\foo\bar*.log] stanza in the inputs.conf file, Splunk Enterprise translates the path into this: [monitor://C:\Windows\foo\] whitelist = bar[^\\]*\.log$ In Windows, allow list and deny list rules don't support regular expressions that include backslashes. Use two backslashes (\\) to escape wildcards. This means [monitor://E:\var\log\Bapto\BaptoEventsLog\SZC\*.csv] becomes [monitor://E:\var\log\Bapto\BaptoEventsLog\SZC\] whitelist = [^\\]*\.csv$ Im wondering if this whitelist is being overwritten somehow, have you specified any whitelist? It might be worth trying the following input to see if this works, basically explicitly setting the whitelist to what its expecting. [monitor://E:\var\log\Bapto\BaptoEventsLog\SZC\] whitelist = [^\\]*\.csv$ Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will   ... View more

Hello Vishal, is the folder structure always the same? If yes, this should work: | rex field=source "Daily Reporting\\(?<business_unit>[^\\]+)" If not you could use this regex: \\\\[^\\]+\\[^\\]+\\[^\\]+\\[^\\]+\\[^\\]+\\(?<business_unit>[^\\]+)   If you want to include this to props.conf and transforms.conf try something like this: props.conf [sourcetype] REPORT-my_fields = business_unit transforms.conf [business_unit] SOURCE_KEY = source REGEX = one of the above mentioned regex   If this helps please upvote my answer. Best regards, Vincent ... View more