I am new to using the Transfroms.conf and props.conf to manipulate data. The issue we are experiencing is in our WinEventLog data, we have a field that comes over as Creator Process Name Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe However most of the correlation searches are looking for process name, parent process name, etc. I have created a field alias to have the Creator Process Name also follow parent process name. I am trying to use Transforms and props in order to drop most of the file path for process name field, for example: Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Name: splunkd.exe Here is my current entry in Transfroms.conf [Creator_Process_Name_as_process_name] SOURCE_KEY = Creator_Process_Name REGEX = \t\w:.*[\\](?<process_name>.*)\n FORMAT = process_name::$1 and in Props.conf TRANSFORMS-Creator_Process_Name_as_process_name = Creator_Process_Name_AS_process_name Doesn't seem to be working like it should, I actually do get a process name populated but it is the whole flie path. Regex101 seems to show the Regex to be correct in just pulling the .exe
... View more