Currently the app I'm working on generates log events in the following (simplified/obfuscated) format before they are ingested into Splunk:

```
2021-09-24 19:00:00.016 +00:00 [Warning] Something.SomethingElse.YetAnotherThing: jsonData={ "alice": "Alison", "bob": "Bobby", "group" : {"joe": "Joseph", "jane": "Janet"}}
```

The only bits of those log events which are important are the timestamp at the leftmost end, and the well-formed JSON data after the equals sign.

What I wish was possible is to change the event being created by the application to be only a well-formed JSON object that included the timestamp. In other words, something like this:

```
{"_time":"2021-09-24 19:00:00.016 +00:00", "alice": "Alison", "bob": "Bobby", "thing" : {"joe": "Joseph", "jane": "Janet"}}
```

But that is its own challenge (outside of Splunk) which will take me time to make happen. In the meantime I wonder if there is something I could set up in Splunk so that, at ingestion time, the original log event was transformed into that latter format. This would save me from having to do `rex` & `rename` commands like this as part of each and every Splunk query I want to run, which is not only annoying but, I'm guessing, slows down the queries as well.

```
host="something" | rex "jsonData=(?<jsonData>.+})" | rename jsonData as _raw | spath | search event="*Exception*"
```

Is this possible? Furthermore, is this possible given that the events are ingested from Azure via the plugin Splunk Add-on for Microsoft Cloud Services?
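The following is an added example, not code from the post or from Splunk: a small Python parser for the line format quoted above that produces the target JSON object (timestamp under `_time`, followed by the keys of the `jsonData` payload). The regular expression, the function names and the sample lines are all assumptions constructed for this illustration; the keys are carried over unchanged, so the `group`/`thing` rename in the post's target example is not applied. Lines that do not match the format, or whose `jsonData` is not a valid JSON object, are rejected rather than silently passed through, which is the behaviour you want before trusting such events in searches.

```python
import json
import re
from datetime import datetime

# Regex for the (assumed) line layout quoted in the post:
#   <timestamp with offset> [<level>] <logger>: jsonData=<json object>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{2}:\d{2}) "
    r"\[(?P<level>\w+)\] (?P<logger>\S+): jsonData=(?P<json>\{.*\})\s*$"
)

# Constructed sample input: the post's line, a line with malformed JSON
# (trailing comma), and a line with no jsonData payload at all.
SAMPLE_LINES = [
    '2021-09-24 19:00:00.016 +00:00 [Warning] Something.SomethingElse.YetAnotherThing: '
    'jsonData={ "alice": "Alison", "bob": "Bobby", "group" : {"joe": "Joseph", "jane": "Janet"}}',
    '2021-09-24 19:00:01.000 +00:00 [Error] Something.Else: jsonData={ "alice": "Alison", }',
    '2021-09-24 19:00:02.000 +00:00 [Info] Something.Else: started worker 3',
]


def parse_timestamp(ts: str) -> float:
    """Return the epoch seconds for a '2021-09-24 19:00:00.016 +00:00' style timestamp."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f %z").timestamp()


def transform_event(line: str) -> dict:
    """Rewrite one log line into {'_time': ..., <keys from jsonData>...}.

    Raises ValueError when the line does not match the layout, the timestamp
    does not parse, or the payload is not a JSON object.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("line does not match the expected layout")
    parse_timestamp(m.group("ts"))  # validate the timestamp up front
    payload = json.loads(m.group("json"))  # JSONDecodeError is a ValueError
    if not isinstance(payload, dict):
        raise ValueError("jsonData is not a JSON object")
    # Put _time first so it is the leading key, as in the post's target format.
    event = {"_time": m.group("ts")}
    event.update(payload)
    return event


def transform_lines(lines):
    """Split a batch into (accepted events, rejected (line, reason) pairs)."""
    events, rejects = [], []
    for line in lines:
        try:
            events.append(transform_event(line))
        except ValueError as exc:
            rejects.append((line, str(exc)))
    return events, rejects


if __name__ == "__main__":
    ok, bad = transform_lines(SAMPLE_LINES)
    for ev in ok:
        print(json.dumps(ev))
    for line, reason in bad:
        print(f"rejected ({reason}): {line}")
```

The same regex shape (anchored timestamp group, then the `jsonData=` payload) is what you would carry over into a sed-style rewrite in Splunk's `props.conf` (`SEDCMD`) if you test the index-time route, so it is worth getting the expression right against real lines here first.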