Hi @PickleRick,

Thank you for the clarification, and yes, you are correct: I am addressing the same issue. Here's the updated response that reflects the correct sequence of events:

1. Component Placement

The Universal Forwarder (UF) is responsible only for collecting and forwarding data and does not perform parsing or transformations. SEDCMD settings in props.conf must therefore be applied on the indexers, where parsing occurs. Since there are no Heavy Forwarders in the architecture, the indexers were the correct location for these configurations.

2. Stanza Naming and Testing

I confirm that the XmlWinEventLog: Security stanza was the correct choice for this configuration. Each SEDCMD was tested separately in this stanza:

- The first SEDCMD partially worked, applying some transformations but not entirely meeting the expected output.
- The second SEDCMD, tested independently, caused Event ID 4627 to stop being indexed altogether.

These results confirm that XmlWinEventLog: Security is the appropriate naming convention, as the configuration was correctly recognised and applied. Additionally, I tested other stanzas, including WinEventLog: Security, and none worked as intended, further validating that XmlWinEventLog: Security is the correct stanza to use.

3. Configuration Location

For quick validation during testing, the configurations were initially placed in system/local. For production deployment, they have been moved into dedicated apps, ensuring better organisation, ease of updates, and compliance with Splunk's best practices.

4. Regex Validation

Both SEDCMD regex directives were validated using | makeresults with the raw event data. The partial success of the first and the indexing failure of the second highlight that the regex logic itself or environmental factors need adjustment for consistent application in production.

I hope this clears up any concerns and confirms the steps taken during testing and deployment.

Let me know if there's anything else you'd like me to elaborate on to be able to resolve the issue.

Best regards,
Dan