Hi @richgalloway, my Splunk instance is a standalone free Splunk Enterprise deployment. I have created the virsec_app and placed all configurations inside the local folder, and also restarted the server. I tried the regexes and all are working, as I tried field extraction from the Splunk GUI and all worked fine, so I tried it through the backend using props.conf, but it seems it doesn't work. Please find below my whole configuration.

inputs.conf

[monitor://c:\\<location for the log>]
index=virsec
sourcetype=virsec_log

props.conf

[virsec_log]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=15
TIME_FORMAT=%b %d %H:%M:%S
TRANSFORMS-sourcetype=virsec_library,virsec_process

[virsec:library]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=15
TIME_FORMAT=%b %d %H:%M:%S
EXTRACT-processpath = Process Path=(?<ProcessPath>.*) Library Checksum
EXTRACT-ParentProcessName = Parent Process Name=(?<ParentProcessName>.*) Process Threat
EXTRACT-LibraryName = Library Name=(?<LibraryName>.*) Start Time
EXTRACT-ProcessName = \d\sProcess Name=(?<ProcessName>.*) Process Profile Id
EXTRACT-LibraryPath = Library Path=(?<LibraryPath>.*) Event Type
EXTRACT-ProcessProfileName = Process Profile Name=(?<ProcessProfileName>.*) Number of Libraries
EXTRACT-ProcessThreatVerificationStatus = Process Threat Verification Status =(?<ProcessThreatVerificationStatus>.*) Process Path

[virsec:process]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=15
TIME_FORMAT=%b %d %H:%M:%S
EXTRACT-processpath = Process Path=(?<ProcessPath>.*) Canary No
EXTRACT-ParentProcessName = Parent Process Name=(?<ParentProcessName>.*) Process Threat
EXTRACT-ProcessName = \d\sProcess Name=(?<ProcessName>.*) Process Profile Id
EXTRACT-ProcessProfileName = Process Profile Name=(?<ProcessProfileName>.*) Number of Libraries
EXTRACT-ProcessThreatVerificationStatus = Process Threat Verification Status =(?<ProcessThreatVerificationStatus>.*) Process Path

transforms.conf

[virsec_library]
SOURCE_KEY = _raw
REGEX = (LibraryMonitoring|LibraryInjection|LibraryHijack)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::virsec:library

[virsec_process]
SOURCE_KEY = _raw
REGEX = (ProcessMonitoring|ProcessInjection)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::virsec:process

indexes.conf

[virsec]
homePath = $SPLUNK_DB/virsec/db
coldPath = $SPLUNK_DB/virsec/colddb
thawedPath = $SPLUNK_DB/virsec/thaweddb
maxDataSize = 10000
maxHotBuckets = 10
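The routing and extraction logic in the configuration above can be exercised offline before touching the Splunk instance. The script below is an added example, not code from the poster, from Splunk or from Virsec: it applies the two transforms.conf REGEX rules (last matching transform wins, as Splunk does for index-time sourcetype rewrites) and then the props.conf EXTRACT-* regexes keyed by the rewritten sourcetype, which is how search-time extractions are looked up. The sample events, host name and field values are constructed to fit the key=value layout the regexes imply and are not real Virsec output; the only translation is PCRE's `(?<name>` to Python's `(?P<name>`, since Python's `re` module does not accept the PCRE form.

```python
import re

# Constructed sample events (not from the original post). One event per line,
# in the "Key=Value Key=Value" layout the poster's EXTRACT regexes imply.
LIBRARY_EVENT = (
    "Mar 10 12:34:56 appsrv01 virsec: Process Profile Name=WebTier "
    "Number of Libraries=3 Process Name=httpd Process Profile Id=42 "
    "Parent Process Name=init Process Threat Verification Status =Verified "
    "Process Path=/usr/sbin/httpd Library Checksum=9f86d08 "
    "Library Name=libssl.so Start Time=12:34:00 "
    "Library Path=/usr/lib/libssl.so Event Type=LibraryMonitoring"
)
PROCESS_EVENT = (
    "Mar 10 12:35:01 appsrv01 virsec: Process Profile Name=WebTier "
    "Number of Libraries=3 Process Name=httpd Process Profile Id=42 "
    "Parent Process Name=init Process Threat Verification Status =Verified "
    "Process Path=/usr/sbin/httpd Canary No=7 Event Type=ProcessMonitoring"
)
OTHER_EVENT = "Mar 10 12:35:05 appsrv01 virsec: heartbeat ok"

# transforms.conf rules in the order TRANSFORMS-sourcetype names them.
# Splunk runs every transform whose REGEX matches _raw; the last match wins.
ROUTING = [
    (r"(LibraryMonitoring|LibraryInjection|LibraryHijack)", "virsec:library"),
    (r"(ProcessMonitoring|ProcessInjection)", "virsec:process"),
]

# props.conf EXTRACT-* regexes, copied from the post, keyed by the
# sourcetype the event has AFTER the index-time rewrite.
EXTRACTS = {
    "virsec:library": [
        r"Process Path=(?<ProcessPath>.*) Library Checksum",
        r"Parent Process Name=(?<ParentProcessName>.*) Process Threat",
        r"Library Name=(?<LibraryName>.*) Start Time",
        r"\d\sProcess Name=(?<ProcessName>.*) Process Profile Id",
        r"Library Path=(?<LibraryPath>.*) Event Type",
        r"Process Profile Name=(?<ProcessProfileName>.*) Number of Libraries",
        r"Process Threat Verification Status =(?<ProcessThreatVerificationStatus>.*) Process Path",
    ],
    "virsec:process": [
        r"Process Path=(?<ProcessPath>.*) Canary No",
        r"Parent Process Name=(?<ParentProcessName>.*) Process Threat",
        r"\d\sProcess Name=(?<ProcessName>.*) Process Profile Id",
        r"Process Profile Name=(?<ProcessProfileName>.*) Number of Libraries",
        r"Process Threat Verification Status =(?<ProcessThreatVerificationStatus>.*) Process Path",
    ],
}


def pcre_to_python(pattern):
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    The negative lookahead leaves lookbehind assertions (?<= and (?<! alone.
    """
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def route_sourcetype(raw, default="virsec_log"):
    """Model the index-time TRANSFORMS-sourcetype rewrite on one _raw event."""
    sourcetype = default
    for pattern, target in ROUTING:
        if re.search(pattern, raw):
            sourcetype = target  # later matching transforms override earlier ones
    return sourcetype


def extract_fields(raw, sourcetype):
    """Model search-time EXTRACT-* for the stanza matching the final sourcetype.

    Each regex uses a greedy .* closed by a literal label, so it captures up to
    the LAST occurrence of that label in the event; this only yields the right
    value while each closing label appears once per event.
    """
    fields = {}
    for pattern in EXTRACTS.get(sourcetype, []):
        match = re.search(pcre_to_python(pattern), raw)
        if match:
            fields.update(match.groupdict())
    return fields


def process_event(raw):
    """Return (final sourcetype, extracted fields) for one raw event."""
    sourcetype = route_sourcetype(raw)
    return sourcetype, extract_fields(raw, sourcetype)


if __name__ == "__main__":
    for event in (LIBRARY_EVENT, PROCESS_EVENT, OTHER_EVENT):
        sourcetype, fields = process_event(event)
        print(sourcetype, fields)
```

An event that matches neither transform keeps the input's sourcetype (virsec_log), and since no EXTRACT stanza exists for it, no fields come back; that is the case to compare against when a search shows the raw events but none of the expected fields.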