Hello @mbjerkeland_spl,

Indeed, Azure/Microsoft suggests making use of Virtual Network Flow Logs, as the NSG Flow Logs will soon be deprecated. We have trouble extracting fields from the Virtual Network Flow Logs. We tried with props.conf and transforms.conf, but with no chance of getting the fields correctly (for example, only the first source IP is extracted, i.e., src_ip = 50.110.12.0). Is there any way to get the fields correctly?

[mscs:vnet:flow]
LINE_BREAKER = \}([\r\n]s*,[\r\n]s*){
SEDCMD-remove_header = s/\{\s*\"records\"\:s*\[\s*//g
SEDCMD-remove_footer = s/\][\r\n]\s*\}.*//g
SHOULD_LINEMERGE = false
KV_MODE = json
TIME_PREFIX = time\":\"
REPORT-tuples = extract_tuple

[extract_tuple]
FIELDS = time,src_ip,dst_ip,src_port,dst_port,protocol,traffic_flow,traffic_result,traffic_encryption,packets_out,bytes_out,packets_in,bytes_in
MV_ADD = 1
SOURCE_KEY = flowRecords.flows{}.flowGroups{}.flowTuples{}

Example of log:

{"time":"2025-05-28T13:58:52.3816960Z","flowLogGUID":"78er54d6-9e30-493e-84c535-0dae4835a3c3","macAddress":"6044FDGB513","category":"FlowLogFlowEvent","flowLogResourceID":"/SUBSCRIPTIONS/ABC-CDE-EFG-GHI-23XCCX/RESOURCEGROUPS/MYRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_MYREGION/FLOWLOGS/FLOWLOGNAME","targetResourceID":"/subscriptions/fdsfdsf-5534-42449-ddfds33-9718c766ed3f/resourceGroups/rggroup/providers/Microsoft.Network/virtualNetworks/vnet","flowLogVersion":4,"operationName":"FlowLogFlowEvent","flowRecords":{"flows":[{"aclID":"00000000-0000-0000-0000-000000000000","flowGroups":[{"rule":"PlatformRule","flowTuples":["1748440682030,50.110.12.0,10.0.0.1,23456,28701,6,I,B,NX,0,0,0,0"]}]},{"aclID":"fdf34-ff40-4bd1-9803-fdsfd54345","flowGroups":[{"rule":"DefaultRule_AllowInternetOutBound","flowTuples":["1748440669062,10.0.0.1,43.156.12.150,47212,443,6,O,C,NX,15,9521,11,7741","1748440672094,10.0.0.1,43.245.25.152,46512,443,6,O,E,NX,12,2377,10,8287"]}]}]}}
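The tuple layout of the sample event above, flattened in Python as an added example; it is not part of the original post and is not Splunk configuration. It walks flows, flowGroups and flowTuples, splits every tuple into the 13 names from the FIELDS list, and returns one row per tuple, which gives a reference result to compare an extraction against. The function name, the acl_id/rule/parse_error keys and the trimmed sample event are assumptions of this example.

```python
import json

# Field order taken from the FIELDS list in the post's [extract_tuple] stanza.
FIELDS = ["time", "src_ip", "dst_ip", "src_port", "dst_port", "protocol",
          "traffic_flow", "traffic_result", "traffic_encryption",
          "packets_out", "bytes_out", "packets_in", "bytes_in"]
INT_FIELDS = {"time", "src_port", "dst_port", "protocol",
              "packets_out", "bytes_out", "packets_in", "bytes_in"}

# Constructed sample: the post's event, trimmed to the keys this parser reads.
SAMPLE_EVENT = """{"time":"2025-05-28T13:58:52.3816960Z","flowLogVersion":4,
"flowRecords":{"flows":[
 {"aclID":"00000000-0000-0000-0000-000000000000","flowGroups":[{"rule":"PlatformRule",
  "flowTuples":["1748440682030,50.110.12.0,10.0.0.1,23456,28701,6,I,B,NX,0,0,0,0"]}]},
 {"aclID":"fdf34-ff40-4bd1-9803-fdsfd54345","flowGroups":[{"rule":"DefaultRule_AllowInternetOutBound",
  "flowTuples":["1748440669062,10.0.0.1,43.156.12.150,47212,443,6,O,C,NX,15,9521,11,7741",
                "1748440672094,10.0.0.1,43.245.25.152,46512,443,6,O,E,NX,12,2377,10,8287"]}]}]}}"""

def flatten_flow_event(raw):
    """Return one dict per flow tuple, tagged with the enclosing aclID and rule."""
    event = json.loads(raw)
    rows = []
    for flow in event.get("flowRecords", {}).get("flows", []):
        for group in flow.get("flowGroups", []):
            for tup in group.get("flowTuples", []):
                parts = tup.split(",")
                try:
                    if len(parts) != len(FIELDS):
                        raise ValueError("unexpected field count")
                    row = {k: (int(v) if k in INT_FIELDS else v)
                           for k, v in zip(FIELDS, parts)}
                except ValueError:
                    # Keep the raw tuple rather than assign values to the wrong fields.
                    rows.append({"parse_error": tup, "rule": group.get("rule")})
                    continue
                row["acl_id"] = flow.get("aclID")
                row["rule"] = group.get("rule")
                rows.append(row)
    return rows

if __name__ == "__main__":
    for r in flatten_flow_event(SAMPLE_EVENT):
        print(r["src_ip"], "->", r["dst_ip"], r["dst_port"], r["rule"])
```
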