Hi Dan

In props.conf on your heavy forwarder (or indexer) tier do something like this...

[WinEventLog]
SEDCMD-filter-winevent = s:(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*):\2\4:g

As before, by using colon as the sed command separator you do not need to backslash-escape the forward slash delimiters that exist in the event data. This is very important, otherwise the sed syntax will be invalid. Also note, give the SEDCMD a label, which can be whatever you like. Finally, double check the sourcetype of the incoming event, as usually XML events have the XmlWinEventLog sourcetype. You should be able to test the SEDCMD above via Add Data, in case it needs some more tweaking.

Hope that helps
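An added example, not part of the answer above and not Splunk's own parser: it applies the same SEDCMD regex to a constructed single-line XML event with Python's `re`, and shows why the colon delimiter matters by rejecting the same command when `/` is used as the delimiter. The sample event, the `parse_sedcmd`/`apply_sedcmd` helpers and the simplified delimiter parsing are assumptions for offline testing only.

```python
import re

# Constructed sample: one single-line XML Security event (EventID 4688),
# trimmed to the elements this example needs. Not a real captured event.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4688</EventID><Version>2</Version><Computer>host01</Computer></System>"
    "<EventData><Data Name='SubjectUserSid'>S-1-5-18</Data>"
    "<Data Name='NewProcessName'>C:\\Windows\\System32\\cmd.exe</Data>"
    "<Data Name='ParentProcessName'>C:\\Windows\\explorer.exe</Data>"
    "<Data Name='MandatoryLabel'>S-1-16-12288</Data></EventData></Event>"
)

# The SEDCMD value from the answer, verbatim (colon as the delimiter).
SEDCMD = (r"s:(.+)(<EventID>\d+</EventID>)(.*)"
          r"(<Data Name='ParentProcessName'>.+?</Data>)(.*):\2\4:g")


def parse_sedcmd(cmd):
    """Split 's<d>regex<d>replacement<d>flags' on its delimiter <d>.

    Simplified sed-style parsing (assumption; Splunk's own parser is not
    emulated). The delimiter is the character after the leading 's', so a
    '/' inside the regex is only safe when the delimiter is something else.
    """
    if len(cmd) < 2 or cmd[0] != "s":
        raise ValueError("not a substitute command")
    delim = cmd[1]
    parts = cmd[2:].split(delim)
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields split on {delim!r}, got "
                         f"{len(parts)}: unescaped delimiter in the regex?")
    return tuple(parts)  # (regex, replacement, flags)


def sedcmd_is_parseable(cmd):
    """True if the command splits cleanly into regex, replacement, flags."""
    try:
        parse_sedcmd(cmd)
        return True
    except ValueError:
        return False


def apply_sedcmd(cmd, event):
    """Apply the command to one event string (must be a single line)."""
    regex, repl, flags = parse_sedcmd(cmd)
    count = 0 if "g" in flags else 1   # 'g' means replace every match
    # '.' does not cross newlines (same default as PCRE), so a multi-line
    # event would not match at all; XmlWinEventLog events are single-line.
    return re.sub(regex, repl, event, count=count)


if __name__ == "__main__":
    print(apply_sedcmd(SEDCMD, SAMPLE_EVENT))
```

Only the `<EventID>` element and the ParentProcessName `<Data>` element survive; everything else in the event is dropped, which is worth confirming against a real event via Add Data before enabling it.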