All,

I am currently working with Splunk Add-on for Microsoft Office 365. The default regex in transforms.conf for extract_src_user_domain and extract_recipient_domain will only extract the last two parts of an email domain, resulting in domains like bank.co.in returning as co.in.

Current:

[extract_src_user_domain]
SOURCE_KEY = ExchangeMetaData.From
REGEX = (?<SrcUserDomain>[a-zA-Z]*\.[a-zA-Z]*$)

[extract_recipient_domain]
SOURCE_KEY = ExchangeMetaData.To{}
REGEX = (?<RecipientDomain>[a-zA-Z]*\.[a-zA-Z]*$)
MV_ADD = true

Suggest updating it to be in line with the messagetrace rex:

[extract_messagetrace_src_user_domain]
SOURCE_KEY = SenderAddress
REGEX = @(?<src_user_domain>\S*)

[extract_messagetrace_recipient_domain]
SOURCE_KEY = RecipientAddress
REGEX = @(?<recipient_domain>\S*)

Thanks,
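The two patterns from the post, run side by side over sample addresses; this is an added example, not part of the original post and not code from the add-on. The PCRE named groups `(?<name>...)` are written in Python's `(?P<name>...)` form, and every sample value is constructed, including the display-name form, which is a hypothetical input and not a statement about what `ExchangeMetaData.From` contains.

```python
import re

# Patterns from the post; only the named-group syntax is changed for Python.
DEFAULT_RE = re.compile(r"(?P<SrcUserDomain>[a-zA-Z]*\.[a-zA-Z]*$)")
MESSAGETRACE_RE = re.compile(r"@(?P<src_user_domain>\S*)")

# Constructed sample values, not taken from real Office 365 events.
SAMPLES = [
    "alice@example.com",            # two-label domain: both patterns agree
    "bob@bank.co.in",               # the case described in the post
    "carol@mail.corp.example.org",  # subdomains are dropped by the default
    "dave@my-bank24.co.in",         # hyphen and digits in the domain
    "erin@example2.com",            # digit directly before the last dot
    "Frank <frank@bank.co.in>",     # hypothetical display-name form
]


def extract(pattern, value):
    """Return the captured domain from the first match, or None."""
    match = pattern.search(value)
    return match.group(1) if match else None


def compare(values):
    """Return (value, default_result, messagetrace_result) per input."""
    return [
        (v, extract(DEFAULT_RE, v), extract(MESSAGETRACE_RE, v))
        for v in values
    ]


if __name__ == "__main__":
    for value, default, proposed in compare(SAMPLES):
        note = "" if default == proposed else "  <-- differs"
        print(f"{value:30} default={default!s:12} "
              f"messagetrace={proposed}{note}")
```

On the last sample the `@(\S*)` pattern keeps the trailing `>`, so it is worth confirming the field holds bare addresses before relying on the extracted value in lookups or domain allowlists.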