Since I am a run-of-the-mill Ops guy, I saw that and said, "No no no, give me back something I am used to and is more human-readable." So I changed it back without really looking at it. If it does a better job of dealing with field extraction, or at least offers a cleaner way of doing it, I may have to turn it back on and play with what you suggested, if only so I know what it is capable of doing going forward for future situations like this.
In my case, the USB drive was encrypted with BitLocker. I had to remove BitLocker from the drive before it worked. In Windows, just search for BitLocker from the start menu, and see if BitLocker-To-Go is enabled for your drive. Disabling it, then trying Rufus again to write Ubuntu to the drive worked.
In your inputs, where you specify the WinEventLog stanza for your printer logs, if you set renderXML=1 the forwarder will collect these logs as XML. You can then configure XML KV extractions in your props file and it will do all the extractions for you, or you can use spath to extract the fields in your search.
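The two stanzas that answer describes, written out as an added example rather than anything posted in this thread. The channel name is the standard print-service operational log; the index name, and the `XmlWinEventLog:<channel>` sourcetype naming (some Splunk versions put the channel in `source` and use a bare `XmlWinEventLog` sourcetype instead), are assumptions to check against your own deployment.

```ini
# inputs.conf on the universal forwarder.
# renderXml makes the forwarder ship the event as the XML Windows already
# holds, instead of the rendered message text that regex would have to parse.
[WinEventLog://Microsoft-Windows-PrintService/Operational]
disabled = 0
renderXml = true
index = winprint          ; assumed index name

# props.conf on the indexer or search head.
# KV_MODE = xml turns every XML element into a search-time field, e.g.
# Event.System.EventID, Event.System.Computer and the Event.EventData.Data
# values (document name, user, printer), so no custom regex is needed.
# Sourcetype name assumed from Splunk's default XmlWinEventLog naming.
[XmlWinEventLog:Microsoft-Windows-PrintService/Operational]
KV_MODE = xml
```

If you would rather not change props.conf, the same fields come out at search time with `index=winprint sourcetype=XmlWinEventLog* | spath`, which is the spath route the answer mentions.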
Thanks, I agree, that was going to be my backup plan if I could not get Splunk to pull it out through its regex wizard. Just wanted to avoid having to relearn it and then forget it again five minutes later, at all costs. It usually takes me about an hour and a few dents in my desk and head to wrap my head around it again, then once the task is complete, poof, it's gone again haha.