Below is a two-line example of the data being indexed.
2020-01-17 15:40:53; 192.168.0.69; 192.168.0.69; Trap Service; abcde;
MessageType:= SNMPv2-MIB:authenticationFailure;
Message:= SNMP Trap
Received Time:1/17/2020 3:40:53 PM
Source:192.168.0.69(192.168.0.69)
Community:abcde
Variable Bindings
sysUpTime:= 30 days 3 hours 56 minutes 30.81 seconds (260619081)
snmpTrapOID:= SNMPv2-MIB:authenticationFailure (1.3.6.1.6.3.1.1.5.5)
snmpTrapEnterprise:= LIEBERT-GP-REGISTRATION-MIB:liebertGlobalProducts (1.3.6.1.4.1.476.1.42);
--ENDOFTRAP--
2020-01-17 15:40:52; 192.168.1.6; 192.168.1.6; Trap Service; abcde;
MessageType:= LIEBERT-GP-AGENT-MIB:lgpAgentHeartbeat;
Message:= SNMP Trap
Received Time:1/17/2020 3:40:52 PM
Source:192.168.1.6(192.168.1.6)
Community:abcde
Variable Bindings
sysUpTime:= 41 days 23 hours 8 minutes 4.90 seconds (362568490)
lgpConditionsPresent:= 0
lgpAgentConnectedDeviceCount:= 1
snmpTrapOID:= LIEBERT-GP-AGENT-MIB:lgpAgentHeartbeat (1.3.6.1.4.1.476.1.42.2.3.0.7)
sysUpTime:= 41 days 23 hours 8 minutes 4.90 seconds (362568490)
experimental.1057.1.0:= 192.168.1.6
snmpTrapEnterprise:= LIEBERT-GP-REGISTRATION-MIB:lgpAgentNotifications (1.3.6.1.4.1.476.1.42.2.3);
--ENDOFTRAP--
I would like to have all the strings in bold above (before ":=") automatically discovered as fields, and all strings after ":=" to become their field's values.
I did the below in transforms and props, but it is still not working. Any help is appreciated.
transforms.conf:
[trap_plaintransform]
REGEX=\[(?!(?:headerName|headerValue))([^\s\=]+)\:\=([^\]]+)\]
FORMAT=$1::$2
[trap_transform]
REGEX= \[headerName\=(\w+)\],\s\[headerValue=([^\]]+)\]
FORMAT= $1::$2
props.conf:
[s_trap]
DATETIME_CONFIG =
MAX_TIMESTAMP_LOOKAHEAD = 32
MUST_BREAK_AFTER = \-\-ENDOFTRAP\-\-
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S
category = Miscellaneous
disabled = false
pulldown_type = true
SHOULD_LINEMERGE = true
TRANSFORMS-sw_trap_host = sw_trap_host
BREAK_ONLY_BEFORE =
KV_MODE = none
REPORT-a= trap_transform, trap_plaintransform
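As an added example (not part of the question or of Splunk), here is the "name:= value" extraction the post asks for, run in Python over a constructed copy of the two traps above. The regex is PCRE-style and is assumed to carry over to a transforms.conf REGEX with FORMAT=$1::$2; the helper also flags authenticationFailure traps, which in this feed mean a bad community string was presented to the device.

```python
import re

# Constructed sample: the two traps quoted in the question, embedded so this runs offline.
SAMPLE = """\
2020-01-17 15:40:53; 192.168.0.69; 192.168.0.69; Trap Service; abcde;
MessageType:= SNMPv2-MIB:authenticationFailure;
Message:= SNMP Trap
Received Time:1/17/2020 3:40:53 PM
Source:192.168.0.69(192.168.0.69)
Community:abcde
Variable Bindings
sysUpTime:= 30 days 3 hours 56 minutes 30.81 seconds (260619081)
snmpTrapOID:= SNMPv2-MIB:authenticationFailure (1.3.6.1.6.3.1.1.5.5)
snmpTrapEnterprise:= LIEBERT-GP-REGISTRATION-MIB:liebertGlobalProducts (1.3.6.1.4.1.476.1.42);
--ENDOFTRAP--
2020-01-17 15:40:52; 192.168.1.6; 192.168.1.6; Trap Service; abcde;
MessageType:= LIEBERT-GP-AGENT-MIB:lgpAgentHeartbeat;
sysUpTime:= 41 days 23 hours 8 minutes 4.90 seconds (362568490)
lgpConditionsPresent:= 0
snmpTrapOID:= LIEBERT-GP-AGENT-MIB:lgpAgentHeartbeat (1.3.6.1.4.1.476.1.42.2.3.0.7)
sysUpTime:= 41 days 23 hours 8 minutes 4.90 seconds (362568490)
experimental.1057.1.0:= 192.168.1.6
--ENDOFTRAP--
"""

# One "name:= value" pair per line: the name is everything before ":=" (no whitespace),
# the value runs to end of line with an optional trailing ";" dropped. Header lines with
# a single ":" (Source:, Community:) are deliberately not matched, as the question asks.
KV_RE = re.compile(r"^([^\s:=]+):=\s*(.*?);?\s*$", re.MULTILINE)

def split_traps(text):
    """Split the feed into individual traps on the --ENDOFTRAP-- delimiter."""
    return [t.strip() for t in text.split("--ENDOFTRAP--") if t.strip()]

def extract_fields(trap):
    """Return {name: [values]}; a list keeps repeated bindings such as sysUpTime."""
    fields = {}
    for name, value in KV_RE.findall(trap):
        fields.setdefault(name, []).append(value)
    return fields

def is_auth_failure(fields):
    """True for SNMPv2-MIB authenticationFailure traps (wrong community string presented)."""
    return any("authenticationFailure" in v for v in fields.get("snmpTrapOID", []))

def parse_feed(text):
    """Parse every trap in the feed into its field dictionary."""
    return [extract_fields(t) for t in split_traps(text)]
```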