Here's the problem guys:
Here is the cisco_asa section for transforms.conf in version 2.0 of the app (located in the "default" directory):
[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
#REGEX = %ASA-\d+-\d+
REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa
Notice the commented out REGEX string. Yeah -- that's what makes it work. No clue why they did this. The two dashes after the ASA in the uncommented REGEX do NOT match. To fix, do NOT edit transforms.conf as it may be overwritten in future updates. Instead, create a file called transforms.conf in the local directory, then paste the corrected stanza above and bounce Splunk. Fixed my issue immediately.
Richard
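To see why the default stanza never fires and why a local override fixes it, here is an added example (not Richard's code and not the app's own) that parses both stanzas, models Splunk's local-over-default key precedence, and runs the resulting REGEX against a constructed ASA syslog line; the merge and matching logic is a simplified simulation, not Splunk's parser.

```python
import configparser
import re

# Constructed copy of the shipped default/transforms.conf stanza with the broken REGEX.
DEFAULT_CONF = r"""
[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
#REGEX = %ASA-\d+-\d+
REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa
"""

# Constructed local/transforms.conf: only the key being corrected needs to be present,
# because Splunk merges local over default stanza by stanza.
LOCAL_CONF = r"""
[force_sourcetype_for_cisco_asa]
REGEX = %ASA-\d+-\d+
"""

STANZA = "force_sourcetype_for_cisco_asa"

# Constructed syslog line in the standard %ASA-<severity>-<message id> format.
SAMPLE_EVENT = "Jan 1 00:00:00 fw01 %ASA-6-302013: Built inbound TCP connection (sample)"


def load_stanza(text, name):
    """Parse one stanza; interpolation is off so the '%' in REGEX is kept literally."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive (DEST_KEY, REGEX, FORMAT)
    cp.read_string(text)
    return dict(cp[name])


def merge_layers(default_text, local_text, name):
    """Model Splunk precedence: keys in local override the same keys in default."""
    merged = load_stanza(default_text, name)
    merged.update(load_stanza(local_text, name))
    return merged


def apply_sourcetype_transform(stanza, event, current_sourcetype="syslog"):
    """Return the sourcetype the event would carry after this transform runs."""
    if stanza.get("DEST_KEY") != "MetaData:Sourcetype":
        return current_sourcetype
    if re.search(stanza["REGEX"], event) is None:
        return current_sourcetype  # no match: event keeps its original sourcetype
    return stanza["FORMAT"].split("::", 1)[1]


if __name__ == "__main__":
    print("default only:", apply_sourcetype_transform(load_stanza(DEFAULT_CONF, STANZA), SAMPLE_EVENT))
    print("default+local:", apply_sourcetype_transform(merge_layers(DEFAULT_CONF, LOCAL_CONF, STANZA), SAMPLE_EVENT))
```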