I am struggling with a configuration to rewrite specific sections of a Windows Event log message and then send them along to Splunk (I think JSON is probably the easiest for Splunk to ingest). Many Windows events contain extraneous text (e.g. "This event.....") that I would like to remove.

I have been able to rewrite it using a regex "This event.*</Message>" and replacing that with "DEADBEEF</Message>". The problem is that I can only see this in a test file destination and not in one that uses format-json (I set this up from the syslog-ng WEF configuration guide).

Has anyone done anything like this? I think my problem is that I don't understand how the message is changed from its arrival through processing. My test can rewrite it within MSG or MESSAGE, but when I try to use the rewrite() in the log statement using the format-json destination, nothing seems to be changed.

Tips? Thanks!

Jim
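An added example of the pipeline described above, written as a syslog-ng configuration; it is not from the original post or from the syslog-ng WEF guide. The source name s_wef, the file paths, and the boilerplate pattern are assumptions: the source block is a placeholder standing in for whatever source the guide defines. The point it demonstrates is that a rewrite() only affects a destination when it appears in the same log path, before that destination, and that format-json serializes whatever the MESSAGE macro holds at that moment.

```conf
# Added example, not the original poster's config or the WEF guide's.
# Assumptions: source s_wef delivers the raw event body in ${MESSAGE};
# paths and the "This event" pattern are placeholders.

source s_wef {
    # Placeholder: replace with the source from the WEF guide.
    network(transport("tcp") port(5140) flags(no-parse));
};

# Strip the trailing boilerplate sentence from the event body.
# subst() operates on the named value; MSG and MESSAGE are the same field.
# Note: in PCRE "." does not match a newline by default, so a Message
# that spans lines will not be matched by this pattern as written.
rewrite r_strip_boilerplate {
    subst("This event.*</Message>", "DEADBEEF</Message>",
          value("MESSAGE"), flags(global));
};

# Plain-text destination, useful for confirming the rewrite took effect.
destination d_test_raw {
    file("/var/log/wef_events_raw.log" template("${MESSAGE}\n"));
};

# JSON destination for Splunk. --scope rfc5424 includes MESSAGE, so the
# rewritten body is what ends up in the "MESSAGE" key.
destination d_splunk_json {
    file("/var/log/wef_events.json"
         template("$(format-json --scope rfc5424)\n"));
};

# Order matters: the rewrite must come before every destination that
# should see the modified body. A rewrite listed after a destination,
# or in a different log path, leaves that destination's output untouched.
log {
    source(s_wef);
    rewrite(r_strip_boilerplate);
    destination(d_test_raw);
    destination(d_splunk_json);
};
```

Two things to check if the JSON output still shows the original text. First, compare the two files after a reload: if the raw file shows DEADBEEF and the JSON file does not, the JSON destination is not downstream of the rewrite in its log path. Second, if the guide's configuration parses the event into name-value pairs (for example with an XML parser) and format-json emits those pairs rather than MESSAGE, the subst() has to target the same name-value pair the JSON template reads, not MESSAGE. From a detection standpoint, verify on a sample of events that the regex removes only the boilerplate sentence and never part of the event data Splunk searches will depend on, since a greedy ".*" removes everything from the first match up to the last </Message>.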