Hopefully one of you can help me figure this out.

All of my UDP traffic is coming in through one source (network driver). Some of it is firewall data, but I have to filter it out based on where it is coming from and other fields in the log data. I want to use the csv_parser here since it would make it easier for me to get the data I need from the firewall data.

Does this require splitting my one source into two sources, since I would need to use flags('no-parse') on a firewall data source? I also think this means that I can't use a single log path to process both sources? Also, how do I prevent potential duplication, since the non-firewall source will still receive the firewall traffic and try to process it with syslog-parser?

I think the flow is something like this:

            firewall source -> custom parser -> filters -> rewrites
          /                                                         \
all_data ->                                                          \ -> destination
          \                                                          /
            all udp source -> filters -> rewrites                   /

I understand this is a bit complex to answer simply. I'm mostly looking for answers to the above questions as well as high-level guidance for how to proceed.

Thanks,
-Mark
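
The flow sketched in the post, written as a syslog-ng configuration fragment with one no-parse source and a junction. This is an added example, not part of the original message; the address, port, column names, object names and file path are assumptions chosen for illustration.

```conf
# Added example: fragment to merge into an existing syslog-ng.conf.
# Address, port, column names, object names and path are hypothetical.

# One UDP source. no-parse leaves the whole datagram in ${MESSAGE},
# so each branch below decides how to parse it.
source s_udp {
    network(transport("udp") port(514) flags(no-parse));
};

# Sender-address match; needs no parsing, so it works on raw input.
filter f_from_firewall { netmask("192.0.2.10/32"); };

# Field-level filter, usable only after the csv-parser has run.
filter f_fw_action { "${fw.action}" eq "deny"; };

parser p_firewall_csv {
    csv-parser(
        columns("fw.time", "fw.action", "fw.src", "fw.dst", "fw.dport")
        delimiters(",")
        flags(strip-whitespace)
    );
};

rewrite r_firewall { set("firewall", value("PROGRAM")); };

destination d_all_data { file("/var/log/all_data.log"); };

log {
    source(s_udp);
    junction {
        # Firewall branch: CSV parsing, then field filter and rewrite.
        channel {
            filter(f_from_firewall);
            parser(p_firewall_csv);
            filter(f_fw_action);
            rewrite(r_firewall);
        };
        # Everything else: explicit negation keeps firewall traffic out,
        # so no message is handled by both branches.
        channel {
            filter { not filter(f_from_firewall); };
            parser { syslog-parser(); };
        };
    };
    destination(d_all_data);
};
```

Because the second channel excludes the firewall sender explicitly, a firewall message that fails the field filter is dropped rather than falling through to syslog-parser.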