
Showing posts from May, 2019

How to parse Vertical/Multiple line logs using SPLUNK for investigations

Problem statement: find the user who deleted mails from a shared mailbox such as info@example.com that is used by a team of people. We have Windows mailbox audit logs to investigate.

From the above image you can notice that each event starts with the field "RunspaceId". You need to tell Splunk where an event starts, where it ends, and where the timestamp is.

Regex for identifying the timestamp field: LastAccessed\s+\D\s

Pattern identifying the start of an event: Runspace

Once the data is ingested we need to parse the interesting fields:

^FolderPathName\s+\D\s+(?P<path>.*?)$

Here *? is the non-greedy quantifier. If you use +? instead of *? the results will be inconsistent: when the field is empty it will pick up the next field's value. I am using +? for the other fields because those fields can't be empty. Similarly you can parse the other fields:

^Operation\s+\D\s+(?P<Action>.+?)$

^FolderPa...
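The whole procedure above as an added example (not code from the post), written with Python's re module because its (?P<name>...) group syntax matches the patterns shown: break the export into events before each RunspaceId line, pull the timestamp with the LastAccessed prefix, extract the fields, and show what a +? pattern captures when FolderPathName is empty. The sample log, the Operation values and the LogonUserDisplayName field are constructed assumptions, and Splunk runs PCRE rather than Python's engine, so confirm the whitespace behaviour there.

```python
import re
# Constructed sample shaped like the mailbox-audit output the post describes:
# one "Name : Value" line per field, blank line between events, every event
# starting with RunspaceId. Event 2 has an empty FolderPathName.
SAMPLE_LOG = (
    "RunspaceId        : 0000aaaa-0000-0000-0000-000000000001\n"
    "Operation         : HardDelete\n"
    "LastAccessed      : 5/20/2019 9:41:22 AM\n"
    "FolderPathName    : \\Inbox\n"
    "LogonUserDisplayName : alice\n"
    "\n"
    "RunspaceId        : 0000aaaa-0000-0000-0000-000000000002\n"
    "Operation         : SoftDelete\n"
    "LastAccessed      : 5/20/2019 9:42:05 AM\n"
    "FolderPathName    : \n"
    "LogonUserDisplayName : bob\n"
)
EVENT_START = re.compile(r"^(?=RunspaceId)", re.M)  # break only before RunspaceId
TIMESTAMP = re.compile(r"LastAccessed\s+\D\s+(?P<ts>.+?)$", re.M)  # post's prefix
# Mandatory fields use the lazy +? as in the post. FolderPathName may be empty, so it
# uses *? and limits the whitespace after the separator to spaces/tabs: a bare \s+
# also matches the line break and lets the group run into the next field's line.
FIELDS = {
    "Action": re.compile(r"^Operation\s+\D\s+(?P<v>.+?)$", re.M),
    "user": re.compile(r"^LogonUserDisplayName\s+\D\s+(?P<v>.+?)$", re.M),
    "path": re.compile(r"^FolderPathName\s+\D[ \t]*(?P<v>.*?)$", re.M),
}
# The inconsistency the post warns about: +? on a field that can be empty.
LOOSE_PATH = re.compile(r"^FolderPathName\s+\D\s+(?P<v>.+?)$", re.M)

def split_events(raw):
    return [e.strip() for e in EVENT_START.split(raw) if e.strip()]

def parse_event(event):
    """Timestamp plus the named fields of one event; None when absent."""
    m = TIMESTAMP.search(event)
    parsed = {"_time": m.group("ts") if m else None}
    for name, rx in FIELDS.items():
        m = rx.search(event)
        parsed[name] = m.group("v") if m else None
    return parsed

def loose_path(event):
    m = LOOSE_PATH.search(event)
    return m.group("v") if m else None

def find_deleters(raw, actions=("HardDelete", "SoftDelete")):
    """(time, user, folder) for every delete operation in the export."""
    return [(e["_time"], e["user"], e["path"])
            for e in map(parse_event, split_events(raw)) if e["Action"] in actions]
```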