ThreatHunting
Event 11 Looking for OriginalFileName
It looks like the props.conf is trying to transform OriginalFileName into file_name for all events. The issue I am seeing is with File Create events (event 11). Those events don't have an "OriginalFileName" field. They only have a "TargetFileName" field. So in the search looking for new file creates, the query uses "file_name", which is not found in event id 11. If I am not understanding this correctly, let me know. Just now starting to get familiar with the app. Thank you.
FYI, this seems to have fixed the issue for me. Not sure if this is the best solution.

Replacing:

EVAL-file_name = coalesce(file_name,OriginalFileName)

With:

EVAL-file_name = case(EventCode=="11",TargetFilename,EventCode!="11",coalesce(file_name,OriginalFileName))
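To make the effect of the two EVAL-file_name expressions concrete, here is an added example (not code from the issue author or from the ThreatHunting app) that simulates Splunk's coalesce() and case() semantics in Python over a few constructed Sysmon-style events. The sample records, paths and the file_create_hits() helper are assumptions made for the demonstration; they mimic a search that filters file-create events on file_name.

```python
"""Simulate the original and patched EVAL-file_name mappings over
constructed Sysmon-like events (Event 1 = Process Create, Event 7 =
Image Load, Event 11 = File Create). Sample data is made up for this
example; it is not real telemetry."""

from typing import Any, Callable, Dict, List, Optional

Event = Dict[str, Any]

# Constructed sample events. Only Event 11 lacks OriginalFileName and
# carries TargetFilename instead, which is the situation the issue describes.
SAMPLE_EVENTS: List[Event] = [
    {"EventCode": "1", "Image": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "Cmd.Exe"},
    {"EventCode": "11", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.docm"},
    {"EventCode": "7", "Image": "C:\\Windows\\System32\\svchost.exe",
     "OriginalFileName": "kernel32.dll"},
]


def coalesce(*values: Optional[str]) -> Optional[str]:
    """Splunk eval coalesce(): the first argument that is not null."""
    for value in values:
        if value is not None:
            return value
    return None


def original_eval(event: Event) -> Optional[str]:
    """EVAL-file_name = coalesce(file_name, OriginalFileName)"""
    return coalesce(event.get("file_name"), event.get("OriginalFileName"))


def patched_eval(event: Event) -> Optional[str]:
    """EVAL-file_name = case(EventCode=="11", TargetFilename,
                             EventCode!="11", coalesce(file_name, OriginalFileName))
    case() returns the value paired with the first true condition; here the
    two conditions are exhaustive, so it never falls through to null."""
    if event.get("EventCode") == "11":
        return event.get("TargetFilename")
    return coalesce(event.get("file_name"), event.get("OriginalFileName"))


def apply_mapping(events: List[Event], eval_fn: Callable[[Event], Optional[str]]) -> Dict[str, Optional[str]]:
    """Return {EventCode: file_name} as each mapping would calculate it."""
    return {event["EventCode"]: eval_fn(event) for event in events}


def file_create_hits(events: List[Event], eval_fn: Callable[[Event], Optional[str]]) -> List[str]:
    """Mimic a detection search such as `EventCode=11 file_name=*`:
    a row whose calculated file_name is null does not match, so the
    file create is silently dropped from the results."""
    hits = []
    for event in events:
        if event.get("EventCode") != "11":
            continue
        name = eval_fn(event)
        if name is not None:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, fn in (("original", original_eval), ("patched", patched_eval)):
        print(f"{label:8s} mapping : {apply_mapping(SAMPLE_EVENTS, fn)}")
        print(f"{label:8s} hits    : {file_create_hits(SAMPLE_EVENTS, fn)}")
```

With the original expression the Event 11 row calculates file_name as null and the file-create search returns nothing; with the patched expression it returns the TargetFilename path. One thing to keep in mind when searching on the merged field: for Event 11 the value is a full path (Sysmon's TargetFilename), whereas for the other events it is the PE header's OriginalFileName, so a search on file_name=* works for both but an exact match such as file_name="cmd.exe" will only match the non-11 events.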