diff --git a/config/processors/db_audit_citrix.admin.conf b/config/processors/db_audit_citrix.admin.conf
index 4c5a8d69..63d9d5ce 100644
--- a/config/processors/db_audit_citrix.admin.conf
+++ b/config/processors/db_audit_citrix.admin.conf
@@ -9,34 +9,33 @@ filter {
 mutate {
 remove_field => ["host"]
 }
- # "[message][id]
- # "[message][highleveloperationuid]"
- # "[message][adminsid]
- # "[message][adminaccountname]"
-
+ json{
+ source=>"message"
+ target=>"tmp"
+ }
 mutate {
 add_field => {
 "[event][module]" => "citrix"
 "[event][dataset]" => "citrix.admin"
 }
 copy => {
- "[message][uid]" => "[event][id]"
- "[message][text]" => "[error][message]"
- "[message][adminmachineip]" => "[source][ip]"
- "[message][adminid]" => "[user][id]"
- "[message][source]" => "[event][kind]"
- "[message][sourcesdk]" => "[user_agent][name]"
- "[message][adminupn]" => "[user][email]"
+ "[tmp][uid]" => "[event][id]"
+ "[tmp][text]" => "[error][message]"
+ "[tmp][adminmachineip]" => "[source][ip]"
+ "[tmp][adminid]" => "[user][id]"
+ "[tmp][source]" => "[event][kind]"
+ "[tmp][sourcesdk]" => "[user_agent][name]"
+ "[tmp][adminupn]" => "[user][email]"
 }
 }
- if [message][adminaccountname] =~ "^\w+\\.*?$" {
+ if [tmp][adminaccountname] =~ "^\w+\\.*?$" {
 grok {
 tag_on_failure => "_parsefailure_user_domain"
- match => { "[message][adminaccountname]" => "^(?<[user][domain]>\w+)\\(?<[user][name]>.*?)$" }
+ match => { "[tmp][adminaccountname]" => "^(?<[user][domain]>\w+)\\(?<[user][name]>.*?)$" }
 timeout_millis => 500
 }
 }
- if [message][IsSuccessful] {
+ if [tmp][IsSuccessful] {
 mutate {
 add_field => {
 "[event][action]" => "success"
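Review bot: The new `json` block parses `message` into `tmp`, but nothing after it checks whether that parse succeeded, so an event whose `message` is not valid JSON (or is JSON without these keys) passes through every `copy`, `grok` and `if [tmp]...` step as a silent no-op and is emitted with `event.module`/`event.dataset` set but no `event.id`, `user` or `source` fields. The filter tags such events with `_jsonparsefailure` by default, so a guard right after it — `if "_jsonparsefailure" in [tags] { ... }` routing those events to a quarantine output or at least skipping the ECS enrichment — would keep unparsed admin-audit records from being indistinguishable from parsed ones, which matters for any detection that keys on `user.name` or `source.ip`. Style: `json{`, `source=>"message"` and `target=>"tmp"` omit the spaces the rest of the file uses (`mutate {`, `remove_field => [...]`); `mutate{`/`remove_field=>["tmp"]` in the second hunk have the same inconsistency.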
@@ -53,27 +52,27 @@ filter {
 # Converting date strings to date
 # "nameupdateduetime": "2023-12-01t19:00:40.327z"
 date {
- match => ["[message][nameupdateduetime]", "yyyy-MM-dd'T'HH:mm:sss'Z'","yyyy-MM-dd't'HH:mm:sss'z'", "ISO8601" ]
+ match => ["[tmp][nameupdateduetime]", "yyyy-MM-dd'T'HH:mm:sss'Z'","yyyy-MM-dd't'HH:mm:sss'z'", "ISO8601" ]
 timezone => "GMT"
 locale => "en"
 target => "[event][created]"
 }
 # "starttime": "2023-11-06t13:09:04.270z",
 date {
- match => ["[message][starttime]", "yyyy-MM-dd'T'HH:mm:sss'Z'","yyyy-MM-dd't'HH:mm:sss'z'", "ISO8601" ]
+ match => ["[tmp][starttime]", "yyyy-MM-dd'T'HH:mm:sss'Z'","yyyy-MM-dd't'HH:mm:sss'z'", "ISO8601" ]
 timezone => "GMT"
 locale => "en"
 target => "[event][start]"
 }
 # "endtime": "2023-11-06t13:09:04.363z",
 date {
- match => ["[message][endtime]", "yyyy-MM-dd'T'HH:mm:sss'Z'","yyyy-MM-dd't'HH:mm:sss'z'", "ISO8601" ]
+ match => ["[tmp][endtime]", "yyyy-MM-dd'T'HH:mm:sss'Z'","yyyy-MM-dd't'HH:mm:sss'z'", "ISO8601" ]
 timezone => "GMT"
 locale => "en"
 target => "[event][end]"
 }
- ruby {
- code => 'event.set("message", event.get("message").to_s)'
+ mutate{
+ remove_field=>["tmp"]
 }
 }
 output {
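Review bot: `remove_field=>["tmp"]` discards the parsed copy but leaves the source `message` string in place, so the raw Citrix record — including `adminaccountname`, `adminmachineip` and `adminupn` — appears to be shipped in full next to the ECS fields copied from it earlier in the file. If carrying that identity data twice is not intended for this dataset, drop the source here as well once the `copy` and `date` steps have consumed it, `remove_field => ["tmp", "message"]`. This assumes the `json` filter leaves its source field untouched, which is its behaviour unless configured otherwise; confirm against the Logstash version in use before removing `message`, since any downstream consumer of the raw record would lose it.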