@teddg Yeah, the Splunk admins set that up. I gave them a sample audit log XML file and asked them to help parse all of the fields. I don't have their Splunk props file, so I'm not sure exactly what they did. I do remember we had issues when tailing the live audit file, so we ended up blacklisting the audit file that is currently being written and waiting until the log file is rotated to ingest it.
This is the inputs.conf file we use on the AV server if that helps:
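The poster's inputs.conf is not reproduced on this page. As an added illustration of the approach described above (skip the audit file that is still being written and only ingest rotated copies), here is a hypothetical Splunk monitor stanza. It is not the poster's file and not from any AV vendor; the log directory, the `audit.xml` / `audit.<date>.xml` naming pattern, and the sourcetype and index names are all assumptions.

```ini
# Added illustrative example, not the poster's inputs.conf.
# Assumptions: audit logs live under C:\AVServer\Audit\, the file currently
# being written is always named audit.xml, and rotated copies get a suffix
# such as audit.2024-05-01.xml. The sourcetype and index names are placeholders.
[monitor://C:\AVServer\Audit]
disabled = 0
# Only pick up rotated files. Splunk matches whitelist/blacklist regexes
# against the full path, so the leading backslash is escaped.
whitelist = \\audit\.[^\\]+\.xml$
# Skip the live file so the forwarder never tails a partially written XML
# document. When both are set, blacklist takes precedence over whitelist.
blacklist = \\audit\.xml$
sourcetype = av:audit:xml
index = av
# Rotated files start with the same XML header, so salt the CRC with the
# source path; otherwise Splunk can treat a fresh rotated file as one it
# has already indexed and skip it.
crcSalt = <SOURCE>
```

The blacklist line alone would already exclude `audit.xml`; the whitelist is there so that unrelated files dropped into the directory are not ingested either. After restarting the forwarder, `splunk list monitor` (or the `_internal` index, component `TailingProcessor`) shows which files matched.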