diff --git a/salt/logstash/files/custom/parsers/7100_osquery_wel.conf b/salt/logstash/files/custom/parsers/7100_osquery_wel.conf
new file mode 100644
index 000000000..3dea60269
--- /dev/null
+++ b/salt/logstash/files/custom/parsers/7100_osquery_wel.conf
@@ -0,0 +1,23 @@
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# If log is tagged osquery and there is an eventid column, then cleanup and parse out the EventData column
+
+filter {
+  if "osquery" in [tags] and [osquery][columns][eventid] {
+
+	mutate {
+     gsub => ["[osquery][columns][data]", "\\x0A", ""]
+    }
+
+	json {
+      source => "[osquery][columns][data]"
+      target => "[osquery][columns][data]"
+     }
+
+ 	mutate {
+     merge => { "[osquery][columns]" => "[osquery][columns][data]" }
+     remove_field => ["[osquery][columns][data]"]
+  	}
+
+  }
+}