This is EXACTLY what I'm looking for! Splunk community to the rescue. Thanks Lowell!

I'd post them, but I would have to pull them from a lab environment - which I don't always have access to.

They are also to numerous and unique to give you guys anything meaningful by posting them.

I noticed that since the events are coming in CEF, all the field values that are pipe | delimited are extracted just fine, even if there is a space (such as |Delete Attibute| or |Microsoft Windows|).

Once the pipe delimitation ends, it seems to perform 'space delimitation' on the rest of the message - fields such as cs1, cs2,cs3, cs1label, msg, etc.

Yeah, post a sample. Depending on what comes after each field, there may be other field extraction options. Just click Edit under your question to post additional content.

Hey folks, thanks for the help so far.

On further inspection of the events, it appears that all fields in all events (ones I have coming in CEF format from a remote ArcSight connector, and being placed in a file via syslog on the splunk box) suffer from the same symptom.

Regardless of the log source or key field, if the variable has a space then the next words are ignored. Only the first word gets extracted.

I'm hoping there is a higher level than building regexes to process this, as that wouldn't be very scalable and it would be incredibly time consuming.

Also, if you have control over the log file format, you may want to enclose string fields with multiple words within double quotes.

It looks like you'll be forced to create a field extraction by yourself. This will likely require some regex skills. You should post some sample events so that others can help you.