I have a custom log format that is Apache's access_combined format with a custom field representing an app's version number at the end. The fields are space separated. How can I configure Splunk to do automatic search-time field extraction of the standard access_combined set of fields and this extra field?
Assign the source type of access_combined and in props.conf, add a field for the version number. (An example of the field extraction is below.) This should work even if you have other logs that are the "standard" access_combined format, since the field won't be extracted where it doesn't exist.
Find the definition of access_combined in the default props.conf and copy it to your own props.conf, giving the stanza a different name. Then add the app version field.
Here is the field extraction for the new field, which I call app_version (because the Apache logs already have a field named version which is the Apache version).
EXTRACT-e1 = \s(?<app_version>\S+)\s*$
This field will contain the last non-blank character string on the line.