Well hard to give you specific instructions - like I said to me it seems you haven't grasped the basic concepts yet. Splunk extracts fields mainly at search-time. This can be done in all kinds of ways more or less regardless of how the input data is formatted. You don't need to put your data in any special format, as long as it's possible to formulate rules on how Splunk should make sense of it.

dear ayn
this is for the first time , m using splunk.. and try to understand this. and facing some problem what is written in the tutorials when m implementing it.. thatswhy m asking for help..
:)
thanks

What MHibbin and kristian.kolb said - you should probably start with the Splunk tutorial so you understand the basics of how Splunk works. After you've understood that, you can continue on to solving your problem.

1 » 6/22/13
9:33:49.000 AM

2013 Jun 22 09:33:49 tracker1 httpproxy_access[41545]: 172.18.11.208 514 TCP_MISS/200 721POSThttp://www.facebook.com/ajax/like/tooltip.php? - DIRECT/31.13.72.17 application/x-javascript [acl=8] [cat=-] [err=-]host=Monotosh-PC Options| sourcetype=firsttime Options| source=firsttime.log Option

and the question is how many different user to access facebook? and who has access most?

You should start with the documentation, very useful...

http://docs.splunk.com/Documentation/Splunk

Specifically, look at field extractions...

http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsatsearchtime

You can format your results in a table from there if you feel it will make the results easier to understand, or you can leave them raw and use your field extractions for searching/filtering. It's really up to you and your business (assuming that's the driver) requirements.

You'll need to extract the text in the log file into fields.
This can be done in several ways, sometimes automatically. If you post a few sample events from your log, you will get better help here. Also please describe the kind of output you want.

And don't forget to read the documentation.

http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunkTutorial

Nope, you can search using where clause and then make a table for a better view of result.

You can also place your keyword in while mentioning the search , which will give you the result where the words are found in the result.

e.g.
index= N sourcetype=S "Keyword"|Table Fields..

OR

index= N sourcetype=S | where field like "%%Keyword%%"|Table Fields..

hi ayn
i am asking that for searching, is it necessary to make a table format of the log file? as the attributes like (ip, url...) are required for searching.

abhi

I think you need to state your question more clearly. What do you want to do, what problems are you currently running into?