Please find 2 example records below from the search function with sourcetype = "bcoat_proxysg" in CSV format (3 lines only). The first line is the header field names. "url" is a custom field created from learning. The "_raw" contains everything in one field.
raw,_time,app,date_hour,date_mday,date_minute,date_month,date_second,date_wday,date_year,date_ymd,date_zone,eventtype,host,index,linecount,product,punct,source,sourcetype,splunk_server,timeendpos,timestartpos,url,username,vendor
"2014-10-03 09:18:21 639 10.19.49.51 404 TCP_NC_MISS 2850 1069 GET http answers.splunk.com 80 /browserconfig.xml - kkyeung GOVTLAB\Proxy1%20Users DEFAULT_PARENT proxy1.scig.gov.hk text/html;charset=UTF-8 - ""Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko"" OBSERVED ""Technology/Internet"" - 10.19.242.8",2014-10-03T09:18:21.000+0800,,9,3,18,october,21,friday,2014,3/10/2014,local,bcoat_proxysg,bc02.govtlab.hksarg,main,1,,"--::...____../.-\%.../;=--""/.(.",tcp:34002,bcoat_proxysg,LOGSRV,19,0,answers.splunk.com,kkyeung,
"2014-10-03 09:02:15 114425 10.19.49.51 200 TCP_TUNNELED 4255 2020 CONNECT tcp www.google.com 443 / - kkyeung GOVTLAB\Proxy1%20Users DEFAULT_PARENT proxy1.scig.gov.hk - - ""Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"" OBSERVED ""Search Engines/Portals"" - 10.19.242.8",2014-10-03T09:02:15.000+0800,,9,3,2,october,15,friday,2014,3/10/2014,local,bcoat_proxysg,bc02.govtlab.hksarg,main,1,,"--_::...______../-\%...--""/.(_.;;_",tcp:34002,bcoat_proxysg,LOGSRV,19,0,www.google.com,kkyeung,
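As an added example (not part of the post), the Python below reads this CSV export, splits each _raw value into named ProxySG access-log fields, and checks the learned "url" field against the cs-host token in _raw. The field names are an assumption: the post gives no header for _raw, so the default ProxySG "main" log order is used, which the 25 tokens in each sample line fit position for position.

```python
import csv
import io

# Assumption: the post gives no field list for _raw, so the names below are the
# default ProxySG "main" access-log order; each sample line has exactly 25 tokens.
PROXYSG_FIELDS = [
    "date", "time", "time-taken", "c-ip", "sc-status", "s-action", "sc-bytes",
    "cs-bytes", "cs-method", "cs-uri-scheme", "cs-host", "cs-uri-port",
    "cs-uri-path", "cs-uri-query", "cs-username", "cs-auth-group", "s-hierarchy",
    "s-supplier-name", "rs(Content-Type)", "cs(Referer)", "cs(User-Agent)",
    "sc-filter-result", "cs-categories", "x-virus-id", "s-ip",
]

# Constructed sample: the post's two records, reduced to the _raw, _time and url
# columns. Quotes inside _raw are doubled, as the Splunk CSV export writes them.
SAMPLE_CSV = r'''_raw,_time,url
"2014-10-03 09:18:21 639 10.19.49.51 404 TCP_NC_MISS 2850 1069 GET http answers.splunk.com 80 /browserconfig.xml - kkyeung GOVTLAB\Proxy1%20Users DEFAULT_PARENT proxy1.scig.gov.hk text/html;charset=UTF-8 - ""Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko"" OBSERVED ""Technology/Internet"" - 10.19.242.8",2014-10-03T09:18:21.000+0800,answers.splunk.com
"2014-10-03 09:02:15 114425 10.19.49.51 200 TCP_TUNNELED 4255 2020 CONNECT tcp www.google.com 443 / - kkyeung GOVTLAB\Proxy1%20Users DEFAULT_PARENT proxy1.scig.gov.hk - - ""Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"" OBSERVED ""Search Engines/Portals"" - 10.19.242.8",2014-10-03T09:02:15.000+0800,www.google.com
'''


def parse_raw(raw: str) -> dict:
    """Split one ProxySG access-log line into named fields.

    Values are space-separated, but the User-Agent and category values are
    double-quoted and contain spaces, so str.split() would shift every field
    after cs(User-Agent). csv.reader with a space delimiter honours the quotes
    and, unlike shlex in POSIX mode, keeps the backslash in cs-auth-group.
    """
    tokens = next(csv.reader([raw], delimiter=" ", quotechar='"'))
    if len(tokens) != len(PROXYSG_FIELDS):
        raise ValueError(f"expected {len(PROXYSG_FIELDS)} fields, got {len(tokens)}: {raw!r}")
    return dict(zip(PROXYSG_FIELDS, tokens))


def load_events(csv_text: str) -> list:
    """Read the Splunk CSV export and attach the parsed _raw fields to each row."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["fields"] = parse_raw(row["_raw"])
        events.append(row)
    return events


def mismatched_url_extractions(events: list) -> list:
    """_time of every event whose learned 'url' field differs from cs-host in
    _raw: a non-empty result means the custom extraction needs fixing."""
    return [e["_time"] for e in events if e["url"] != e["fields"]["cs-host"]]
```

Run against a full export, a non-empty result from mismatched_url_extractions is the quickest way to spot rows where the learned extraction picked the wrong token.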