Hi,
the issue is because the data has quotation marks in it.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/transformsconf
DELIMS =
* NOTE: This attribute is only valid for search-time field extractions.
* IMPORTANT: If a value may contain an embedded unescaped double quote character, such as "foo"bar", use REGEX, not DELIMS. An escaped double quote (\") is ok.
This is one of the many reasons why W3C log format is so horrible. Perhaps a SEDCMD on the input to escape those quotes?