Hi Guys,
I am new to creating reports in Splunk.
I have a log data set where one of the fields is message, and I need your assistance splitting it into different fields.
Below is an example of the logs:
{"message": "2019-04-05\t12:51:24\t89.885.664.006\tPOST\t/is.efg.loud/i/api/v1/meetings/131/status/confirm\t200\t1148\t1\t\"https://so.efg.com/i/dl/\"\t\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.3683.86 Safari/537.36\"\t\"auth-user={\"\"sub\"\":\"\"auth0|599\"\",\"\"nickname\"\":\"\"mi_te\"\",\"\"name\"\":\"\"e_svie\"\",\"\"iss\"\":\"\"https://tenant1.efg.com/\"\",\"\"iat\"\":155,\"\"exp\"\":1554,\"\"email_verified\"\":true,\"\"email\"\":\"\"xyz@abc.com\"\",\"\"aud\"\":\"\"xApat6P\"\",\"\"amr\"\":[\"\"mfa\"\"],\"\"acr\"\":\"\"http://schemas.openid.net/pape/policies/2007/06/multi-factor\"\"}; auth-token=eyJoV...\"\n"}
The fields are separated by "\t".
I need to get the values into the fields below:
date time cs-ip cs-method cs-uri sc-status sc-bytes time-taken cs(Referer) cs(User-Agent) cs(Cookie)
I tried to run the query:
index=<my_index> | rex field=message "(?<date>[^\t]+)\t(?<time>[^\t]+)\t(?<cs_ip>[^\t]+)\t(?<cs_method>[^\t]+)\t(?<cs_uri>[^\t]+)\t(?<sc_status>[^\t]+)\t(?<sc_bytes>[^\t]+)\t(?<time_taken>[^\t]+)\t(?<cs_referer>[^\t]+)\t(?<cs_user_agent>[^\t]+)\t(?<cs_cookie>[^\t\n]+)" | table date, time, cs_ip, cs_method, cs_uri, sc_status, sc_bytes, time_taken, cs_referer, cs_user_agent, cs_cookie
but it didn't work.
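The same split the question asks for, written as an added Python example rather than anything from the original post: the JSON envelope is decoded, the message is split on tabs into the eleven W3C-style field names listed above, quoted fields have their CSV-style doubled quotes undone, and the cs(Cookie) value is broken into pairs with the auth-token redacted because the log carries a live credential. The sample event is constructed to match the shape of the one in the question, with the User-Agent and auth-user claims shortened.

```python
import json

# W3C-style field names from the question, in the order they appear in the
# tab-separated message.
FIELDS = ["date", "time", "cs-ip", "cs-method", "cs-uri", "sc-status",
          "sc-bytes", "time-taken", "cs(Referer)", "cs(User-Agent)", "cs(Cookie)"]

# Constructed sample shaped like the event in the question: a JSON envelope
# whose "message" is one tab-separated line; quoted fields escape embedded
# quotes CSV-style as "" (User-Agent and auth-user claims are shortened).
SAMPLE_EVENT = (
    r'{"message": "2019-04-05\t12:51:24\t89.885.664.006\tPOST'
    r'\t/is.efg.loud/i/api/v1/meetings/131/status/confirm\t200\t1148\t1'
    r'\t\"https://so.efg.com/i/dl/\"'
    r'\t\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\"'
    r'\t\"auth-user={\"\"sub\"\":\"\"auth0|599\"\",\"\"amr\"\":[\"\"mfa\"\"]}; '
    r'auth-token=eyJoV...\"\n"}'
)


def unquote(value):
    """Strip the surrounding quotes of a quoted field and undo "" escaping."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('""', '"')
    return value


def parse_event(raw_event):
    """Return a dict of the 11 W3C fields from one JSON-wrapped log event."""
    message = json.loads(raw_event)["message"].rstrip("\n")
    parts = message.split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {name: unquote(value) for name, value in zip(FIELDS, parts)}


def parse_cookie(cookie, redact_token=True):
    """Split the cs(Cookie) value into name=value pairs.

    Assumes no cookie value contains "; ". The auth-user value is itself a
    JSON object, so json.loads() on it yields the individual claims. The
    auth-token is a bearer credential, so it is redacted unless asked not to.
    """
    pairs = {}
    for pair in cookie.split("; "):
        name, _, value = pair.partition("=")
        pairs[name] = value
    if redact_token and "auth-token" in pairs:
        pairs["auth-token"] = "<redacted>"
    return pairs
```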