What I'm asking is still not being answered. I've seen it before, and I lost the config, so I know it's doable. Unfortunately it was a PS engagement who customized it, but if any Splunk employees are listening out there this should be a default option. The extractor doesn't seem to create Apache message fields all that great.
For example, I want to create a new permanent field for everything after the timestamp, which should be a field called message.
[Mon Jul 02 19:37:33 2012] [error] [client 10.10.1.15] PHP Notice: Undefined index: profileImage in /var/www/html/index.php on line 265
Once this is done, I will be able to run a search such as "search here" | stats count by messageType, or something to that effect.
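An added example, not part of the original post and not Splunk configuration: a Python sketch of the extraction described above, splitting an Apache error log line into timestamp, level, optional client and message, then counting by message type. Treating the text before the first ": " as `messageType` is an assumption, and only the first sample line comes from the post; the rest are constructed.

```python
import re
from collections import Counter

# Apache 2.2-style error line: [timestamp] [level] [client ip] message.
# The [client ...] part is optional; server-level messages do not carry it.
ERROR_LINE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\]\s+"
    r"\[(?P<level>[^\]]+)\]\s+"
    r"(?:\[client (?P<client>[^\]]+)\]\s+)?"
    r"(?P<message>.*)$"
)

# Assumption: messageType is the short text before the first ": " of the
# message (e.g. "PHP Notice"); messages without such a prefix get "other".
MESSAGE_TYPE = re.compile(r"^(?P<type>[A-Za-z][A-Za-z ]{0,30}?):\s")


def parse_line(line):
    """Return a dict of fields, or None if the line is not an error log line."""
    m = ERROR_LINE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    prefix = MESSAGE_TYPE.match(fields["message"])
    fields["messageType"] = prefix.group("type") if prefix else "other"
    return fields


def count_by(lines, field):
    """Rough equivalent of 'stats count by <field>' over the parseable lines."""
    parsed = (parse_line(line) for line in lines)
    return Counter(p[field] for p in parsed if p is not None)


# The first line is the one quoted in the post; the others are constructed.
SAMPLE = [
    "[Mon Jul 02 19:37:33 2012] [error] [client 10.10.1.15] PHP Notice: Undefined index: profileImage in /var/www/html/index.php on line 265",
    "[Mon Jul 02 19:37:41 2012] [error] [client 10.10.1.16] PHP Notice: Undefined variable: user in /var/www/html/example.php on line 12",
    "[Mon Jul 02 19:38:02 2012] [error] [client 10.10.1.16] PHP Warning: Division by zero in /var/www/html/example.php on line 40",
    "[Mon Jul 02 19:38:10 2012] [error] [client 10.10.1.15] File does not exist: /var/www/html/favicon.ico",
    "[Mon Jul 02 19:40:00 2012] [notice] caught SIGTERM, shutting down",
    "this line is not in error-log format",
]

if __name__ == "__main__":
    for message_type, n in count_by(SAMPLE, "messageType").most_common():
        print(f"{n:3d}  {message_type}")
```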