Here is the custom event log format:
field1 field2 field3 FREE_TEXT
How would one query, say, the top 10 FREE_TEXT values, ignoring the first 3 fields, which are space separated? FREE_TEXT can be any application-level debug message and is not in a fixed format.
Creating Fields is not an option. Neither is the code change to generate standard log format like Apache web log.
Just a single-instance Splunk server (no clustering).
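As an added example (not part of the original question or of any posted answer), a search-time extraction that drops the first three space-separated tokens of each event and ranks what remains; the index name `app_logs` and the field name `free_text` are assumptions, and the `eval` line is an optional step that collapses variable numbers (request ids, durations) so near-identical debug messages count as one:

```spl
index=app_logs
| rex field=_raw "^\S+\s+\S+\s+\S+\s+(?<free_text>.*)$"
| eval free_text=replace(free_text, "\d+", "N")
| top limit=10 free_text
```

Because `rex` runs at search time, no field definitions or changes to the logging code are required; drop the `eval` line if exact message strings are wanted, and add `showperc=false` to `top` if the percentage column is not needed.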