Thank you dwaddle for the above reply... This is exactly what I did just after posting the question... So I changed the regex to match the additional field which is logged on our Apache... which is ^[[nspaces:clientip]]\s++
REGEX = ^[[nspaces:clientip]]\s++^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]
So that fixed the problem with the default extraction... I agree with you on the recommendation to move all the custom fields to the end in key-value format (that is the standard norm); we should probably do this some time later. At this point it is easy for me to make the change on the Splunk side and extract these, rather than adjusting the web server, which warrants additional paperwork...
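To show why the default extraction broke and why prepending a matcher fixes it, here is an added Python example (not part of the reply or of Splunk's own code). It hand-expands the `[[macro:field]]` tokens into ordinary named groups using this example's own simplified approximations of Splunk's macros, then runs the default and the adjusted regex over a constructed log line that has one extra leading field; the extra field is captured under the assumed name `extra_field`.

```python
import re

# Simplified, hand-written expansions of the Splunk field macros used in the
# reply ([[nspaces:x]], [[sbstring:x]], [[qstring:x]], [[access-request]],
# [[all:x]]). They are this example's own approximations, not Splunk's
# transforms.conf definitions, and use \s+ instead of the possessive \s++.
MACROS = {
    "nspaces": r"(?P<{f}>\S+)",
    "sbstring": r"\[(?P<{f}>[^\]]*)\]",
    "qstring": r'"(?P<{f}>[^"]*)"',
    "all": r"(?P<{f}>.*)",
}
ACCESS_REQUEST = r'"(?P<req_method>\S+)\s+(?P<uri>\S+)\s+(?P<version>\S+)"'

def expand(template: str) -> str:
    """Rewrite [[macro:field]] tokens of a transforms-style REGEX into re syntax."""
    def sub(m):
        name, _, field = m.group(1).partition(":")
        if name == "access-request":
            return ACCESS_REQUEST
        return MACROS[name].format(f=field)
    return re.sub(r"\[\[([^\]]+)\]\]", sub, template)

# Default combined-format extraction (same field order as in the reply).
DEFAULT = (r"^[[nspaces:clientip]]\s+[[nspaces:ident]]\s+[[nspaces:user]]\s+"
           r"[[sbstring:req_time]]\s+[[access-request]]\s+[[nspaces:status]]\s+"
           r'[[nspaces:bytes]](?:\s+"(?P<referer>[^"]*)"'
           r"(?:\s+[[qstring:useragent]])?)?[[all:other]]")

# The reply's fix: prepend one more matcher for the field the server logs
# first. It gets its own (assumed) name here because Python's re, like PCRE
# by default, rejects a second group named clientip.
ADJUSTED = r"^[[nspaces:extra_field]]\s+" + DEFAULT[1:]

def parse(line: str, template: str):
    """Return the extracted fields as a dict, or None when the regex misaligns."""
    m = re.match(expand(template), line)
    return m.groupdict() if m else None

# Constructed sample line: combined format with one extra leading field.
SAMPLE = ('proxy01 10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] '
          '"GET /index.html HTTP/1.1" 200 2326 '
          '"http://www.example.com/start.html" "Mozilla/5.0"')

if __name__ == "__main__":
    print("default :", parse(SAMPLE, DEFAULT))   # None: anchored regex misaligned
    print("adjusted:", parse(SAMPLE, ADJUSTED))
```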