I have a log set up as: timestamp, user account, query
Splunk is not identifying the second column as 'user account', mostly because there isn't anything to identify it as a user account (no column title). Is there any way to make Splunk read this column so that it will show as an interesting field regardless of the value?
Log sample:
2013-05-13 15:00:00,000 C012345(user account #)
2013-05-13 15:00:00,000 C543210