Per the documentation, the following is what is allowed: Valid characters for field names are a-z, A-Z, 0-9, or _. Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk's internal variables. International characters are not allowed. In your extract, you will want to do this: EXTRACT-osuserid = OS$USERID:(?<os_userid>[[0-9]+] "[^"]+") This creates a field "os_userid" which conforms to the standard. http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Use_proper_field_name_syntax ... View more

Move the EXTRACT line up to the source stanza. Also, verify the source stanza is doing what you think it's doing. Search for sourcetype=oracle_aud_logs to make sure that stanza is working. ... View more