I’m new to Splunk as well. This seemed like it would be straightforward, but…
I have a multiline extract from a data source. The fields are well defined but I can’t carve the fields and related data into columns within Splunk. Data example:
Row 1:
Request ID: 0x1
Requester Name: "DUDE\PKI-TEST$"
Certificate Template: "SubCA"
Serial Number: "6111e953000000000005"
Certificate Effective Date: 12/21/2007 11:57 AM
Certificate Expiration Date: 12/17/2009 8:58 PM
Effective Revocation Date: EMPTY
Revocation Reason: EMPTY
User Principal Name: EMPTY
Request Distinguished Name: "CN=Issuer2048, DC=Bob, DC=Billy, DC=com"
…..
Row 6:
Request ID: 0x6
Requester Name: "Agent\TrustedAgent"
Certificate Template: "1.3.6.1.4.1.311.21.8.729503.12069660.16204964.16364598.2652628.198.1741112.16422776" Boeing Airline SSL Application
Serial Number: "611a4dd3000000000006"
Certificate Effective Date: 1/2/2008 5:12 PM
Certificate Expiration Date: 1/1/2009 5:12 PM
Effective Revocation Date: EMPTY
Revocation Reason: EMPTY
User Principal Name: EMPTY
Request Distinguished Name: "CN=APPL1 SSL, OU=Work Dev, O=BillyBobCo, L=Bellevue, S=WA., C=US"
For each line in the multiline event (from “Row” to “Row”) I need a column and related data.
I have used BREAK_ONLY_BEFORE=Row and SHOULD_LINEMERGE=true to break the events up but I haven’t found a way to establish the rest of the event fields.
Any help will be greatly appreciated!
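As an added example (not from the original post), one way to turn each "Key: value" line of the merged event into its own field is a search-time REPORT extraction in props.conf and transforms.conf. The sourcetype name pki_export, the stanza name pki_kv_extract and the regex are assumptions; the event-breaking settings are the ones the post already uses.

```ini
# props.conf  (sourcetype name "pki_export" is assumed)
[pki_export]
SHOULD_LINEMERGE = true
# anchor on the "Row N:" header so each row becomes one event
BREAK_ONLY_BEFORE = ^Row \d+:
# hand every event of this sourcetype to the extraction stanza below
REPORT-pki_fields = pki_kv_extract

# transforms.conf
[pki_kv_extract]
# One match per "Key: value" line. (?m) makes ^ and $ apply per line inside
# the multiline event. The key may contain only letters and spaces, so the
# "Row 6:" header never matches (the digit breaks the key pattern). The value
# is everything after the colon up to the end of that line, quotes included.
REGEX = (?m)^([A-Za-z][A-Za-z ]*?):[ \t]*(.*?)[ \t]*$
# Capture 1 names the field, capture 2 is its value. CLEAN_KEYS (default true)
# rewrites "Request ID" as Request_ID, "Serial Number" as Serial_Number, etc.
FORMAT = $1::$2
# keep every match in the event, not just the first one
MV_ADD = true
```

Check the result with a search such as `sourcetype=pki_export | table Request_ID Requester_Name Certificate_Template Serial_Number`; quoted values keep their quotes, which `| eval Serial_Number=trim(Serial_Number, "\"")` strips at search time.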