Because the fields are well defined and have a field delimiter of \n and a key-value pair delimiter of :, extracting fields is, in fact, very straightforward.
However, what you have so far is only referencing the line breaking.
Try this:
props.conf
[request]
KV_MODE = none
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = Row
REPORT-extractions = field_extractions
transforms.conf
[field_extractions]
DELIMS = "\n", ":"
This will break out your fields.
If you want Splunk to break out the key-value pairs separated by an "=" in the Request Distinguished Name: field, then change KV_MODE = auto (this is the default).