Hello, I have set up two servers forwarding php error logs to Splunk. The souretype is set to log4php but the field auto extraction is not working. These are what Splunk gives me: # date_hour 2 # date_mday 1 # date_minute 2 a date_month 1 # date_second 3 a date_wday 1 # date_year 1 a date_zone 2 a index 1 # linecount 2 a punct 3 a splunk_server 1 # timeendpos 2 # timestartpos 2 Both servers have a slightly different log format: Server 1 [13-Aug-2015 10:16:40 UTC] PHP Notice: Use of undefined constant gdfgdg - assumed 'gdfgdg' in /srv/users/serverpilot/apps/gibhershop2/public/test.php on line 6 Server 2 [Thu Aug 13 11:36:09.160891 2015] [:error] [pid 1823] [client 141.101.98.217:23987] PHP Parse error: syntax error, unexpected '!' in /var/www/gsysmp/err.php on line 3 Edit The fields I want are: Server 1 PHP error type, in the example that's PHP Notice, but could be PHP Error: etc. The actual error message, in the example Use of undefined constant gdfgdg - assumed 'gdfgdg' - so that's from the ':' of the error type up to 'in /path....' The error location, so the path and line number: /srv/users/serverpilot/apps/gibhershop2/public/test.php on line 6 Server 2 PHP error type: [:error], again this might have other values such as warning or notice. Error message: PHP Parse error: syntax error, unexpected '!' Error location: /var/www/gsysmp/err.php on line 3 Am I doing something wrong? Does anyone have some good searches set up for dealing with this type of log if Splunk doesn't auto extract the fields well? Thanks Ric ... View more