Figured it out with the help of this post: Using DELIMS to extract FIX data. I created a props stanza to extract fields at search time. This allows me to extract all the fields on my first line of data.

props.conf

    [sourcetypeInfo]
    # timestamp group is closed after the day number; the closing ')' was missing in the regex as first posted
    EXTRACT-syslogmsg = ^<(?<priority>[\d]+)>(?<timestamp>[a-zA-Z]{3}\s\s?[\d]{1,2})\sthis is a\s(?<message_type>[a-zA-Z]+)\sseverity:[\r\n\s]+(?<key_value_list>.*)
    REPORT-syslog_key_value_list = syslog_key_value_list

Within my EXTRACT, I want to grab all the fields I care about, as well as all the key-value pairs in their own field. To separate my key-value pairs, I use a group named key_value_list (located at the very end of my EXTRACT-syslogmsg), which I will use in my transforms.

transforms.conf

    [syslog_key_value_list]
    SOURCE_KEY = key_value_list
    DELIMS = "\r\n", ":"

This is how it all comes together. In my transforms, I use the SOURCE_KEY to inform Splunk what key (aka field) will be used. At this point, we can simply use the DELIMS property.
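The two-stage extraction in the post above (an EXTRACT regex that captures the whole key-value tail, then a DELIMS transform that splits it) can be checked offline before it is deployed. The following is an added example, not code from the post or from Splunk: it rewrites the EXTRACT-syslogmsg regex in Python syntax and emulates the DELIMS transform on a constructed event. Assumptions are labelled in the comments: the sample event is made up, `re.DOTALL` is set so the captured key-value list may span lines (a PCRE engine such as Splunk's would need `(?s)` for the same effect), and the "split key from value at the first delimiter" rule is this example's choice rather than a documented Splunk guarantee.

```python
import re
from typing import Dict, Optional

# EXTRACT-syslogmsg from the post, in Python syntax ((?P<name>...) instead of
# (?<name>...)). The timestamp group is closed after the day number.
# re.DOTALL is an assumption of this example: it lets key_value_list run over
# the line breaks that the DELIMS stage splits on.
SYSLOG_RE = re.compile(
    r"^<(?P<priority>\d+)>"
    r"(?P<timestamp>[a-zA-Z]{3}\s\s?\d{1,2})\sthis is a\s"
    r"(?P<message_type>[a-zA-Z]+)\sseverity:[\r\n\s]+"
    r"(?P<key_value_list>.*)",
    re.DOTALL,
)

# Mirrors transforms.conf: DELIMS = "\r\n", ":"
# First string: characters that separate pairs. Second: characters that
# separate a key from its value. Every character in each string counts.
PAIR_DELIMS = "\r\n"
KV_DELIMS = ":"

# Constructed sample event for this example; not real log data.
SAMPLE_EVENT = (
    "<13>Mar  7 this is a Test severity:\r\n"
    "user:alice\r\n"
    "src_ip:10.0.0.5\r\n"
    "path:C:\\Users\\alice\r\n"
)


def split_delims(text: str, pair_delims: str, kv_delims: str) -> Dict[str, str]:
    """Emulate the DELIMS transform.

    The text is split into tokens on any character of pair_delims; each token
    is split into key and value on the FIRST character from kv_delims, so a
    value that itself contains ':' (a Windows path, a URL) survives intact.
    That first-occurrence rule is this example's choice; check it against the
    Splunk version you run before relying on it. Empty tokens and tokens with
    no key/value delimiter are skipped.
    """
    pair_split = re.compile("[" + re.escape(pair_delims) + "]")
    kv_split = re.compile("[" + re.escape(kv_delims) + "]")
    fields: Dict[str, str] = {}
    for token in pair_split.split(text):
        token = token.strip()
        if not token:
            continue
        m = kv_split.search(token)
        if m is None:
            continue
        key = token[: m.start()].strip()
        value = token[m.end():].strip()
        if key:
            fields[key] = value
    return fields


def extract_fields(event: str) -> Optional[Dict[str, str]]:
    """Run the two stages in the order Splunk applies them at search time:
    the inline EXTRACT first, then the REPORT transform on its key_value_list
    capture (which is why the transform can name that field as SOURCE_KEY).
    Returns None when the event does not match the EXTRACT regex. A key in
    the key-value list that repeats a regex group name overwrites it here
    (this example's choice)."""
    m = SYSLOG_RE.match(event)
    if m is None:
        return None
    fields: Dict[str, str] = dict(m.groupdict())
    fields.update(split_delims(fields["key_value_list"], PAIR_DELIMS, KV_DELIMS))
    return fields


if __name__ == "__main__":
    for name, value in (extract_fields(SAMPLE_EVENT) or {}).items():
        print(f"{name} = {value!r}")
```

Feeding the script a few real events from the source (with the sample replaced) is a quick way to confirm that the regex anchors where intended and that the delimiter choice does not chop values containing ':' before the stanzas go into props.conf and transforms.conf.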