Hi, how i can turn the field client to be reconized on search?
2013-02-07 00:14:14.148056|INFO |VirtualServer | 1| client (id:1004) was added to servergroup 'Normal'(id:7) by client 'eG.Kiros'(id:2)
And the action added to.
So than i can create a table with the clients that mostly added other clients to witch servergorup and other things.
If I understand what you're looking for correctly, I believe the answer to your question is search time field extraction, which is documented here:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime