If the illustrated file is raw data, at index time you should try to get Timestamp_field extracted, then extract the rest at search time. There are a number of ways to achieve that; needless to say, this is a terrible format to put real data in. At search time, this can be used to separate metadata from real data and extract:

    | eval data = split(_raw, "
    ")
    | eval _raw = mvjoin(mvindex(data, 0,1), "
    ")
    | eval data = mvjoin(mvindex(data, 2, -1), "
    ")
    | multikv
    | rename data AS _raw
    | multikv forceheader=1
    | fields - _raw linecount

The illustrated sample file will give:

    DataField1  DataField2  DataField3  DataField4  Field1  Field2  Field4  Field5  Field7  Number_of_records  Timestamp_field
    ssss        yyyy        pppp        ffff        xx      yy      zz      aa      bb      2                  2015-09-12 14:55:00.666
    ababa       dfdfdf      ghghg       hhhhh       xx      yy      zz      aa      bb      2                  2015-09-12 14:55:00.666
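The search above relies on two things: the first two lines of the event are a header/value pair of metadata, and everything from the third line on is a second aligned table whose header multikv is forced to honour. The following Python is an added example, not part of the answer or of Splunk, that performs the same split outside Splunk so you can check what the event should yield before tuning props.conf. The sample event is constructed from the output shown in the answer; the parser assumes left-aligned, space-padded columns (the Timestamp_field value itself contains a space, so columns are cut at the header's start offsets rather than on whitespace), which is an assumption about the illustrated file, not something the answer states.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample event: two metadata lines (header + one value row),
# then a data table with its own header. Columns are assumed left-aligned.
SAMPLE = """\
Field1  Field2  Field4  Field5  Field7  Number_of_records  Timestamp_field
xx      yy      zz      aa      bb      2                  2015-09-12 14:55:00.666
DataField1  DataField2  DataField3  DataField4
ssss        yyyy        pppp        ffff
ababa       dfdfdf      ghghg       hhhhh
"""


def header_offsets(header: str) -> List[Tuple[str, int]]:
    """Return (column_name, start_offset) for each token in an aligned header."""
    return [(m.group(0), m.start()) for m in re.finditer(r"\S+", header)]


def parse_aligned_table(lines: List[str]) -> List[Dict[str, str]]:
    """Parse a header line plus aligned rows into one dict per row.

    Each column spans from its header's start offset to the next header's
    start offset; the last column runs to end of line. This is what lets a
    value containing spaces (the timestamp) survive intact.
    """
    if not lines:
        return []
    cols = header_offsets(lines[0])
    rows: List[Dict[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        row: Dict[str, str] = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else len(line)
            row[name] = line[start:end].strip()
        rows.append(row)
    return rows


def parse_event(raw: str) -> List[Dict[str, str]]:
    """Mirror the SPL: lines 0-1 are metadata (mvindex 0,1), lines 2.. are data.

    Every data row is merged with the single metadata row, which is the same
    shape the answer's output table has (DataField* plus Field*, Number_of_records,
    Timestamp_field on every row).
    """
    lines = raw.splitlines()
    meta_rows = parse_aligned_table(lines[0:2])
    meta = meta_rows[0] if meta_rows else {}
    data_rows = parse_aligned_table(lines[2:])
    return [{**meta, **row} for row in data_rows]


if __name__ == "__main__":
    for r in parse_event(SAMPLE):
        print(r)
```

Run it and compare the dicts against the table in the answer; if a column comes out shifted or empty, the file is not aligned the way this example assumes and multikv will likely mis-split it the same way, which is the moment to fix the producer rather than the search.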