Just thought I would add the way I did this which can be found in my question here: http://answers.splunk.com/answers/112243/delimited-field-extractions-for-cognos-data
Sometimes you can just see that the data is separated by tabs and can name the columns rather than using a regex!
Build a transforms.conf stanza as follows:
[cognos-fields]
DELIMS="\t"
FIELDS="Host ID","Process ID","Time","Time Zone","Session ID","Request ID","SubRequest ID","Step ID","Thread","Component ID","Build Number","Level","Logger","Operation","Object Type","Object Path","Status","Message","Log Data"
Much easier, I find 🙂