As @ITWhisperer said, illustrate structured data in raw format, not with Splunk's condensation.

If you already have a top level key "tag", I suspect that you actually want the key-value pairs in that value ("service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz container-id=asdfgh503 full-container-id=1234567890") extracted, not to extract that line again.

Maybe the key "tag" is not top level. In that case, you will need to tell us what the path leading to tag is. In all cases, raw format will help volunteers diagnose.

If "tag" is top level, you can use kv (aka extract) to extract fields like service, APPID, etc., like

    | rename _raw AS temp, tag AS _raw
    | kv
    | rename _raw AS tag, temp as _raw

Your sample should give

| APPID | application | cluster | container_id | full_container_id | full_imagename | service |
|---|---|---|---|---|---|---|
| 1234 | z2 | z2-qa1-local | asdfgh503 | 1234567890 | 0123456789.dkr.10cal/10.20/xyz | z2-qa1-local-z2-api-endpoint |

Is this something you are looking for?
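An added example, not part of the original reply: a self-contained search that emulates the case where "tag" is not a top-level key and then applies the same rename/kv swap. The JSON event is constructed from the sample string in the post, and the path `log.tag` is a hypothetical stand-in for whatever the real path turns out to be.

```spl
| makeresults
``` constructed event: the sample key-value string nested under a hypothetical "log" object ```
| eval _raw="{\"log\":{\"tag\":\"service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz container-id=asdfgh503 full-container-id=1234567890\"}}"
``` pull the nested value into a plain field named tag (log.tag is an assumed path) ```
| spath path=log.tag output=tag
``` kv works on _raw, so park the original event in temp and put tag in its place ```
| rename _raw AS temp, tag AS _raw
| kv
``` restore the original event and keep tag as its own field ```
| rename _raw AS tag, temp AS _raw
| table APPID application cluster container_id full_container_id full_imagename service
```

With the real data, everything above the `spath` line is replaced by the actual base search, and `log.tag` by the actual path to the key.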