
How to do it...
Follow these steps to add a custom field extraction for a response:
- Log in to your Splunk server.
- In the top right-hand corner, click on the Settings menu and then click on the Fields link.
- Click on the Field extractions link.
- Click on New.
- In the Destination app field, select the search app, and in the Name field, enter response. Set the Apply to dropdown to sourcetype and the named field to access_combined. Set the Type dropdown to Inline, and for the Extraction/Transform field, carefully enter the following regex (note the backslash in \s, which matches the whitespace after the eighth double quote): (?i)^(?:[^"]*"){8}\s+(?P<response>.+)
- Click on Save.
- On the Field extractions listing page, find the recently added extraction, and in the Sharing column, click on the Permissions link.
- Update the Object should appear in setting to All apps. In the Permissions section, for the Read column, check Everyone, and in the Write column, check admin. Then, click on Save.
- Navigate to the Splunk search screen and enter the following search over the Last 60 minutes time range:
index=main sourcetype=access_combined
- You should now see a field called response extracted on the left-hand side of the search screen under the Interesting Fields section.
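To see what the inline regex actually captures before saving it in Splunk, here is an added Python example (not from the book) that runs the same extraction over a few constructed access_combined-style events. The events themselves, and the assumption that a fourth quoted field (a cookie) precedes the response time, are mine, not data from the recipe.

```python
import re

# The inline extraction from the recipe: skip four double-quoted fields
# (eight quote characters), then capture everything after the whitespace
# that follows them into the named group "response".
RESPONSE_RE = re.compile(r'(?i)^(?:[^"]*"){8}\s+(?P<response>.+)')

# Constructed access_combined-style events (not real data). Request,
# referer, user agent and cookie are the four quoted fields; the trailing
# number is the response time the extraction is meant to pick up.
SAMPLE_EVENTS = [
    '10.1.1.4 - - [10/May/2014:21:55:18] "GET /home HTTP/1.1" 200 1200 '
    '"http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1)" "JSESSIONID=SD01" 143',
    '10.1.1.5 - - [10/May/2014:21:55:19] "POST /cart.do HTTP/1.1" 500 540 '
    '"http://www.example.com/cart" "Mozilla/5.0 (Macintosh)" "JSESSIONID=SD02" 2201',
    # Only three quoted fields here, so the extraction must not fire at all.
    '10.1.1.6 - - [10/May/2014:21:55:20] "GET /robots.txt HTTP/1.1" 404 0 '
    '"-" "curl/7.35.0"',
]


def extract_response(event: str):
    """Return the value Splunk would assign to the response field, or None
    when the event does not match the inline extraction. Because the group
    is `.+`, anything after the eighth quote is captured to end of line."""
    match = RESPONSE_RE.match(event)
    return match.group("response") if match else None


def field_summary(events):
    """Mimic the Interesting Fields sidebar: count events per extracted
    value and report how many events yielded no value at all."""
    counts = {}
    unmatched = 0
    for event in events:
        value = extract_response(event)
        if value is None:
            unmatched += 1
        else:
            counts[value] = counts.get(value, 0) + 1
    return counts, unmatched


if __name__ == "__main__":
    counts, unmatched = field_summary(SAMPLE_EVENTS)
    print("response values:", counts, "| events without a match:", unmatched)
```

An event that lacks the fourth quoted field is silently left without a response value, which is the same behaviour you will see in the sidebar when the field count is lower than the event count.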