On splunkA I am monitoring an xml log file. It is forwarded to SplunkB in a separate index. Where should I define the multiline event breaking and the field extraction? On sender(splunkA) or receiver(splunkB)?
Please see: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F to learn how to determine where a configuration needs to reside.
View solution in original post
