I am importing logfiles into Splunk from a file. Each log entry starts with the string "** Alert" and ends with a double paragraph mark. The log entries are multi-line and of variable length, and a combination of various sources (windows alerts, firewall alerts etc).
When importing, I click 'A file or directory of files'; 'Consume any file on this Splunk server'; 'Upload and index a file'; then browse for the file and click save.
No matter what I try in props.conf, each log entry begins with the date (which is the SECOND line of the entry) and ends with the "** Alert" from the next extry. I am editing the [default] section. (I have copied props.conf from /etc/system/default into etc/system/local and this is the one I'm editing).
Can someone suggest a suitible setting in props.conf or is it that I have to do something to make Splunk use the default part of props.conf rather than making its own mind up about what sort of file it's importing?
TIA
... View more