Having an issue where some of the Bro SMTP log entries are being combined in Splunk to form one event as opposed to properly breaking and generating multiple Splunk events. Logs are being forwarded from a Linux machine using the universal forwarder to a Windows based indexer.
Manually viewing the text log file shows each line as an individual entry. None of the events in the text log file are more than a single line.
I've only seen this occurring in the SMTP log and it does not happen 100% of the time.
No changes have been made to any of the default config files, other than adding my inputs.
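For reference, the Splunk settings that control how incoming data is split into events live in props.conf, keyed by sourcetype. The stanza below is an added illustration of those settings for a one-event-per-line Bro log and is not configuration from the post above; the sourcetype name `bro_smtp` is an assumed placeholder, and whether these settings resolve the behaviour described in the post is not established by the post itself.

```ini
# props.conf -- added example, not from the original post.
# Sourcetype name "bro_smtp" is an assumed placeholder; match it to the
# sourcetype set in inputs.conf for the Bro SMTP log.
[bro_smtp]
# Disable the multi-line merging step so Splunk never joins consecutive
# lines into a single event.
SHOULD_LINEMERGE = false
# Break events strictly on newlines; each line of the Bro log is one event.
LINE_BREAKER = ([\r\n]+)
# Bro/Zeek logs are tab-separated and carry "#fields" / "#types" header
# lines at the top of each file; keeping them out of indexed events is
# optional but avoids header lines being treated as data.
TRANSFORMS-drop_bro_headers = drop_bro_header_lines

# transforms.conf -- companion stanza for the header filter above.
[drop_bro_header_lines]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue
```

Line breaking is applied on the indexer (or on a heavy forwarder), not on a universal forwarder, so in a UF-to-indexer setup like the one described these stanzas belong on the Windows indexer; after editing, a restart or a `splunk reload` of the indexer is required for the change to take effect on newly arriving data.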