Maybe I am overthinking this, or maybe Splunk can't do this, but I want all logs with "sender" being the same until it changes to be one event. I have the data below (and extra line breaks to show where I want the event data split).
Once the "sender" changes then there is no going back. Said another way, the log lines are not interspersed.
Is this possible? A side question, but of lesser importance, is that the "date" of the log line is in the filename; is there a way to extract it from it? I.e. the above contents would be in a file called 2012-04-09.log.
No, you cannot do this at index time. You would have to index each line separately, and then you could use the transaction command at search time to assemble the events, something like | transaction sender maxspan=2
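As an added illustration (not part of the answer above, and not Splunk's own code), the following Python script mirrors what the search-time assembly does: it indexes the lines one by one, groups each contiguous run of the same "sender" into a single event, and takes the event date from a filename like 2012-04-09.log. The log lines and the `sender=` key=value layout are constructed assumptions, since the original data was not included in the post.

```python
import re
from datetime import date
from itertools import groupby
from pathlib import Path

# Constructed sample log lines (not from the original post). "sender" is a
# key=value field, and lines from one sender are contiguous, never interspersed.
SAMPLE_LOG = """\
10:01:03 sender=alice action=login
10:01:05 sender=alice action=open_doc
10:02:10 sender=bob action=login
10:02:11 sender=bob action=upload
10:02:12 sender=bob action=logout
10:03:00 sender=carol action=login
"""

SENDER_RE = re.compile(r"\bsender=(\S+)")


def date_from_filename(path):
    """Pull the event date out of a filename such as 2012-04-09.log."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})\.log", Path(path).name)
    if not m:
        raise ValueError(f"no date in filename: {path}")
    return date(*map(int, m.groups()))


def sender_of(line):
    """Extract the sender field from one raw line (None if absent)."""
    m = SENDER_RE.search(line)
    return m.group(1) if m else None


def assemble_events(lines, log_date):
    """Group consecutive lines that share a sender into one event, the way
    `| transaction sender` does at search time; a new sender starts a new event."""
    events = []
    for sender, run in groupby((l for l in lines if l.strip()), key=sender_of):
        run = list(run)
        events.append({
            "date": log_date.isoformat(),   # date comes from the filename, not the line
            "sender": sender,
            "eventcount": len(run),         # number of raw lines folded into the event
            "_raw": "\n".join(run),         # the merged event text
        })
    return events


def events_from_file(text, filename):
    return assemble_events(text.splitlines(), date_from_filename(filename))


if __name__ == "__main__":
    for ev in events_from_file(SAMPLE_LOG, "2012-04-09.log"):
        print(ev["date"], ev["sender"], ev["eventcount"])
```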