Splunk Dev

Break reports

derekclarke
New Member

I am importing logfiles into Splunk from a file. Each log entry starts with the string "** Alert" and ends with a double paragraph mark. The log entries are multi-line and of variable length, and a combination of various sources (windows alerts, firewall alerts etc).

When importing, I click 'A file or directory of files'; 'Consume any file on this Splunk server'; 'Upload and index a file'; then browse for the file and click save.

No matter what I try in props.conf, each log entry begins with the date (which is the SECOND line of the entry) and ends with the "** Alert" from the next entry. I am editing the [default] section. (I have copied props.conf from /etc/system/default into etc/system/local and this is the one I'm editing).

Can someone suggest a suitable setting in props.conf, or is it that I have to do something to make Splunk use the default part of props.conf rather than making its own mind up about what sort of file it's importing?

TIA

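For the event-breaking problem described in the question (each entry begins with "** Alert", runs over several lines, and carries its date on the second line), the stanza below is an added example, not configuration from the original post or from Splunk's own default files. It assumes a sourcetype named `alertlog` that is assigned to the file at upload time, and it goes in a sourcetype stanza of `$SPLUNK_HOME/etc/system/local/props.conf` rather than in a copied `[default]` stanza, so that only this file's settings are overridden. The lookahead and truncation values are assumptions chosen to fit entries of unknown length.

```ini
# Added example: $SPLUNK_HOME/etc/system/local/props.conf
# The sourcetype name "alertlog" is an assumption; assign it to the file when uploading.
[alertlog]
# Split the raw text into events only where a run of newlines is immediately
# followed by "** Alert". The capture group is the separator and is discarded;
# the lookahead leaves "** Alert" at the start of the next event.
LINE_BREAKER = ([\r\n]+)(?=\*\* Alert)
# Events are already complete after LINE_BREAKER, so skip the slower
# line-merging pass. (With SHOULD_LINEMERGE = true, the equivalent setting
# would be: BREAK_ONLY_BEFORE = ^\*\* Alert)
SHOULD_LINEMERGE = false
# The date is on the second line of each entry, so let the timestamp scanner
# look further than the default 128 characters. Assumed value: 256 covers a
# short first line; raise it if the first line is longer.
MAX_TIMESTAMP_LOOKAHEAD = 256
# Entries are multi-line and of variable length; raise the per-event byte
# limit (default 10000) so long firewall or Windows alerts are not cut short.
# Assumed value.
TRUNCATE = 100000
```

props.conf edits only take effect after splunkd is restarted (the follow-up below confirms this), and a file indexed before the restart keeps its old event boundaries. After restarting and re-uploading, a search such as `sourcetype=alertlog | head 5` shows whether each event now starts with "** Alert" and carries the timestamp from its second line.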

derekclarke
New Member

Damn - I didn't stop and restart the daemon. Idiot.

Ignore please - works fine now!
