PowerShell to Splunk issue - eventlog

Stngr
New Member

Hi there,

I've configured custom application logs to go to Splunk with .ps1 script.

The problem is - some logs are missing... After some troubleshooting I found there is something in the message property that makes it fail, as if I exclude message all events are processed (yet useless).

My guess is - there is something considered as exit character in the message that fails to be ingested. 

I have nothing set in props.conf.

Sample message that gets processed:

Feature audited:                   Scheduled Task

Type of Change:                   Edit Scheduled Task

Changed by:                          DOMAIN\svc_landesk

Date of change:                    11/19/2020 13:56:17

Changed on machine:         SERVERVLANDE01

Item name:                            Run After Image - 11/19/2020 1:54:40 PM

Old value:                             

Feature Specific Data:

Data too big.  See equivalent event in the database.

Sample message that fails and doesn't show up in Splunk:

Feature audited:                   Scheduled Task

Type of Change:                   Start Scheduled Task

Changed by:                          DOMAIN\svc_landesk

Date of change:                    11/19/2020 13:56:17

Changed on machine:         SERVERVLANDE01

Item name:                           

Old value:                             

Feature Specific Data:

<ExportableChange xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" />
