I'm trying to get Splunk to properly break multi-line events from the Radiator RADIUS server using BREAK_ONLY_BEFORE_DATE, as each event starts with a timestamp. However, other values in lines, values that aren't timestamps, are being detected as timestamps and causing events to be split in the middle. For example, with BREAK_ONLY_BEFORE_DATE set to true for this particular sourcetype, Splunk breaks here (I've changed some digits but the length is the same):
Extreme-AP-Serial = "1000008375080206"
Here's what I want it to see as a timestamp:
Thu Jan 3 12:07:08 2013: DEBUG: Handling request with Handler 'Request-Type=Accounting-Request'
I looked through datetime.xml hoping to get rid of the offending regex and manually specify a new xml specifically for this sourcetype, but I'm not sure that that is the best way to go about this.
Awesome, now I just have to figure out which expression to use for the value of TIME_FORMAT. I put an example in the question if this happens to be second nature to you or someone else.
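As an added illustration (not code from the question, Splunk or Radiator), here is the breaking rule the question asks for, in Python: only a timestamp anchored at the start of a line in the exact Radiator shape starts a new event, so a digit run inside an attribute value such as the AP serial can never be taken for one, and the same strptime-style format string parses the timestamp. The sample log lines and serial numbers are constructed.

```python
import re
from datetime import datetime

# Radiator timestamp, e.g. "Thu Jan  3 12:07:08 2013", in strptime directives.
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"

# Anchored at line start and followed by ": ", so digits inside attribute
# values (like the AP serial) can never match as a date.
TS_RE = re.compile(
    r"^(?P<ts>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2} "
    r"\d{2}:\d{2}:\d{2} \d{4}): ",
    re.MULTILINE,
)

# Constructed sample in the shape of Radiator debug output; the serials are
# made-up values of the same length as the one quoted in the question.
SAMPLE_LOG = (
    "Thu Jan  3 12:07:08 2013: DEBUG: Handling request with Handler "
    "'Request-Type=Accounting-Request'\n"
    "*** Received from 192.0.2.10 port 1813 ....\n"
    "Code:       Accounting-Request\n"
    'Extreme-AP-Serial = "1000008375080206"\n'
    "Acct-Session-Time = 3600\n"
    "Thu Jan  3 12:07:09 2013: DEBUG: Handling request with Handler "
    "'Request-Type=Access-Request'\n"
    'Extreme-AP-Serial = "1000008375080207"\n'
)


def break_events(text):
    """Split text into events, breaking only before an anchored timestamp.
    Text before the first timestamp (if any) is kept as its own event."""
    starts = [m.start() for m in TS_RE.finditer(text)]
    if not starts:
        return [text.rstrip("\n")] if text.strip() else []
    if starts[0] != 0:
        starts.insert(0, 0)
    bounds = zip(starts, starts[1:] + [len(text)])
    return [text[a:b].rstrip("\n") for a, b in bounds]


def event_time(event):
    """Parse the leading timestamp of one event using TIME_FORMAT."""
    m = TS_RE.match(event)
    if m is None:
        raise ValueError("event does not start with a Radiator timestamp")
    return datetime.strptime(m.group("ts"), TIME_FORMAT)
```

Running `break_events(SAMPLE_LOG)` yields two events; the serial lines stay inside the event whose timestamp precedes them.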