Splunk auto line breaks based on time stamps. You should first give the preview tool a try and see if you can figure it out there, but here's an example of a tab delimited input I have:
Props.conf on indexer:

[SMTP]
REPORT-smtp = getsmtpfields

Transforms.conf on indexer:

[getsmtpfields]
DELIMS = "\t"
FIELDS = Type,Number,MSG_ID,Date,IP,MSG

Inputs.conf on universal forwarder:

[monitor://c:\Program Files (x86)\hMailServer\Logs]
disabled = 0
host = hostname
index = main
sourcetype = SMTP
crcSalt = <SOURCE>
whitelist = \.log$
http://docs.splunk.com/Documentation/Splunk/5.0.2/admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Propsconf
So yours might look like this:
Props.conf on indexer:

[custominput]
REPORT-custominput = custominputfields

Transforms.conf on indexer:

[custominputfields]
DELIMS = "\t"
FIELDS = RecID,TimeStamp,ClientIPAddress,ServerName,ServerIPAddress,ServerPort,Method,URIStem,URIQuery,Status,UserName,URLRoot
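To check what the DELIMS/FIELDS stanza above will actually produce before deploying it, here is an added example (not part of the answer, and not Splunk's own code) that reads the transforms.conf stanza with Python's configparser and applies the same positional mapping to a couple of constructed tab-delimited log lines; it approximates Splunk's behaviour of dropping extra pieces and leaving missing trailing fields unset.

```python
import configparser
import re

# Constructed copy of the transforms.conf stanza from the answer above.
TRANSFORMS_CONF = r"""
[custominputfields]
DELIMS = "\t"
FIELDS = RecID,TimeStamp,ClientIPAddress,ServerName,ServerIPAddress,ServerPort,Method,URIStem,URIQuery,Status,UserName,URLRoot
"""

# Constructed sample records in the layout FIELDS describes (IPs are documentation ranges).
SAMPLE_LOG = (
    "1\t2013-04-01 10:00:00\t203.0.113.5\tWEB01\t192.0.2.10\t80\tGET\t/index.html\t-\t200\t-\t/\n"
    "2\t2013-04-01 10:00:01\t203.0.113.5\tWEB01\t192.0.2.10\t80\tGET\t/admin\t-\t401\t-\t/\n"
)


def load_transform(conf_text, stanza):
    """Return (delimiter characters, ordered field names) from a transforms.conf stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[stanza]
    # DELIMS is quoted and may use escapes such as \t; turn the escape into the real character.
    delims = bytes(sec["DELIMS"].strip('"'), "ascii").decode("unicode_escape")
    fields = [name.strip() for name in sec["FIELDS"].split(",")]
    return delims, fields


def extract_fields(line, delims, fields):
    """Split one event on any DELIMS character and name the pieces positionally, as FIELDS does.

    Pieces beyond the named fields are dropped; a short line leaves trailing fields unset.
    This is an approximation written for the example, not Splunk's extraction engine.
    """
    pieces = re.split("[" + re.escape(delims) + "]", line.rstrip("\r\n"))
    return dict(zip(fields, pieces))


def parse_log(text, delims, fields):
    return [extract_fields(ln, delims, fields) for ln in text.splitlines() if ln.strip()]


def client_ips_with_errors(records):
    """Client addresses whose requests got a 4xx/5xx Status, as a quick sanity check of the mapping."""
    return sorted({r["ClientIPAddress"] for r in records if r.get("Status", "").startswith(("4", "5"))})


if __name__ == "__main__":
    d, f = load_transform(TRANSFORMS_CONF, "custominputfields")
    for rec in parse_log(SAMPLE_LOG, d, f):
        print(rec["RecID"], rec["Method"], rec["URIStem"], rec["Status"])
```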