Hi, I am trying to index IDS logs into a Splunk server, however the log is not in a good format.
How can I reformat the log into JSON so it will have a table for timestamp, event type, src IP, and the rest?
I have tried to edit props.conf but it is still the same.
Is there anything I should do to get this to work?
Thanks.
[suricata]
KV_MODE = json
NO_BINARY_CHECK = 1
TRUNCATE = 0
Here is my log on the Splunk server:
Aug 3 23:59:45 192.168.1.200 Aug 3 23:59:43 IDS suricata: {"timestamp":"2014-08-03T23:59:43.946222","event_type":"alert","src_ip":"192.168.20.1","src_port":6000,"dest_ip":"8.8.8.8","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":18,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
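Added example (not part of the original post): the JSON in that event is preceded by two syslog headers, so a JSON extractor never sees a bare object. The script below strips the framing and parses the record into the flat fields asked for; the SEDCMD regex in the comment is an assumption about how the same stripping could be expressed in props.conf and should be checked against your own data.

```python
import json
import re

# Constructed sample, copied from the question: a Suricata EVE JSON record wrapped
# in two syslog headers (the relay's and the sensor's own).
SAMPLE_LINE = (
    'Aug 3 23:59:45 192.168.1.200 Aug 3 23:59:43 IDS suricata: '
    '{"timestamp":"2014-08-03T23:59:43.946222","event_type":"alert",'
    '"src_ip":"192.168.20.1","src_port":6000,"dest_ip":"8.8.8.8","dest_port":22,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,'
    '"rev":18,"signature":"ET SCAN Potential SSH Scan",'
    '"category":"Attempted Information Leak","severity":2}}'
)

# Everything up to and including the "suricata: " program tag is syslog framing,
# not JSON. The same expression could be applied at index time (assumed, verify):
#   SEDCMD-strip_syslog = s/^.*?suricata: //
# so that KV_MODE = json sees a bare JSON object.
SYSLOG_PREFIX = re.compile(r'^.*?suricata: ')


def strip_syslog_prefix(line: str) -> str:
    """Return the JSON payload of a syslog-wrapped Suricata event."""
    return SYSLOG_PREFIX.sub('', line, count=1)


def parse_event(line: str) -> dict:
    """Parse one line into a flat dict (nested keys joined with dots,
    matching how Splunk names auto-extracted JSON fields)."""
    payload = strip_syslog_prefix(line)
    if not payload.startswith('{'):
        raise ValueError('no JSON object found after syslog header')
    event = json.loads(payload)
    flat = {}

    def _flatten(obj, prefix=''):
        for key, value in obj.items():
            name = f'{prefix}{key}'
            if isinstance(value, dict):
                _flatten(value, name + '.')
            else:
                flat[name] = value

    _flatten(event)
    return flat


if __name__ == '__main__':
    fields = parse_event(SAMPLE_LINE)
    for name in ('timestamp', 'event_type', 'src_ip', 'dest_ip', 'alert.signature'):
        print(f'{name}={fields[name]}')
```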