In our case it's important to use the whole path for <splunkfowrarderfile>.msi. Without exact path (e.g. ./ or c:\temp\...) it couldn't find it and installation failed. ... View more

Try adding this to your props.conf: SHOULD_LINEMERGE = 1 BREAK_ONLY_BEFORE = /d+/:/d+/:/d+/./d+/s/d/sSIP/s+/[/w/./w/./w/./w/]/:/d+ The regular expression matches: 00:00:00.423 5 SIP [a.b.c.d]:5060 /d+ means 1 or more digits, /: means the character ":" is literal, /w+ means 1 or more alphabetical characters and finally, I have used a.b.c.d literally as four alphabetical chars with periods between them, if it needs to be changed to an IP address, replace "/w+" by "/d+".   This config will allow each SIP call as 1 event with multiple lines. NOTE: Setting SHOULD_LINEMERGE = 1 does come with a slightly greater load on Splunk, so please test the load before applying to PROD. ... View more