No problem. If you want each line to be processed as a separate event, you can do this in props.conf
[source::<yourfilenamehere>]
SHOULD_LINEMERGE = false
But, if you want Splunk to start a new event each time it sees "host=", do this in props.conf
[source::<yourfilenamehere>]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = host\=
Finally, if you want to override the source, sourcetype and host of the incoming events, based on the fields in the data, you will need to add the following lines to props.conf
TRANSFORMS-t1=hostOverride
TRANSFORMS-t2=sourcetypeOverride
and create a transforms.conf that contains
[hostOverride]
DEST_KEY = MetaData:Host
REGEX = host\=(\S+)
FORMAT = host::$1
[sourcetypeOverride]
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype\=(\S+)
FORMAT = sourcetype::$1
Finally, add the following line to props.conf to tell it to use timestamp= as your timestamp. You have not indicated the format of your timestamp, so I will assume that it is a format that Splunk can process automatically - if not, you may also need to add a line to specify the TIMEFORMAT.
TIME_PREFIX = timestamp\=
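An added example, not part of the original answer and not Splunk's own code: a Python approximation of the settings above, run over constructed sample lines, to preview how events would split and which host and sourcetype each would receive. The sample data, the default metadata values and the function names are assumptions; the last sample line shows that the unanchored `host\=` also matches inside a key such as `dest_host=`.

```python
import re

# Constructed sample input; the field layout is an assumption, not from the post.
SAMPLE = (
    'host=web01 sourcetype=access timestamp=2024-01-01T00:00:00 msg="start"\n'
    '  continuation line without any key\n'
    'host=db02 sourcetype=mysql timestamp=2024-01-01T00:00:05 msg="slow"\n'
    '  forwarded dest_host=web01 status=ok\n'
)

DEFAULTS = {"host": "forwarder01", "sourcetype": "generic"}  # hypothetical input defaults


def split_events(raw, break_only_before):
    """Approximate SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE:
    a line on which the regex matches anywhere starts a new event."""
    pattern = re.compile(break_only_before)
    events, current = [], []
    for line in raw.splitlines():
        if pattern.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def apply_overrides(event, host_regex=r"host\=(\S+)",
                    sourcetype_regex=r"sourcetype\=(\S+)"):
    """Approximate the two transforms: the first unanchored match rewrites
    the metadata key, no match leaves the default in place."""
    meta = dict(DEFAULTS)
    for key, regex in (("host", host_regex), ("sourcetype", sourcetype_regex)):
        match = re.search(regex, event)
        if match:
            meta[key] = match.group(1)
    return meta


def index_preview(raw, break_only_before=r"host\=", **regexes):
    """Return the metadata each resulting event would carry."""
    return [apply_overrides(e, **regexes) for e in split_events(raw, break_only_before)]


if __name__ == "__main__":
    for meta in index_preview(SAMPLE):
        print(meta)
```

With the patterns as posted, the sample yields three events, and the third takes its host from `dest_host=web01` while keeping the default sourcetype. If `host=` always begins an event in your data, anchoring the break pattern as `^host\=` keeps that line attached to the second event.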