Hi,

First, you should test this with sample data on your local dev instance. This is the easiest way to integrate a data source into Splunk.

On your local instance, start with Settings -> Add Data -> Monitor/Upload:
- Select the source file from your local disk
- Configure the next parts:
  - Event Breaks (Regex ([\n\r]+)\s*<Interceptor>)
  - Timestamp: Advanced
    - Format: %Y-%m-%d</ActionDate>\n\s*<ActionTime>%H:%M%S (check with your actual data)
    - Prefix: <ActionDate>
    - Lookahead: long enough to match
  - Format Advanced: if something is needed

When you are happy with what you see in your preview, then "Save As" a new sourcetype. You can also copy those settings with the link "Copy to clipboard".

Then add that props.conf into the first full Splunk Enterprise instance on the path from your source system to the indexers. And remember to restart that instance.

I prefer to create my own TA for those configs and then distribute that TA wherever it is needed.

r. Ismo
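For reference, this is roughly the props.conf stanza that the Add Data wizard produces from the fields listed above. It is an added illustration, not Ismo's own config; the sourcetype name, the lookahead value of 60, and the colon between minutes and seconds in TIME_FORMAT are assumptions, so verify them against your own preview.

```ini
# Constructed example of the props.conf stanza produced by "Save As" /
# "Copy to clipboard" in the Add Data wizard. Sourcetype name is assumed.
[interceptor_xml]

# Event Breaks: each event starts at a <Interceptor> tag on a new line.
# LINE_BREAKER needs one capture group; the newline(s) inside it are
# consumed as the break and are not kept in either event.
LINE_BREAKER = ([\n\r]+)\s*<Interceptor>
SHOULD_LINEMERGE = false

# Timestamp: Advanced. The date sits in <ActionDate>, the time in the
# following <ActionTime> element, so the prefix anchors on <ActionDate>
# and the format spans both elements. Check the format against real data;
# the ":" before %S is an assumption, the post shows "%H:%M%S".
TIME_PREFIX = <ActionDate>
TIME_FORMAT = %Y-%m-%d</ActionDate>\n\s*<ActionTime>%H:%M:%S
# "Long enough to match": 60 characters is an assumed value that covers
# the closing tag, whitespace and the opening <ActionTime> tag.
MAX_TIMESTAMP_LOOKAHEAD = 60

# Optional, worth setting so that a malformed or huge event is not
# silently truncated at the default and split into garbage events.
TRUNCATE = 100000
```

This belongs on the first full Splunk Enterprise instance (heavy forwarder or indexer) in the data path, packaged in your own TA as the post suggests, followed by a restart of that instance.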