Hi I think that your issue is this "|first_seen=". Splunk use this as a regex and | has special purpose on those. You could try this [<Your sourcetype name here>] SHOULD_LINEMERGE=false LINE_BREAKER=([\n\r]+)\| first_seen= TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3Q%Z TIME_PREFIX=\| first_seen= MAX_TIMESTAMP_LOOKAHEAD=30 This works at least 10.2.0 beta. r. Ismo  ... View more

If the data is already ingested into Splunk's "pipeline" - no. You could use python to create a modular input but that would work on an earlier step - betore the data is injected into input queue. ... View more

OK. Scratch that. It's some quirkness of the UI. Regardless of whichever version of the TOKENIZER I use if I do a search  <my_base_search> | eval mvcount=mvcount(Volume_name_s_) | table Volume_name_s_ mvcount I get (whenever applicable) a proper multivalued field in my table and a count of a dozen or so values. But. The UI displays the values differently depending on which form I use. If I use the  TOKENIZER = (\w+-\d+_\d+_\d+) version, when I expand the event contents to see extracted values I see each value on separate line If I use the  TOKENIZER = ([^|]+) form, all values are crammed into a single line (but they no longer have pipes between them, just spaces). Strange. ... View more