This is probably this:
http://answers.splunk.com/questions/603/juniper-netscreen-tcp-syslog-messages-not-breaking-properly
I would define a new sourcetype (don't use syslog) and set a line breaker. The one in the above question is fine, but I would probably just change it to:
LINE_BREAKER = (\x00+)
SHOULD_LINEMERGE = false
The other problem you will have is that you do not have the timestamp and hostname extracted. You probably should also set:
TIME_PREFIX = start_time=\"
TIME_FORMAT = %Y-%m-%d %H:%M:%S
It will probably work just fine without setting that, but it will be better if you do. You will probably also have to create a transform to get the host name and set it in Splunk (especially if you are going to have more than one device send to Splunk).
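Added example, not part of the original answer and not Splunk's own code: a Python emulation of what the LINE_BREAKER, TIME_PREFIX and TIME_FORMAT settings above do to a NUL-terminated TCP stream, useful for checking the patterns against a capture before deploying them. The sample stream, the host name `fw01` and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: three NetScreen-style events sent over TCP, each
# terminated by NUL bytes instead of a newline (all values are made up).
STREAM = (
    b'fw01: NetScreen device_id=fw01 [Root]system-notification-00257(traffic): '
    b'start_time="2010-03-04 10:11:12" duration=3 policy_id=7 action=Permit\x00'
    b'fw01: NetScreen device_id=fw01 [Root]system-notification-00257(traffic): '
    b'start_time="2010-03-04 10:11:15" duration=0 policy_id=9 action=Deny\x00\x00'
    b'fw01: NetScreen device_id=fw01 [Root]system-warning-00515: admin login failed\x00'
)

LINE_BREAKER = re.compile(rb'(\x00+)')      # same pattern as in the answer
TIME_PREFIX = re.compile(r'start_time="')   # the answer's TIME_PREFIX (\" is an escaped quote)
TIME_FORMAT = '%Y-%m-%d %H:%M:%S'
TS_LEN = len('YYYY-MM-DD HH:MM:SS')

def break_events(data):
    """Split at LINE_BREAKER; the text matched by capture group 1 is discarded."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(data):
        events.append(data[start:m.start(1)])
        start = m.end(1)
    if start < len(data):
        events.append(data[start:])          # unterminated tail of the stream
    return [e.decode('ascii', 'replace') for e in events if e]

def event_time(event):
    """Parse the timestamp that follows TIME_PREFIX; None if it is absent."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    try:
        return datetime.strptime(event[m.end():m.end() + TS_LEN], TIME_FORMAT)
    except ValueError:
        return None

def parse(data):
    """Return (timestamp or None, event text) for every event in the stream."""
    return [(event_time(e), e) for e in break_events(data)]

if __name__ == '__main__':
    for ts, ev in parse(STREAM):
        print(ts or 'NO TIMESTAMP', '|', ev[:60])
```

The third constructed event has no `start_time=` field, so no timestamp can be taken from the prefix for it; events like that are worth looking for in a real capture before relying on TIME_PREFIX alone.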