It would help to know your current props.conf settings, but try these:
[mysourcetype]
# SEDCMD needs a class suffix (SEDCMD-<class>); this strips "accountId:...|==|" from each event
SEDCMD-strip_accountid = s/accountId:[\s\S]+\|==\|//
# break events on the newline(s) before "CEF:"; only capture group 1 is consumed
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)CEF:
# timestamp is epoch milliseconds following "end="
TIME_PREFIX = end=
TIME_FORMAT = %s%3N
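To make visible what those three settings do, here is an added Python simulation of the same LINE_BREAKER, SEDCMD and TIME_PREFIX/TIME_FORMAT behaviour applied to constructed CEF events. It is not from the post above and not Splunk's own pipeline (Splunk uses PCRE; these particular patterns behave the same under Python's re). The sample events, the lazy `[\s\S]+?` variant and the function names are assumptions made for the illustration. The third event shows the caveat a practitioner should check: with a greedy `[\s\S]+`, an event containing `|==|` twice loses everything up to the last marker.

```python
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample input (not real data): three CEF events separated by
# CRLF/LF, each carrying an "accountId:...|==|" fragment and an "end=" field
# holding epoch milliseconds, which is the layout the props.conf above assumes.
RAW = (
    "CEF:0|Vendor|Product|1.0|100|Login|3|accountId:abc123|==|src=10.0.0.1 end=1700000000123\r\n"
    "CEF:0|Vendor|Product|1.0|101|Logout|3|accountId:xyz789|==|src=10.0.0.2 end=1700000001456\n"
    "CEF:0|Vendor|Product|1.0|102|Note|3|accountId:q1|==|msg=a|==|b end=1700000002000\n"
)

# The same patterns as in the stanza.
LINE_BREAKER = re.compile(r"([\r\n]+)CEF:")
SEDCMD_GREEDY = re.compile(r"accountId:[\s\S]+\|==\|")
# Assumed alternative, not from the post: stop at the first |==| instead of the last.
SEDCMD_LAZY = re.compile(r"accountId:[\s\S]+?\|==\|")
TIME_PREFIX = re.compile(r"end=")
# %s%3N: epoch seconds immediately followed by three digits of milliseconds.
TIME_FORMAT = re.compile(r"(\d+)(\d{3})(?!\d)")


def break_events(raw: str) -> List[str]:
    """Split on LINE_BREAKER: only capture group 1 (the newlines) is consumed,
    so 'CEF:' stays at the head of the following event."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip()]


def apply_sedcmd(event: str, lazy: bool = False) -> str:
    """s/pattern// without the g flag replaces the first match only.
    SEDCMD runs per event, after line breaking, so the greedy match
    cannot cross into the next event."""
    pattern = SEDCMD_LAZY if lazy else SEDCMD_GREEDY
    return pattern.sub("", event, count=1)


def parse_time(event: str) -> Optional[datetime]:
    """Locate TIME_PREFIX, then read epoch milliseconds per TIME_FORMAT."""
    p = TIME_PREFIX.search(event)
    if not p:
        return None
    t = TIME_FORMAT.match(event, p.end())
    if not t:
        return None
    secs, millis = int(t.group(1)), int(t.group(2))
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=millis * 1000)


def process(raw: str, lazy: bool = False) -> List[Tuple[str, str]]:
    """Return (cleaned event, ISO-8601 timestamp) for every event in raw."""
    out = []
    for ev in break_events(raw):
        cleaned = apply_sedcmd(ev, lazy)
        ts = parse_time(cleaned)
        out.append((cleaned, ts.isoformat() if ts else ""))
    return out


if __name__ == "__main__":
    for cleaned, ts in process(RAW):
        print(ts, cleaned)
    # Third event: greedy [\s\S]+ runs to the LAST |==|; the lazy form stops at the first.
    print(process(RAW, lazy=True)[2][0])
```

Run it before touching production props.conf: if any of your events carry `|==|` more than once, the greedy pattern deletes more than the account ID, and the lazy variant (or a tighter character class than `[\s\S]`) is the safer choice.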
Thank you sir! I need to sit down and review all these solutions, but I will let you know how it goes. Thanks for making the Splunk community great!
I had the same problem.
I replied to the email from the Splunk certification team (the one with "Splunk: It Pays to be Certified") and explained the problem. They fixed it within a few hours.