A good technique for this is to do go to Settings->Data Inputs->Add New (Files & Directories) on your indexer with a sample log file in the temp directory, say. Select Preview Data Before Indexing and then Browse for the file. Once you've got that, click Continue.
In the new screen called Data Preview, you get a pop-up asking for you to select a sourcetype from the list of known ones, or to create a new sourcetype. If you use an existing sourcetype, Splunk will use the props.conf stanza associated with that sourcetype on the indexer (if there is one), and pre-populate the settings in the Advanced Mode tab with them. Once you've done this (selected which option on sourcetype), you can see how Splunk is parsing the logs. Typically, if they are easy to parse then date and time (timestamp) in the logs will be highlighted in green. If not, you'll see a warning icon on the lines it can't figure out.
This is where this is a nice tool. You can go to the Advanced Mode (props.conf) tab and in the Additional Settings (override) block enter in your various props.conf settings you'd like to try, then Apply them. To this point, none of the things you have done affect the configuration of the indexer in any way, and you get to see the effects of the different things you try there.
... View more