So we are using the AWS add-on to retrieve ELB logs from an S3 bucket. The logs are simply one event per line, but Splunk is having trouble indexing them. The events look something like this:
Svl
ES256-SHA TLSv1
--- "-"
18 HTTP/1.1" "WidgetSystem/6.1.3" AES256-SHA TLSv1
I tried to create a sourcetype to just take things as one line, but when I change sourcetype = aws:s3 to whatever I call my sourcetype, all the logs just stop working until I change it back. Is there a way to modify the aws:s3 sourcetype to take items as one event per log line? Or at least to create a new sourcetype I can modify that will keep S3 logs flowing?
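The fragments pasted above (a line starting with "ES256-SHA TLSv1", another with "--- "-"") look like single ELB access-log lines that have been split mid-line, which is what you get when Splunk's default line merging and timestamp guessing are applied to this format. The props.conf stanza below is an added example, not from the original post or from the Splunk Add-on for AWS; it defines a custom sourcetype (the name `aws:elb:accesslogs` is an assumption, pick any name you like) that breaks strictly on newlines and parses the timestamp at the start of each classic ELB access-log line. The field extraction regex assumes the classic ELB access-log layout (timestamp, elb name, client:port, backend:port, three processing times, two status codes, byte counts, quoted request, quoted user agent, SSL cipher, SSL protocol), which matches the `"WidgetSystem/6.1.3" AES256-SHA TLSv1` tail in the sample.

```ini
# Added example: props.conf stanza for a custom ELB access-log sourcetype.
# Sourcetype name "aws:elb:accesslogs" is an assumption; use it in the
# S3 input's sourcetype setting in place of aws:s3.
[aws:elb:accesslogs]
# One event per line: never merge lines, break only on newlines.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# Classic ELB access-log timestamp at the start of the line,
# e.g. 2015-05-13T23:39:43.945958Z (assumed format, UTC with microseconds).
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6NZ
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC

# Long request lines (e.g. full URLs) should not be cut short.
TRUNCATE = 10000

# Search-time field extraction for the classic ELB access-log layout
# (assumption based on the documented classic ELB format).
EXTRACT-elb_access = ^(?<timestamp>\S+)\s+(?<elb>\S+)\s+(?<client_ip>[^:\s]+):(?<client_port>\d+)\s+(?<backend>\S+)\s+(?<request_processing_time>\S+)\s+(?<backend_processing_time>\S+)\s+(?<response_processing_time>\S+)\s+(?<elb_status_code>\S+)\s+(?<backend_status_code>\S+)\s+(?<received_bytes>\d+)\s+(?<sent_bytes>\d+)\s+"(?<request>[^"]*)"\s+"(?<user_agent>[^"]*)"\s+(?<ssl_cipher>\S+)\s+(?<ssl_protocol>\S+)
```

The stanza has to be present on whichever instance does the parsing (the heavy forwarder or indexer that runs the S3 input, not only the search head), and the input's `sourcetype` must match the stanza name exactly; with `SHOULD_LINEMERGE = false` and a fixed `TIME_FORMAT`, a raw log line such as `... "GET https://www.example.com:443/ HTTP/1.1" "WidgetSystem/6.1.3" AES256-SHA TLSv1` should arrive as one event with the cipher and protocol fields extracted, rather than as the split fragments shown in the question.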