Thank you for the tips. I got rid of the ^ in LINE_BREAKER and TIME_PREFIX and set SHOULD_LINEMERGE=false. That almost worked, and I will say it cleaned up how the double events were displaying, but I was still getting two events with one that had Date and Path, and one that had everything after Certificate up until the next occurrence of Date. Looking at the Splunk docs for props.conf in a little more detail, I ended up setting SHOULD_LINEMERGE=true. This ended up working. Splunk docs say "When you set this to 'true', Splunk software combines several lines of data into a single multi-line event." Since I was having issues with the intended singular event being split into two and it is a multi-line event, I went with this setting. I restarted Splunk, re-ran my bash script, and re-ran my search and now the events are being broken up properly at each occurrence of "Date:" within the log.

My final props.conf for reference. Thank you!

DATETIME_CONFIG =
LINE_BREAKER = ([\n\r]+)Date:\s\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{3}
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
category = Custom
description = Format custom logfile with decoded PEM certificate information for Splunk servers.
pulldown_type = 1
disabled = false
MAX_TIMESTAMP_LOOKAHEAD = 23
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TIME_PREFIX = Date:\s
TZ = GMT
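Added example (not part of the original post and not Splunk code): an offline check of the LINE_BREAKER, TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD values from the props.conf above against a sample log before restarting Splunk. Assumptions: Python's re module stands in for Splunk's PCRE engine, only the LINE_BREAKER and timestamp stages are emulated (not SHOULD_LINEMERGE), and the sample log and its field layout are constructed.

```python
import re
from datetime import datetime, timezone

# Values copied from the props.conf in the post above.
LINE_BREAKER = r"([\n\r]+)Date:\s\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{3}"
TIME_PREFIX = r"Date:\s"
MAX_TIMESTAMP_LOOKAHEAD = 23
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # Python stand-in for Splunk's %3N

# Constructed sample; everything except the Date/Path/Certificate labels
# is an assumption about the custom log's layout.
SAMPLE_LOG = (
    "Date: 2024-01-15 10:00:00.123\n"
    "Path: /opt/example/certs/server.pem\n"
    "Certificate:\n"
    "    Subject: CN=splunk-a.example.test\n"
    "    Not After : Jan 15 10:00:00 2025 GMT\n"
    "Date: 2024-01-15 10:00:01.456\n"
    "Path: /opt/example/certs/ca.pem\n"
    "Certificate:\n"
    "    Subject: CN=example-ca.example.test\n"
)

def break_events(raw, line_breaker=LINE_BREAKER):
    """Split raw text where capture group 1 matches; that group is discarded."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])  # previous event ends before the newline(s)
        start = m.end(1)                      # next event starts at "Date:"
    events.append(raw[start:])
    return [e for e in events if e.strip()]

def event_time(event):
    """Find TIME_PREFIX, then parse at most MAX_TIMESTAMP_LOOKAHEAD characters."""
    m = re.search(TIME_PREFIX, event)
    if m is None:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    try:
        return datetime.strptime(window, TIME_FORMAT).replace(tzinfo=timezone.utc)  # TZ = GMT
    except ValueError:
        return None  # timestamp did not fit the format or the lookahead window

def check(raw):
    """Return (timestamp, line_count) for every event the breaker yields."""
    return [(event_time(e), len(e.splitlines())) for e in break_events(raw)]
```

An event whose timestamp comes back as None, or a line count that does not cover Date through the end of the Certificate block, points at the breaker or timestamp settings rather than at the search.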