Just as a word of warning: multi-line searches can cause some problems in some of Splunk's internal logs. This is mostly due to the props settings for those log files. Normally it shows up as time-stamping errors in the splunkd.log source.
For example, the audittrail, splunkd, and searches (I think) sourcetypes are not set up for multi-line events. In some places the multi-line searches get logged across lines, which causes the time-stamping issue. Other times, the searches get wrapped as a single line, and this isn't a problem. (I tracked this down once, I think, but can't remember what the common factor was as to when this happens.)
In my own config, I've added SHOULD_LINEMERGE = True to these sourcetypes to make this problem go away. (I realize this probably isn't as efficient, but it seemed like the best workaround.)