I'm new to Splunk and having some issues with getting logs to create events correctly. I've installed the universal forwarder, and set it to a directory of plain text logs for a specific application. The logs are created 1 per day, and each line should be an event. I configured the universal forwarder to get local data from the logs directory (in which there are multiple subdirectories with log files in them).
When it reaches the receiver, Splunk creates events based on the log files and not the line items in the logs. I was able to connect the Splunk server to the computer and import the files, and can see in the data preview.
However, I haven't figured out how to set this up on a receiver. I don't want the client computer to do the processing, and would rather have the Splunk server split the events up correctly at time of indexing.
Is there an app I need to install to configure a receiver? Should I have multiple receivers for different source types? Or do I modify the config file to look for the source and run an event filter based on the source?
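One way to have the indexer, rather than the forwarder, break each line into its own event (an added configuration example, not part of the original post; the sourcetype name `myapp_log`, the path `/opt/myapp/logs` and the timestamp layout in the comment are assumptions for illustration):

```ini
# inputs.conf on the universal forwarder: monitor the log directory and its
# subdirectories, and tag everything with a sourcetype the indexer can match on.
[monitor:///opt/myapp/logs]
recursive = true
sourcetype = myapp_log

# props.conf on the indexer (for example $SPLUNK_HOME/etc/system/local/props.conf):
# a universal forwarder sends unparsed data, so line breaking and timestamp
# extraction for this sourcetype are applied here, at index time.
[myapp_log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# assumed line layout: "2024-01-31 12:00:00 INFO message ..."
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
```

The two stanzas belong in different files on different hosts: the `[monitor://...]` stanza in the forwarder's inputs.conf, the `[myapp_log]` stanza in the indexer's props.conf. props.conf stanzas can also be keyed by path with a `[source::...]` header instead of a sourcetype, but a sourcetype set on the forwarder keeps the matching independent of directory layout. Changes to props.conf take effect after restarting the indexer, and `splunk btool props list myapp_log --debug` shows which file each setting was taken from.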