Fix for the Splunk TA for Bro to index gzipped data and have the sourcetype match the sourcetype of the current logs. Disable the input once historical data onboarding is completed. Required on UF, HF, IDX and SH.

inputs.conf
[monitor:///usr/local/bro/logs/*/*.log.gz]
sourcetype = brogz
index = bro

props.conf
[brogz]
SHOULD_LINEMERGE = false
TRUNCATE = 0
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %s.%6N
TRANSFORMS-BroAutoTypegz = BroAutoTypegz, TrashComments
INDEXED_EXTRACTIONS = TSV
FIELD_HEADER_REGEX = ^#fields\t(.*)
FIELD_DELIMITER = \t
FIELD_QUOTE = \t

transforms.conf
[BroAutoTypegz]
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Source
(?:\/opt\/bro\/logs\/\d{4}-\d{2}-\d{2}\/)([^.]+)(?:\.\d{2}\:\d{2}\:\d{2}\-\d{2}\:\d{2}\:\d{2}.log.gz)
\/([^.]+)
REGEX = ([^.]+)(?:\.\d{2}\:\d{2}\:\d{2}\-\d{2}\:\d{2}\:\d{2}.log.gz)
FORMAT = sourcetype::bro_$1
WRITE_META = true