While it is recommended to use machine-readable logging structures, it can be difficult to set up Splunk to read them. Here's how:
In the props.conf on the universal forwarders, use something like:

    [mysourcetype]
    INDEXED_EXTRACTIONS = JSON
    TIMESTAMP_FIELDS = Time
    TZ = UTC
    KV_MODE = none
    AUTO_KV_JSON = false
Basically, I use a subset of this.
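The stanza above only works if the application writing the logs holds up its end: every event must be one complete JSON object on a single line, and every object must carry the field named in `TIMESTAMP_FIELDS` (here `Time`) with a timestamp Splunk can parse as UTC. The following is an added example, not code from the original post or from Splunk: a small producer and a pre-flight checker that flags lines the `INDEXED_EXTRACTIONS = JSON` / `TIMESTAMP_FIELDS = Time` / `TZ = UTC` settings would not handle. The ISO 8601 layout and the sample log lines are assumptions constructed for the demonstration.

```python
"""Produce and validate JSON log lines shaped for the props.conf stanza above.

Added example, not part of the original post. Assumptions: the log producer is
our own application, the timestamp field is named "Time" (to match
TIMESTAMP_FIELDS = Time), and it is written as ISO 8601 in UTC (TZ = UTC).
"""
import json
from datetime import datetime, timezone

# ISO 8601 with microseconds and a literal Z. Splunk's default timestamp
# recognition handles this layout; a different layout would need TIME_FORMAT.
TIME_LAYOUT = "%Y-%m-%dT%H:%M:%S.%fZ"


def make_event(message, **fields):
    """Build one event as a single-line JSON object with a UTC 'Time' field.

    INDEXED_EXTRACTIONS = JSON expects one complete object per event, so the
    output must never contain raw newlines; json.dumps escapes any in values.
    """
    event = {
        "Time": datetime.now(timezone.utc).strftime(TIME_LAYOUT),
        "message": message,
    }
    event.update(fields)
    return json.dumps(event, separators=(",", ":"))


def validate_event(line):
    """Return the list of problems that would break extraction for one line.

    An empty list means the line is compatible with the stanza above.
    """
    try:
        obj = json.loads(line)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(obj, dict):
        return ["top level is not a JSON object"]
    problems = []
    ts = obj.get("Time")
    if ts is None:
        problems.append("missing 'Time' field named in TIMESTAMP_FIELDS")
    else:
        try:
            datetime.strptime(ts, TIME_LAYOUT)
        except (TypeError, ValueError):
            problems.append(f"'Time' is not an ISO 8601 UTC timestamp: {ts!r}")
    return problems


def validate_lines(lines):
    """Map 1-based line numbers to their problems; clean lines are omitted."""
    report = {}
    for number, line in enumerate(lines, 1):
        problems = validate_event(line)
        if problems:
            report[number] = problems
    return report


# Constructed sample lines: one good event and three that would break
# extraction (no Time field, non-ISO Time, not JSON at all).
SAMPLE_LINES = [
    '{"Time":"2024-05-01T12:00:00.000000Z","message":"login ok","user":"alice"}',
    '{"message":"no timestamp here"}',
    '{"Time":"05/01/2024 12:00","message":"wrong time layout"}',
    "not json at all",
]

if __name__ == "__main__":
    print(make_event("login ok", user="bob"))
    for number, problems in validate_lines(SAMPLE_LINES).items():
        print(f"line {number}: {'; '.join(problems)}")
```

Run the checker against a sample of the real log file before deploying the stanza; a line it flags is one that will either land with a wrong `_time` or with no indexed fields at all.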