Deploiement_Server/deployment-apps/SA-ldapsearch/default/props.conf

[source::.../var/log/splunk/SA-ldapsearch.log]
sourcetype = SA-ldapsearch

[SA-ldapsearch]
EXTRACT-vars = Level=.+, (?<log_source>Pid=.+, File=.+, Line=.+), (?<message>.*)