Splunk_Deploiement/apps/TA-socradar-incidents/default/props.conf

[socradar:incidents]
TRUNCATE = 100000
SHOULD_LINEMERGE = 0
KV_MODE = json
category = Splunk App Add-on Builder
pulldown_type = 1

[source::...ta-socradar-incidents*.log*]
sourcetype = tasocradarincidents:log

[source::...ta_socradar_incidents*.log*]
sourcetype = tasocradarincidents:log

[socradar:status:updates]
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1
KV_MODE = json