Thanks, I now have the data, but I'm curious, can you provide what your inputs.conf and props.conf entries for this file and sourcetype look like? Without some changes, Splunk splits this data into multiple events etc, so I'm curious if you've already done some work to teach splunk how to interpret these events like setting LINE_BREAKER, or specifying regexes to teach splunk to break events.
BTW, your rex extraction works fine for me, so I'm still trying to dig in and reproduce your issue.
... View more