Thanks for the quick response. Please see more information below.
The raw log in the access manager is mentioned below. Every event / log in the access manager starts with and ends with
The event log in access manager for the search performed in Splunk
<event rev="1.2">
<date>2013-12-11-21:16:04.828-09:00I-----</date>
<outcome status="0">0</outcome>
<component rev="1.2">http</component>
<event_id>xxx</event_id>
<action>xxx</action>
<location>accessmanagerserver</location>
</originator>
<accessor name="">
<user_location>xxxxx</user_location>
<user_location_type>xxxx</user_location_type>
</accessor>
<target resource="5">
<object>/splunk/en-US/api/search/jobs/1386828913.220/summary?min_freq=0.5&earliest_time=1233478800&latest_time=1235898000&output_time_format=%Y-%m-%dT%H:%M:%S.%Q%z&_=1386828964438</object>
<object_nameinapp>/splunk/en-US/api/search/jobs/1386828913.220/summary?min_freq=0.5&earliest_time=1233478800&latest_time=1235898000&output_time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z&_=1386828964438</object_nameinapp>
</target>
<resource_access>
<action>httpRequest</action>
search/jobs/1386828913.220/summary?min_freq=0.5&earliest_time=1233478800&latest_time=1235898000&output_time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z&_=1386828964438
<method>xxxxx</method>
<response>xxxx</response></resource_access>
<data>
GET ?min_freq=0.5&earliest_time=1233478800&latest_time=1235898000&output_time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z&_=1386828964438
search/flashtimeline?auto_pause=true&q=search%20host%3D%22webseal2%22
</data>
</event>
Please see the event parsed and indexed by Splunk. I am not sure why only part of the event is parsed here. This behavior is only observed for the searches performed in Splunk and logged in access manager logs and indexed by Splunk. The access logs for other applications in access manager are indexed by Splunk as well, and that works well in the above format (i.e. the complete event, starting and ending with the event tag). Why is Splunk parsing / filtering only some part of the complete event?
GET min_freq=0.5&earliest_time=1233478800&latest_time=1235898000&output_time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z&_=1386828964438
search/flashtimeline?auto_pause=true&q=search%20host%3D%22webseal2%22
The prop file has the following properties:
BREAK_ONLY_BEFORE = <event rev="1.2">
BREAK_ONLY_BEFORE_DATE = True
MAX_EVENTS = 256
MUST_BREAK_AFTER = </event>