
How can I get Session data splitting into Events for Splunk App for XenApp (Legacy)?

ToreEnger
Explorer

I'm having problems getting Splunk to correctly split the session data collected with GetXASessions5.ps1 from Citrix. The complete list of sessions is one event, as shown below.

Citrix environment I'm dealing with is Win2203SP2/Presentation Server 4.5/ PowerShell2.0

I have installed "Splunk App for Citrix XenApp (Legacy)" since the newest app seems to only support XenApp6.x...
I have copied the TA-XA5-Server into the deployment-Apps folder
I have installed a UF (6.2.1) onto the Citrix server and defined it in my deployment server
I have loaded the SDK (http://www.citrix.com/static/cdn/archivedsdks/mfcom/5.0/mpssdk.msi ) onto the Citrix server and I'm able to run the powershell scripts causing my questions locally on the Citrix server from Powershell.

The problem seems to be that the powershell script: GetXASession5.ps1 returns a list of sessions, but Splunk doesn't split each of the sessions in the list into separate events.
Here is an example of the list returned and reported as one event in Splunk for index=xenapp sourcetype="xenapp:50:session":

01.28.2015 14:33:49 GMT - SessionId="0" SessionName="Console" ServerName="MyServer" AccountName="" BrowserName="" State="Active" ClientName="" LogOnTime="28.01.2015 15:33:49" Protocol="Ica" VirtualIP="0.0.0.0" EncryptionLevel="" ServerBuffers="" ClientIPV4="" ClientBuffers="" ClientBuildNumber="0" ColorDepth="2" ClientDirectory="" ClientProductId="0" HorizontalResolution="640" VerticalResolution="480" ConnectionTime="31.12.1600 23:00:00" DisconnectTime="31.12.1600 23:00:00" LastInputTime="28.01.2015 13:33:49" CurrentTime="28.01.2015 13:33:49" ClientCacheLow="0" ClientCacheTiny="0" ClientCacheXms="0" ClientCacheDisk="0" ClientCacheSize="0" ClientCacheMinBitmapSize="0" UserName="" FarmName="MyCitrixFarm" SessionUID="28.01.2015 15:33:49:0:MyServer" ScriptRunTime="130669292292273332"
01.28.2015 14:33:49 GMT - SessionId="65536" SessionName="ICA-tcp" ServerName="MyServer" AccountName="" BrowserName="" State="Listening" ClientName="" LogOnTime="28.01.2015 15:33:49" Protocol="Ica" VirtualIP="0.0.0.0" EncryptionLevel="" ServerBuffers="" ClientIPV4="" ClientBuffers="" ClientBuildNumber="0" ColorDepth="0" ClientDirectory="" ClientProductId="0" HorizontalResolution="0" VerticalResolution="0" ConnectionTime="31.12.1600 23:00:00" DisconnectTime="31.12.1600 23:00:00" LastInputTime="31.12.1600 23:00:00" CurrentTime="28.01.2015 13:33:49" ClientCacheLow="0" ClientCacheTiny="0" ClientCacheXms="0" ClientCacheDisk="0" ClientCacheSize="0" ClientCacheMinBitmapSize="0" UserName="" FarmName="MyCitrixFarm" SessionUID="28.01.2015 15:33:49:65536:MyServer" ScriptRunTime="130669292292273332"
01.28.2015 14:33:49 GMT - SessionId="65537" SessionName="RDP-Tcp" ServerName="MyServer" AccountName="" BrowserName="" State="Listening" ClientName="" LogOnTime="28.01.2015 15:33:49" Protocol="Rdp" VirtualIP="0.0.0.0" EncryptionLevel="" ServerBuffers="" ClientIPV4="" ClientBuffers="" ClientBuildNumber="0" ColorDepth="0" ClientDirectory="" ClientProductId="0" HorizontalResolution="0" VerticalResolution="0" ConnectionTime="31.12.1600 23:00:00" DisconnectTime="31.12.1600 23:00:00" LastInputTime="31.12.1600 23:00:00" CurrentTime="28.01.2015 13:33:49" ClientCacheLow="0" ClientCacheTiny="0" ClientCacheXms="0" ClientCacheDisk="0" ClientCacheSize="0" ClientCacheMinBitmapSize="0" UserName="" FarmName="MyCitrixFarm" SessionUID="28.01.2015 15:33:49:65537:MyServer" ScriptRunTime="130669292292273332"
01.28.2015 14:33:49 GMT - SessionId="1" SessionName="RDP-Tcp#1" ServerName="MyServer" AccountName="MyUserName" BrowserName="" State="Active" ClientName="MyClient" LogOnTime="28.01.2015 15:33:49" Protocol="Rdp" VirtualIP="0.0.0.0" EncryptionLevel="" ServerBuffers="5 x 1460" ClientIPV4="x.x.x.248" ClientBuffers="5 x 1460" ClientBuildNumber="9600" ColorDepth="4" ClientDirectory="C:\Windows\system32\mstscax.dll" ClientProductId="3" HorizontalResolution="1676" VerticalResolution="1118" ConnectionTime="28.01.2015 10:24:48" DisconnectTime="31.12.1600 23:00:00" LastInputTime="28.01.2015 13:13:51" CurrentTime="28.01.2015 13:33:49" ClientCacheLow="0" ClientCacheTiny="0" ClientCacheXms="0" ClientCacheDisk="0" ClientCacheSize="0" ClientCacheMinBitmapSize="0" UserName="MyUserName" FarmName="MyCitrixFarm" SessionUID="28.01.2015 15:33:49:1:MyServer" ScriptRunTime="130669292292273332"

Each session event I expect to be reported ends with: ScriptRunTime="<18 digit number>"
Each session event I expect to be reported starts with:

I have tried to create and adjust information in the $SPLUNK_HOME\etc\apps\SplunkAppForXenApp\local\props.conf file in different ways, but nothing changes the behavior.
I'm using a deployment server, and after making the change in props.conf I run "Splunk reload deploy-server" and then force a change to the ServerClass, and I can see that the agent is installing the changes.

Here are the things I have tried in props.conf. Only one at a time(!), in addition to both "SHOULD_LINEMERGE = false|true", causing no difference.

[xenapp:50:session]
LINE_BREAKER = \d{2}.\d{2}.\d{4}\s\d{2}:\d{2}:\d{2}.*([\r\n]+)

[xenapp:50:session]
MUST_BREAK_AFTER = \d{2}.\d{2}.\d{4}\s\d{2}:\d{2}:\d{2}.*([\r\n]+)

[xenapp:50:session]
MUST_BREAK_AFTER = ScriptRunTime="\d{18}"

NB: The display of this page seems to remove the backslash in front of every d, s, r and n in my regex. A double backslash didn't work either... The same happens in the path I put in as well... Sorry....

If I copy the event reported in search (the one pasted above) into a file and import this into Splunk directly, it breaks the events as expected! For the example above it splits into four events, but when running the PowerShell script it is reported as one event.

Does anyone have any suggestions for what to do as the next step to get the events split correctly?

-Tore

0 Karma
1 Solution

ToreEnger
Explorer

Solution that I found working:

Only add the line "SHOULD_LINEMERGE = false" to the props.conf file.

Case Closed


0 Karma
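
A simplified emulation of how LINE_BREAKER alone delimits events once SHOULD_LINEMERGE = false, useful for checking a candidate pattern against sample script output before deploying it. This is an added example, not part of the original post or of Splunk's code; the function names are hypothetical, the sample is constructed from shortened versions of the session lines in the question, and Python's `re` stands in for Splunk's regex engine.

```python
import re

# Constructed sample: the four session lines from the question, shortened to a
# few fields and joined with newlines into one block.
SAMPLE = "\n".join(
    '01.28.2015 14:33:49 GMT - SessionId="%s" SessionName="%s" State="%s" '
    'ScriptRunTime="130669292292273332"' % row
    for row in [("0", "Console", "Active"), ("65536", "ICA-tcp", "Listening"),
                ("65537", "RDP-Tcp", "Listening"), ("1", "RDP-Tcp#1", "Active")]
)

DEFAULT_LINE_BREAKER = r"([\r\n]+)"  # Splunk's default LINE_BREAKER
ATTEMPTED_LINE_BREAKER = r"\d{2}.\d{2}.\d{4}\s\d{2}:\d{2}:\d{2}.*([\r\n]+)"
EVENT_END = re.compile(r'ScriptRunTime="\d{18}"$')  # expected end of each event


def break_events(raw, line_breaker):
    """Split raw text the way LINE_BREAKER does when no line merging follows:
    the text matched by the first capture group is discarded, the previous
    event ends before it and the next event starts after it."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capture group marking the break")
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    if start < len(raw):  # trailing text with no line break after it
        events.append(raw[start:])
    return [e for e in events if e]


def malformed(events):
    """Events that do not end with ScriptRunTime="<18 digits>"."""
    return [e for e in events if not EVENT_END.search(e)]


def session_ids(events):
    """SessionId of each event, to confirm one session per event."""
    return [re.search(r'SessionId="(\d+)"', e).group(1) for e in events]


if __name__ == "__main__":
    for name, lb in [("default", DEFAULT_LINE_BREAKER),
                     ("attempted", ATTEMPTED_LINE_BREAKER)]:
        ev = break_events(SAMPLE, lb)
        print(name, len(ev), "events, malformed:", len(malformed(ev)))
```

With SHOULD_LINEMERGE = true, Splunk runs a separate merge stage over these lines afterwards, so a correct LINE_BREAKER does not by itself guarantee one event per session.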
