I have a host that is sending syslog entries with a couple of different formats. I have resolved how to roll multiline inputs into a single event, however, it has caused a problem with timestamp extraction on some subsequent events with a different format. Here are some example inputs from the same host:

Aug 5 14:09:57 1.2.3.4 Aug 5 14:03:26 hostname CSCOacs_TACACS_Accounting 0000053283 2 0 2011-08-05 14:03:26.411 -08:00 0000160939 3301 NOTICE Tacacs-Accounting: TACACS+ Accounting START, ACSVersion=acs-5.1.0.44-B.2347, ConfigVersionId=3, Device IP Address=4.3.2.1, RequestLatency=1, NetworkDeviceName=HOSTNAME_2911, Type=Accounting, Privilege-Level=1, Service=None, Authen-Method=NotSet, AVPair=task_id=1, AVPair=timezone=PST, AVPair=event=sys_acct, AVPair=reason=reload, AVPair=reload-reason=power-on, AVPair=ios-version=Cisco IOS Software\, C2900 Software (C2900-UNIVERSALK9-M)\, Version 15.0(1)M3\, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems\, Inc.
Compiled Thu 04-Aug-11 16:33 by mtillu, AcctRequest-Flags=Start, Service-Argument=system, AcsSessionID=ldbpcicacs/102307938/506, SelectedAccessService=Store_2911, Step=13006 , Step=15008 , Step=15006 , Step=15012 , Step=13035 , NetworkDeviceGroups=Location:All Locations:Store ISRs,

I have used the following in \etc\system\local\props.conf

[host::1.2.3.4]
LINE_BREAKER = ([\r\n]+(?=\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}|Compiled))
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %h %e %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 2

This works, however, the time is no longer being extracted properly from the last event listed. If I remove the TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD, things seem to work. However, those entries were recommended by Splunk Support and I wonder how necessary they are. Is there a way to help with the extraction given the different formats or should I just leave the time related functions out of props.conf?