Sorry for getting in late
20140805140704.650149+120,21240,350,21240,60,0,48,12,313651,7277,69124096,41893 888,dtexec.exe /SQL "\APPLICATION_NAME" /SERVER "SERV ER_NAME"

The above is one of the sample _raw data(single event). Check the highlighted one(SERV ER_NAME). Can't really post original set of records, but there is no pattern when the newline character is coming..

Props.conf
DATETIME_CONFIG=CURRENT
MAX_TIMESTAMP_LOOKAHEAD=150
BREAK_ONLY_BEFORE=\d{14}\.\d{6}
NO_BINARY_CHECK=1
REPORT-dwh = package_Usage

Are you running into any limits such as MAX_EVENTS or TRUNCATE?

Without actual sample data and the props.conf settings used to index it I'm just guessing here.

that i was thinking, but there are so much data indexed, if no other option i have to go for SEDCMD. and the newline actually is not coming from the script outout which i can confirm.

I'd focus on getting rid of the newline character, wherever it's from. Did you try using SEDCMD-foo to remove it during indexing?

i have to use replace in the search but for filtering it will not work for a larger data set which i can filter out at the source level only if i can remove that newline as a extracted field.

I am using a script to geneate the data which i am extracting at search time.

What splunk is doing in _raw it inserts "\n" character at the end of the line if it is little large.

e.g. my data looks like this

123,123,123,0,12,93,cmd "program_name parameter1 parameter2",234324

whats am doing is:

i extract each field and program as
"program_name parameter1 parameter2"

many times i get values
"program_name parameter1 para meter2"
"program_name parameter1 paramete r2"
"program_name param eter1 parameter2" like these

Could you post some sample data?

I'd also be interested in where that newline is coming from - Splunk doesn't just add characters to the data.