I suspect the events not breaking correctly do not have white space before the log level.  The regex I provided uses an empty capture group to put the event break before the log level.  If there's risk of a log level keyword being elsewhere in an event then add ":" on the end of the LINE_BREAKER setting to ensure it only matches the log level value at the beginning of the event.

Appreciate your help @richgalloway , tested with the suggested changes, it was not helpful though.

In notepad, it looks clean same as working lines, however not at all able to figure out cause of this behavior.

First para represents non breaking lines

Second para represents breaking lines

I'm at a loss here.  The two paragraphs appear the same to me so I don't know why the behavior is different.

I think i should check raw data in the above snip labelled as together on the server where it's getting generated couz , if you see the merged events they are exactly same. That is the first thing and secondly, if you would notice timestamps of the merged lines in merged events , they are chronological. If I am correct it should be reverse chronological from top to bottom. I therefore, think those merged lines are not separate lines with timestamps rather they are part of the very first line and Probably that is why splunk is putting them all together into one event with timestamps in increasing order. Well if that is so then how could the next unique event above the merged one have smaller timestamp? And that is why I suppose I need to check the order of lines with timestamps in rawdata on server itself.

Furthermore, why are there duplicate merged events. That is another question to be answered. 😁

Please correct me if i am wrong. 

Yes, Splunk displays events in reverse chronological order by default  That you see incrementing rather than decrementing timestamps is a symptom of failed line breaking and not a cause of it.  Once we get Splunk to break events properly, all events will be in the proper time sequence.