@clesto - Did your answer provide a working solution to your question? If yes and you would like to close out your post, don't forget to click "Accept". But if you'd like to keep it open for possibilities of other answers/comments, you don't have to take action on it yet.

What you have said is all sound logic about your reg exp. It should stop at the end of the line when you do .*, but there may be some other reason it is continuing on, like perhaps there is a return but not a newline (\r but not \n). DOS/Win uses \r\n for end of line and most everyone else uses \n for end of line. If you just have \r, then it may not be ending the line, though I have not personally seen this happen. Check your original data that is going in. If you are using Linux, you can use the od utility to check. For example:

od -c file.log

which will spit out the characters found. If there is a return without a newline it will look something like:

$ od -c file.log
0000000    O   u   t   c   o   m   e   :       s   u   c   c   e   s   s
0000020   \r   m   o   r   e       d   a   t   a  \n  \n
0000034

If your data looks something like the above example, that might be the cause. Since there is not a good way to clean data and post it here, you may be on your own doing the deep investigating of the data. But, from what you describe in your question, I'm surprised you are getting the results you are, but then again, looking at your original data will be the place to start.

Strange, I'm not seeing any \r in the logs anywhere. At the end of where each line would be is a \n. Also I don't notice anything specifically different between the logged data when it regularly occurs to when the script causes the logging to happen.

When I open the log in standard windows notepad it's just constant run on lines. When I open the log in Notepad++ it looks correct and if I turn on all characters it just shows a single LF at the end of each line. Using od I only see the \n at the end of the line. Although if I'm reading the log correctly, it almost looks like the way splunk is indexing each event is a little...off.

In the log, each entry or logged event is formatted similar to this:
\n
Event: xxx\n
TargetObject: xxx\n
SecondaryObject: xxx\n
Outcome: xxx\n
When: xxx\n
Measure: xxx\n
Actor: xxx\n
Impersonator: xxx\n
ClientAddress: xxx\n
Session: xxx\n
AuthServer: xxx\n
AppServer: xxx\n
ProxyServer: xxx\n
AgentAddress: xxx\n
Interface: xxx\n
MoreInfo: xxx\n
\n

Not every Entry has all of those fields.

On the Splunk server they look like this:
When:
Measure:
Actor:
Impersonator:
ClientAddress:
Session:
AuthServer:
AppServer:
ProxyServer:
AgentAddress:
Interface:
MoreInfo:
Event:
TargetObject:
SecondaryTarget:
Outcome:

So it seems splunk isn't exactly parsing the data correctly.

That makes a whole lot of sense. These logs are generated by an LDAP server running on Windows 2008 R2. I also noticed that this only seems to happen when a certain script is run to grab the passwords of some of the accounts within the LDAP server. For the heck of it I clicked on one of the run on results in Splunk and told it to search on that. Sure enough there was some form of hard return/carriage return it automatically plugged into the search field. If I did a search without the carriage return and just a space, it wouldn't find the entries, but if I put the carriage return back in, it would find the entries.

I have access to some linux systems. Might wind up copying the log to one and check it out.

Strange I didn't notice that when I posted. Some of the code must have gotten stripped. Here's the regex
Outcome:\s(?P.*)
Hopefully it woks this time.
Also possible outcomes are:
denial: excessive failures
denial
denial: invalid credentials
failure: DCE error: fetch_acl Key not found in database (dce / lib)
and possibly others

Still got stripped. Adding some spaces to see if that helps. I tried clicking the code button and adding it there, but it didn't help.

Spaces added between the ?P and < snare_outcome > and .*

Outcome:\s(?P < snare_outcome > .*)