I would do the same solution as hexx suggested in general.
(I could not add the comment, so I'm using another answer field.)
Additional Info:
Splunk processes a stream of data as follows:
1. Break the stream into single lines.
   LINE_BREAKER will be used here.
   (At this point, Splunk does not know whether an event is a single line or not.)
2. Check whether multiple lines need to be merged into one event.
   SHOULD_LINEMERGE, BREAK_ONLY_BEFORE, etc. work here.
   (At this point, Splunk recognizes each event as either multi-line or single-line.)
I think it's possible that the issue was at the line merge time in your case.
Also, the "lookahead (?=)" regex would be more appropriate than "No backreference (?:)" in this case.
So, there is an alternative solution:
LINE_BREAKER = ([\r\n]+)(?=y\s+z)
SHOULD_LINEMERGE = false
LEARN_MODEL = false
I did a quick test with this, and it worked for me.
If this does not work, there is possibly a props.conf configuration for this event generated in the learned app.
In that case, delete that part in $SPLUNK_HOME/etc/apps/learned/local/props.conf.
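
A rough model of the line-breaking step described in this answer, as an added example that is not part of the original answer and is not Splunk code: it applies a LINE_BREAKER the way props.conf documents it (the first capture group marks the break and is discarded) to a constructed stream whose events start with "y z". The function name `break_events` and the sample data are assumptions.

```python
import re

# LINE_BREAKER from the answer above, and Splunk's default for comparison.
ANSWER_BREAKER = r"([\r\n]+)(?=y\s+z)"
DEFAULT_BREAKER = r"([\r\n]+)"

# Constructed sample: three events, the first one spanning three lines.
SAMPLE = (
    "y z 2024-01-01 login failed user=alice\r\n"
    "  detail: bad password\r\n"
    "  src=10.0.0.5\r\n"
    "y z 2024-01-01 login ok user=bob\n"
    "y  z 2024-01-01 logout user=bob\n"
)

def break_events(stream, line_breaker):
    """Approximate LINE_BREAKER with SHOULD_LINEMERGE = false.

    An event ends where capture group 1 starts, the next event begins
    where group 1 ends, and the text matched by group 1 is discarded.
    With line merging off, these chunks are the final events.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capturing group")
    events, start = [], 0
    for m in pattern.finditer(stream):
        if m.start(1) == -1:  # group 1 did not take part in this match
            continue
        events.append(stream[start:m.start(1)])
        start = m.end(1)
    events.append(stream[start:])
    # Drop chunks that contain only whitespace (e.g. after a final newline).
    return [e for e in events if e.strip()]

if __name__ == "__main__":
    for name, rx in (("answer", ANSWER_BREAKER), ("default", DEFAULT_BREAKER)):
        events = break_events(SAMPLE, rx)
        print(f"{name}: {len(events)} events")
        for e in events:
            print("   ", repr(e))
```

The lookahead is zero-width, so "y z" stays at the start of the next event and only the newline run in group 1 is dropped; with the default breaker the continuation lines become separate events.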