mitch-1's solution of time_before_close=120 lessened the problem for us but didn't solve it.
We have multiline events with timestamps on each line and every 3 seconds (the default time_before_close) the universal forwarder would cut off the most recent event and send the data to the indexer, splitting a single event into 2 events (or even 3 sometimes if there was a pause > 3s). We tried both LINE_BREAKER as well as BREAK_ONLY_BEFORE to no avail.
time_before_close=120 helped a little as it made it so that incorrectly-split events happened every 120 seconds instead of every 3 seconds.
After working with Splunk support for about a month they confirmed that this is just how the universal forwarder works. The workarounds available were either 1) buffer the logs in memory until an "event" was complete and write the entire event to disk at once, or 2) use a heavy forwarder (apparently it has extra capabilities which can be configured to solve this problem). We ended up going with option 1 (buffering) and it solved the problem completely.
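The buffering workaround the post describes (option 1) can be done on the application side, independent of any forwarder settings. The following is an added illustration, not code from the post, from Splunk, or from the poster's system. It assumes that every event begins with a line carrying an ISO-style timestamp (the `EVENT_START` regex is that assumption), accumulates lines in memory until the next event starts, and then appends the whole event to the log file in a single `write()` followed by `flush()` and `fsync()`, so a process tailing the file never sees a half-written event. The sample log lines are constructed.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional

# Assumption (not from the original post): an event begins with a line that
# starts with a timestamp such as "2024-05-01 12:00:00,123".
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")


class BufferedEventWriter:
    """Hold the lines of one multiline event in memory and append the complete
    event to the log file in one write, instead of one write per line."""

    def __init__(self, path: str) -> None:
        self._path = path
        self._pending: List[str] = []
        self.events_written = 0

    def add_line(self, line: str) -> Optional[str]:
        """Feed one raw log line. If this line starts a new event, the previous
        event is flushed to disk and returned; otherwise None is returned."""
        flushed = None
        if EVENT_START.match(line) and self._pending:
            flushed = self._flush()
        self._pending.append(line)
        return flushed

    def close(self) -> Optional[str]:
        """Flush whatever is still buffered (the last event has no successor
        to terminate it, so the caller must close explicitly)."""
        return self._flush() if self._pending else None

    def _flush(self) -> str:
        # Normalise line endings so the event is a fixed block of full lines.
        event = "".join(l if l.endswith("\n") else l + "\n" for l in self._pending)
        self._pending = []
        with open(self._path, "a", encoding="utf-8") as fh:
            fh.write(event)   # single write for the whole event
            fh.flush()
            os.fsync(fh.fileno())
        self.events_written += 1
        return event


def read_events(path: str) -> List[str]:
    """Re-split a log file into events using the same start-of-event rule,
    so we can check that what reached disk equals what was buffered."""
    events: List[str] = []
    current: List[str] = []
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            if EVENT_START.match(line) and current:
                events.append("".join(current))
                current = []
            current.append(line)
    if current:
        events.append("".join(current))
    return events


# Constructed sample: one four-line error event followed by a one-line event.
SAMPLE_LINES = [
    "2024-05-01 12:00:00,123 ERROR Payment failed\n",
    "Traceback (most recent call last):\n",
    '  File "pay.py", line 10, in charge\n',
    "ValueError: card declined\n",
    "2024-05-01 12:00:05,456 INFO Retry scheduled\n",
]


def run_demo() -> Dict[str, List[str]]:
    """Write the sample through the buffered writer into a temp file and
    return both the events as written and the events as read back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.log")
        writer = BufferedEventWriter(path)
        written: List[str] = []
        for line in SAMPLE_LINES:
            flushed = writer.add_line(line)
            if flushed is not None:
                written.append(flushed)
        last = writer.close()
        if last is not None:
            written.append(last)
        return {"written": written, "read_back": read_events(path)}


if __name__ == "__main__":
    result = run_demo()
    for i, ev in enumerate(result["written"], 1):
        print(f"--- event {i} ({ev.count(chr(10))} lines) ---")
        print(ev, end="")
```

Two caveats follow from the design: the final event is only written when the next event begins or `close()` is called, so a long-running writer needs an idle-timeout flush for the last event; and single-write atomicity only holds for events smaller than what the OS commits in one `write()`, which is ample for typical stack traces but worth checking for very large events.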