In regards to gcoles findings about the first approach not working with Splunk 4.3:
LINE_BREAKER = (?!)
This approach still works in Splunk 4.3 with a minor modification. The expression needs to be surrounded by an additional pair of parantheses:
LINE_BREAKER = ((?!))
I think this is because Splunk 4.3 requires the regular expression to have at least one capture expression, and earlier Splunk versions did not enforce this. The "(?!)" is merely a lookahead expression, the additional pair of parentheses does add a capture expression.
... View more