If your data source will never have multi-line events, you can set SHOULD_LINEMERGE = false in props.conf under the appropriate sourcetype, source, or host.
For example:
[openNMS]
# Properties for openNMS sourcetype
SHOULD_LINEMERGE = false
If there might be multi-line events in this source of data, you can use a combination of LINE_BREAKER to identify proper line endings or TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD to identify timestamps. Splunk's default behavior is to break before a line containing a timestamp.
These are all in props.conf. http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf
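One way to apply the multi-line settings named above, as an added example that is not part of the original answer: it breaks events only at a newline that is followed by a timestamp, so continuation lines such as a stack trace stay attached to their event. The sourcetype name `my_app_multiline`, the log layout and the sample events are assumptions constructed for illustration.

```ini
# props.conf
#
# Constructed sample input (the second event spans three lines):
#   2024-05-14 10:22:30,877 INFO  Request started id=17
#   2024-05-14 10:22:31,105 ERROR Login check failed for user=alice
#   java.lang.IllegalStateException: session expired
#       at com.example.Auth.check(Auth.java:42)
#   2024-05-14 10:22:32,001 INFO  Request completed id=17

# Hypothetical sourcetype name
[my_app_multiline]

# Do the event breaking in LINE_BREAKER alone instead of merging lines afterwards.
SHOULD_LINEMERGE = false

# The first capture group is the boundary that is discarded between events.
# The lookahead requires a timestamp right after the newline(s), so lines
# without one (the exception and its stack frame above) do not start an event.
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\s)

# The timestamp sits at the very start of each event.
TIME_PREFIX = ^

# Matches "2024-05-14 10:22:31,105" (%3N = milliseconds).
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N

# The timestamp above is 23 characters long; do not scan further, so a date
# that appears later in the message text is never taken as the event time.
MAX_TIMESTAMP_LOOKAHEAD = 23
```

With the constructed input this yields three events, the second of which carries the exception and stack frame. Checking the event count and `_time` on a test index before rolling the stanza out confirms the regex matches the real log layout.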