We are currently facing the issue that we are indexing syslog data from beyond trust.

The product splits it's syslog messages if the event is bigger than 1kb.
(see docu: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/message-segmentation.htm )

Example:

1st Message:
Jun 12 15:09:03 beyondtrust.instance 1 2023-06-12T15:09:03+02:00 btrs BG 22595 - [meta sequenceId="891"] 1427:01:02:site=beyondtrust.instance ;when=1686575343;who=Test User (testuser);who_ip=10.0.0.1;event=api_account_changed;old_bearer_token_long_lived=0;old_client_id=b0mm90956f58a2529gfh414681d877e3a694579b;old_client_secret=***NEW***;old_comments=;old_ecm_group=1;old_enabled=1;old_failed_login_attempts=0;old_failed_login_expiration=1680168524;old_id=3;old_ip_addresses=10.0.0.0/8,10.1.0.0/8;old_name=api-testuser;old_permissions:backup=1;new_permissions:backup=0;old_permissions:command=full_access;old_permissions:configuration=1;old_permissions:configuration_vault_account=1;old_permissions:ecm=0;old_permissions:real_time_state=0;old_permissions:reporting:archive=0;old_permissions:reporting:license=0;old_permissions:reporting:presentation=0;old_permissions:reporting:support=0;old_permissions:reportin

2nd Message:
Jun 12 15:09:03 beyondtrust.instance 1 2023-06-12T15:09:03+02:00 btrs BG 22595 - [meta sequenceId="892"] 1427:02:02:g:syslog=0;old_permissions:reporting:vault=0;old_permissions:scim=0;old_permissions:vault_backup=0

The only thing that indicated that an event was segmened are the "Segment Number" and the "Total Segments" fields in the header along with a field that seems to be some kind of "Message ID" - is there a way to index those two events as one by creating a custom source type? Since every event has its own timestamp this seems not possible?

Maybe there's a way to merge those two events at search-time into one since I need the whole payload to be displayed on a dashboard?

Thanks for your help! 🙂