Finally got around to trying these solutions. This is working very well for me!   | eval data = split(_raw, "@") | eval timestamp = mvindex(data, 9), ProcessId = mvindex(data, 1), sequence = mvindex(data, 8), message = trim(mvindex(data, 16), " ") | fillnull value="-01" sequence | sort 0 sequence ProcessId timestamp | stats list(message) as message max(sequence) as sequence min(_time) as _time by timestamp ProcessId | eval _raw = "@" . timestamp . "@" . ProcessId . "@ " . max(sequence) . " @ " . mvjoin(message, "")   Either solution (the stats way or the streamstats way) work as long as I use the line "sort 0 sequence ProcessId timestamp". This line I think was the issue before. It wasn't enough to just sort by sequence. @yuanliu to answer your question about unique identification, every spliced message of the same group should have the same timestamp and Process ID.  I tried only giving an "example" format of the data because I'm dealing with 16 fields and I'm not even sure what they all are or how they're correlated. In fact, as you all were helping me I found that there is a value (the sequence # being used now, but not the original I was referencing - it's weird) that does iterate by 1 integer for each subsequent splice. It starts at "00", not "1". That's what the "fillnull" is doing in my solution. I can see that the dumbed-down version of my events only made it harder to troubleshoot, for that I apologize. There doesn't seem to be a major difference, in this case, between stats and streamstats, and there doesn't seem to be a difference between "| eval sequence = if(sequence == "", -01, sequence) and "| fillnull value="-01" sequence". I think I have what I need - from the newly created or extracted field I can rex my other fields out of there. Unfortunate I can't go through the field extractor but hey, what you gonna do. Thanks for all your help!!   ... View more

Thank you all for your effort to help me solve this issue. @yuanliu I tried using your updated solution but still could not get it to work. I was able to get _raw to appear after I used "fillnull" on the sequence field, but now _raw only includes the first part of the message, and the message field only seems to contain the first part of every message, per event. I also can't find a line that contains a second half of a message. I don't think it's grouping them together. In any case, jumping down rabbit holes to your response led my to get something that's working ok - though it has some limitations. Biggest contributor to this search is the ""streamstats" command which I don't understand fully, but seems to evaluate values adjacent to each other, which works ok for my data. Ideally I would like these events to be coming into Splunk fully whole, but I'm thinking that's a pipe dream. Here's what I put together: index=foo | fillnull value="-01" sequence | eval message_part1=if(sequence=="-01",message,"") | eval message_part2=if(sequence=="00",message,"") | eval message_part3=if(sequence=="01",message,"") | eval message_part4=if(sequence=="02",message,"") | streamstats window=2 current=t latest(timestamp) AS last earliest(timestamp) AS first | transaction endswith=eval(first!=last) keeporphans=true | strcat message_part1 message_part2 message_part3 message_part4 message | rex field=message (...regex stuff to get my fields...)  There's four sizable, albeit tolerable, problems with this: 1. This doesn't account for messages larger than 4 parts long (256 + 256 + 256 +256 +...+n characters) so is not dynamic 2. If the most recent event is one that was spliced, then that event will not be grouped with all parts of its spliced message. I think this is has to do with streamstats. 3. (probably the most annoying problem) strcat adds a whitespace in between message parts even though I have not given a delimiter and even though there are no whitespaces in my data originally. Strcat won't take "" as a delimiter either - it must be a value. 4. There was no consideration given to processing speed . . . It's cumbersome, but I think it'll mostly work. I worry a little bit about the full messages having random whitespaces in them, making further field extraction that more annoying, but I think it's doable. Thanks for all your help. As always would appreciate any feedback, further instruction on making these fields easier to extract, or any miraculous guidance on getting these events ingested into Splunk fully whole. ... View more

I was afraid of that. Unfortunately, the system's documentation says this 256-char cutoff is by design, and I can't access the system myself. I realistically only have Splunk to work with here. ... View more

@yuanliu thanks for the reply! I'm having trouble viewing the edited _raw  in the statistics table generated by your solution. It does generate a table, and the "message" column contains both parts of the message (albeit in reverse), but no column for _raw. I wonder if I do not have permissions to edit _raw? I only have some access after all; a different team at my company manages the Splunk backend. I should say a few things in regards to your response: 1. You had a correct assumption about <Null> being "" 2. It is incorrect to group by the process ID - although the two events with the spliced message do share a process ID, there are other messages that share the same process ID in a short time span as well. I have been ordering by "timestamp" instead 3. "timestamp" is a field taken from a delimited field in each event and is technically different than _time, and "timestamp" is more accurate. There are wonky, old-proprietary-system-related reasons for this. 4. I should have ordered my example events in the reverse; the event with the 256 character part of the message appears in splunk first, followed by the second part as overflow Do any of these factors also change the search you provided? ... View more

@efavreau thank you for the response!! If I'm understanding you right, you're suggesting I extract both "parts" as fields using the field extractor, and then get fields with eval using both parts. Unfortunately, each of these lines are separate logs, not multiline events. When I extract the fields using the field extractor, I can't use regex to gather segments of other events, as far as I can tell. Am I missing something from any of the links in your response, do you know what I might need to do to extract those "parts" from 2 different, single-line events with the field extractor? ... View more