"31" in your sample is the correlation id of the original message. I can't see it in the original line in your sample, but it is there. it is not part of the message and you have to drop it from the concatenated line.
ITschak On Thu, Dec 5, 2019 at 3:28 AM Matt Hogstrom <m...@hogstrom.org> wrote: > I’m processing syslog messages and I’d like to combine multi-line messages > into a single entry before processing the entries. For instance, these > messages > > N 0020000 PROD 19111 16:00:40.08 JOB08657 00000090 +=== SUSPEND > PROGRAM FOR 02 SECONDS. === > N 0004000 PROD 19111 16:00:40.08 JOB08657 00000290 -STIMER > 00 4 0 0.000020 0.000000 0.0 > S 31 JES2 > 0 0 0 0 > > > Would become > 0020000 PROD 19111 16:00:40.08 JOB08657 00000090 +=== SUSPEND PROGRAM > FOR 02 SECONDS. === > 0004000 PROD 19111 16:00:40.08 JOB08657 00000290 -STIMER > 00 4 0 0.000020 0.000000 0.0 31 JES2 0 > 0 0 0 > > Given there are a number of subtle rules I was wondering if anyone had > written or was aware of a general purpose normalizer. > > > Matt Hogstrom > m...@hogstrom.org > +1-919-656-0564 > PGP Key: 0x90ECB270 > Facebook <https://facebook.com/matt.hogstrom> LinkedIn < > https://linkedin/in/mhogstrom> Twitter <https://twitter.com/hogstrom> > > “It may be cognitive, but, it ain’t intuitive." > — Hogstrom > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- ITschak Mugzach *|** IronSphere Platform* *|* *Information Security Contiguous Monitoring for Legacy **| * ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN