Hi, I have a log source (Cisco ironport) that sends some multi-line logs via syslog and I want to join only one log when the ICID is the same in the first case and join only one log when the MID is the same in the second case . But I want to remove part of the log. Example below. Is it possible to do this?

1. join when ICID is equal <22>Oct 07 22:16:47 TextMailLogs: Info: New SMTP ICID 929637136 interface Public_SMTP (yy.yy.yy.yy) address xx.xx.xx.xx reverse dns host host@isp.com verified yes <22>Oct 07 22:16:47 TextMailLogs: Info: ICID 929637136 RELAY SG policy match .isp.com SBRS not enabled <22>Oct 07 22:16:47 TextMailLogs: Info: SMTP Auth: (ICID 929637136) succeeded for user: user@isp.com using AUTH mechanism: PLAIN with profile: SMTP_AUTH_CP <22>Oct 07 22:16:48 TextMailLogs: Info: ICID 929637136 lost <22>Oct 07 22:16:48 TextMailLogs: Info: ICID 929637136 close

example result: <22>Oct 07 22:16:47 TextMailLogs: Info: New SMTP ICID 929637136 interface Public_SMTP (yy.yy.yy.yy) address xx.xx.xx.xx reverse dns host host@isp.com verified yes RELAY SG policy match .isp.com SBRS not enabled succeeded for user: user@isp.com using AUTH mechanism: PLAIN with profile: SMTP_AUTH_CP lost close

2. join when MID is equal <22>Apr 12 12:00:35 TextMailLogs: Info: MID 354020393 ICID 751911320 From: <from@isp.com> <22>Apr 12 12:00:35 TextMailLogs: Info: MID 354020393 ICID 751911320 RID 0 To: <to@isp.com> <22>Apr 12 12:00:36 TextMailLogs: Info: MID 354020393 Subject '=?UTF-8?B?V29tZW7'
   <22>Apr 12 12:00:36 TextMailLogs: Info: MID 354020393 ready 92209 bytes from <from@isp.com> <22>Apr 12 12:00:53 TextMailLogs: Info: Message finished MID 354020393 done

example result: <22>Apr 12 12:00:35 TextMailLogs: Info: MID 354020393 ICID 751911320 From: <from@isp.com> RID 0 To: <to@isp.com> Subject '=?UTF-8?B?V29tZW7' ready 92209 bytes from <from@isp.com> done

Thanks