We're bringing in syslogs from DataPower units, and they have a rough log setup:
Jul 22 09:00:20 10.214.8.104 [0x80c0003f][xxxxxxSSOSPDebug][info] xmlfirewall(SSOAuditLogFW): trans(214401)[request][100.73.230.24] gtid(214401):
Jul 22 09:00:20 10.214.8.104 Timestamp(2016-07-22T09:00:20-04:00)
Jul 22 09:00:20 10.214.8.104 ::
Jul 22 09:00:20 10.214.8.104 TransactionID()
Jul 22 09:00:20 10.214.8.104 ::
Jul 22 09:00:20 10.214.8.104 ClientId(xxxxxx 4000025)
Jul 22 09:00:20 10.214.8.104 ::
Jul 22 09:00:20 10.214.8.104 UserInfo()
Jul 22 09:00:20 10.214.8.104 ::
Jul 22 09:00:20 10.214.8.104 Status(0x00000000)
Jul 22 09:00:20 10.214.8.104 ::
Jul 22 09:00:20 10.214.8.104 TimeTake(V1_113_103_0_1_9)
Jul 22 09:00:20 10.214.8.104 ::
Jul 22 09:00:20 10.214.8.104 Message()
That's an event in syslog, but sometimes it breaks in half in Splunk:
Jul 21 23:15:44 172.22.93.21 ::
Jul 21 23:15:44 172.22.93.21 TimeTake(V1_207_187_0_0_20)
Jul 21 23:15:44 172.22.93.21 ::
Jul 21 23:15:44 172.22.93.21 Message()
Jul 21 23:15:44 172.22.93.21 [0x80c0003f][xxxxxxSSOSPDebug][info] xmlfirewall(SSOAuditLogFW): trans(33153921)[request][216.105.103.106]:
Jul 21 23:15:44 172.22.93.21 Timestamp(2016-07-21T23:15:44-04:00)
Jul 21 23:15:44 172.22.93.21 ::
Jul 21 23:15:44 172.22.93.21 TransactionID()
Jul 21 23:15:44 172.22.93.21 ::
Jul 21 23:15:44 172.22.93.21 ClientId(xxxxxx 4000025)
Jul 21 23:15:44 172.22.93.21 ::
Jul 21 23:15:44 172.22.93.21 UserInfo()
Jul 21 23:15:44 172.22.93.21 ::
Jul 21 23:15:44 172.22.93.21 Status(0x00000000)
My props looks like this, and I'm pretty sure it's wrong, but not certain where:
[xxxxxx:prod:datapower]
#Dec 28 11:21:03 10.1.1.49 [cert-monitor][warn] cert-monitor(Certificate Monitor): trans(383): Certificate 'HummingbirdUATCert' is expired
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
#LINE_BREAKER = ([\n\r]+)(?=\w{3}\s+\d+\s+\d+:\d+:\d+)
LINE_BREAKER = ^(?:[^ \n]* ){5}(?P\[\d+\w+\])
TRUNCATE = 1024000
SHOULD_LINEMERGE = TRUE
Can someone help me stop these from coming in broken in half? I'm also interested in extracting the ClientId and Message fields, but with the amount of lines, I'm not getting far.
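As an added example (not from the poster or from the Splunk/DataPower documentation), the parser below reassembles these multi-line DataPower events from the raw syslog stream the way an indexer would have to: a new event begins at every header line (the line whose body opens with two or more `[...]` tags, such as `[0x80c0003f][xxxxxxSSOSPDebug][info]`), and every `Name(value)` line up to the next header belongs to that event, with the `::` filler lines discarded. The sample log is constructed from the lines quoted above; the tail of the first event is deliberately left without its header, and the parser keeps that tail as a separate event flagged `partial` instead of merging it into the next one, which is exactly the "broken in half" symptom shown above. The non-empty `Message(...)` value in the last event is a constructed placeholder so the extraction has something to return.

```python
import re
from typing import Optional

# Constructed sample built from the question's own lines: a trailing fragment
# whose header was lost, then a complete event, then a second complete event.
# Hosts, IPs and IDs are the question's placeholders; the final Message value
# is invented so the extraction returns something.
SAMPLE_LOG = """\
Jul 21 23:15:44 172.22.93.21 ::
Jul 21 23:15:44 172.22.93.21 TimeTake(V1_207_187_0_0_20)
Jul 21 23:15:44 172.22.93.21 ::
Jul 21 23:15:44 172.22.93.21 Message()
Jul 21 23:15:44 172.22.93.21 [0x80c0003f][xxxxxxSSOSPDebug][info] xmlfirewall(SSOAuditLogFW): trans(33153921)[request][216.105.103.106]:
Jul 21 23:15:44 172.22.93.21 Timestamp(2016-07-21T23:15:44-04:00)
Jul 21 23:15:44 172.22.93.21 ::
Jul 21 23:15:44 172.22.93.21 TransactionID()
Jul 21 23:15:44 172.22.93.21 ::
Jul 21 23:15:44 172.22.93.21 ClientId(xxxxxx 4000025)
Jul 21 23:15:44 172.22.93.21 ::
Jul 21 23:15:44 172.22.93.21 UserInfo()
Jul 21 23:15:44 172.22.93.21 ::
Jul 21 23:15:44 172.22.93.21 Status(0x00000000)
Jul 22 09:00:20 10.214.8.104 [0x80c0003f][xxxxxxSSOSPDebug][info] xmlfirewall(SSOAuditLogFW): trans(214401)[request][100.73.230.24] gtid(214401):
Jul 22 09:00:20 10.214.8.104 Timestamp(2016-07-22T09:00:20-04:00)
Jul 22 09:00:20 10.214.8.104 ::
Jul 22 09:00:20 10.214.8.104 ClientId(xxxxxx 4000025)
Jul 22 09:00:20 10.214.8.104 ::
Jul 22 09:00:20 10.214.8.104 Status(0x00000000)
Jul 22 09:00:20 10.214.8.104 ::
Jul 22 09:00:20 10.214.8.104 Message(SSO assertion accepted)
"""

# Every relayed line carries the syslog prefix "<Mon dd HH:MM:SS> <host> ".
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s(?P<body>.*)$"
)
# A DataPower event header opens with two or more bracketed tags, e.g.
# "[0x80c0003f][xxxxxxSSOSPDebug][info] ..." or "[cert-monitor][warn] ...".
EVENT_HEADER = re.compile(r"^(?:\[[^\]]*\]){2,}\s")
# Continuation lines are "Name(value)" pairs; "::" lines are filler.
FIELD_LINE = re.compile(r"^(?P<key>\w+)\((?P<val>.*)\)$")
TRANS_ID = re.compile(r"\btrans\((\d+)\)")


def new_event(ts: str, host: str, header: str, partial: bool) -> dict:
    """Start an event record; trans id is pulled from the header when present."""
    t = TRANS_ID.search(header)
    return {"syslog_ts": ts, "host": host, "header": header, "partial": partial,
            "trans": t.group(1) if t else None, "fields": {}, "unparsed": []}


def parse_events(text: str) -> list:
    """Reassemble multi-line DataPower events from a syslog stream.

    A header line always starts a new event. Lines seen before any header
    (the tail of an event whose head was lost) become an event flagged
    partial=True rather than being merged into the next header's event.
    """
    events: list = []
    current: Optional[dict] = None
    for line in text.splitlines():
        m = SYSLOG_PREFIX.match(line)
        if not m:
            continue  # not a line in this relay format; skip rather than guess
        body = m["body"].rstrip()
        if EVENT_HEADER.match(body):
            current = new_event(m["ts"], m["host"], header=body, partial=False)
            events.append(current)
            continue
        if current is None:
            current = new_event(m["ts"], m["host"], header="", partial=True)
            events.append(current)
        if body == "::":
            continue
        f = FIELD_LINE.match(body)
        if f:
            current["fields"][f["key"]] = f["val"]
        else:
            current["unparsed"].append(body)
    return events


def client_messages(events: list) -> list:
    """(trans, ClientId, Message) for every complete event; missing fields are None."""
    return [(e["trans"], e["fields"].get("ClientId"), e["fields"].get("Message"))
            for e in events if not e["partial"]]


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print("PARTIAL" if ev["partial"] else "OK", ev["trans"], ev["fields"])
    print(client_messages(parse_events(SAMPLE_LOG)))
```

The boundary the parser keys on (a newline followed by the syslog prefix and then a bracketed tag) is the same one a Splunk LINE_BREAKER would have to match with a lookahead, so the header line stays at the front of the new event rather than being consumed by the break; whether that alone fixes the poster's setup also depends on how SHOULD_LINEMERGE interacts with it, which this example does not model.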