And if you use a split filter you can change that to two events that look like
"host" => "localhost.localdomain",
"message" => "2021-12-15T19:50:00-0700 [INFO]: message1",
"@timestamp" => 2021-12-15T14:48:06.259Z,
"data" => {
"id" => "123"
}
But you cannot convert them to be
"host" => "localhost.localdomain",
"2021-12-15T19:50:00-0700 [INFO]: message1",
"@timestamp" => 2021-12-15T14:48:06.259Z,
"data" => {
"id" => "123"
}
which is what you are asking for.