Thank you for your reply! I was out yesterday and unable to test this.
The SEPM Server is Windows 2016, Elastic is running on Ubuntu 18.04 LTS.
Here is a much abbreviated (and sanitized) log sample that shows just two lines separated by the '\r':
> <50>Apr 15 10:03:50 SEPM SymantecServer: H2HWEB01,SHA-256: 0000000000000000000000000000000000000000000000000000000000000000,MD-5: ,[SID: 31358] Attack: ThinkPHP getShell Remote Code Execution 2 attack blocked. Traffic has been blocked for this application: SYSTEM,Local: 192.168.1.7,Local: 000000000000,Remote: ,Remote: 129.28.4.4,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2019-02-24 15:57:47,End: 2019-02-24 15:57:47,Occurrences: 1,Application: SYSTEM,Location: Default,User: used,Domain: TEST,Local Port 80,Remote Port 60726,CIDS Signature ID: 31358,CIDS Signature string: Attack: ThinkPHP getShell Remote Code Execution 2,CIDS Signature SubID: 76184,Intrusion URL: 199.48.152.1/index.php?s=captcha,Intrusion Payload URL: \r<50>Apr 15 10:03:50 SEPM SymantecServer: H2HWEB01,SHA-256: 0000000000000000000000000000000000000000000000000000000000000000,MD-5: ,[SID: 31358] Attack: ThinkPHP getShell Remote Code Execution 2 attack blocked. Traffic has been blocked for this application: SYSTEM,Local: 192.168.1.7,Local: 000000000000,Remote: ,Remote: 129.28.4.4,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2019-02-24 15:57:42,End: 2019-02-24 15:57:42,Occurrences: 1,Application: SYSTEM,Location: Default,User: used,Domain: TEST,Local Port 80,Remote Port 60084,CIDS Signature ID: 31358,CIDS Signature string: Attack: ThinkPHP getShell Remote Code Execution 2,CIDS Signature SubID: 76184,Intrusion URL: 199.48.152.1/index.php?s=captcha,Intrusion Payload URL:
The '\r' is at character 741, about halfway in.
I tried using \r, \r, and ^M in the mutate->split, but the messages are not split out into separate events. I am not sure I understand your use of Ctrl/V & Ctrl/M in your reply & example.
Thanks!
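Added example, not part of the original post: a Ruby sketch showing that a split only separates the records when the separator is the real carriage-return byte (0x0D) rather than the two characters backslash and r, and then parsing each record, including its repeated `Local:`/`Remote:` keys. The payload is constructed and shortened from the format shown above; `sample`, `split_records` and `parse_record` are hypothetical names.

```ruby
CR = "\r"        # real carriage return: one byte, 0x0D
ESCAPED = '\r'   # backslash followed by the letter r: two bytes

# Constructed sample: two shortened records in the post's format, joined by sep.
def sample(sep)
  rec = lambda do |port|
    "<50>Apr 15 10:03:50 SEPM SymantecServer: H2HWEB01,MD-5: ,[SID: 31358] Attack blocked," \
    "Local: 192.168.1.7,Remote: ,Remote: 129.28.4.4,Inbound,TCP,Local Port 80," \
    "Remote Port #{port},CIDS Signature ID: 31358,Intrusion Payload URL: "
  end
  rec.call(60726) + sep + rec.call(60084)
end

# Split on real CR bytes; optionally also on the two-character text \r,
# which is what a sanitized paste or an unescaped config string contains.
def split_records(payload, also_literal: false)
  seps = also_literal ? [CR, ESCAPED] : [CR]
  payload.split(Regexp.union(seps)).map(&:strip).reject(&:empty?)
end

HEADER = /\A<(?<pri>\d+)>(?<ts>\w{3} +\d+ [\d:]{8}) (?<host>\S+) (?<tag>[^:]+): (?<body>.*)\z/m

# Parse one record: syslog priority, host, tag, and "Key: value" / "X Port n" items.
# Keys repeat (Local, Remote), so every key maps to an array of values.
def parse_record(line)
  m = HEADER.match(line) or return nil
  pri = m[:pri].to_i
  fields = Hash.new { |h, k| h[k] = [] }
  m[:body].split(",").each do |item|
    if (kv = item.match(/\A(?<k>[^:\[]+): ?(?<v>.*)\z/))
      fields[kv[:k].strip] << kv[:v]
    elsif (pv = item.match(/\A(?<k>(?:Local|Remote) Port) (?<v>\d+)\z/))
      fields[pv[:k]] << pv[:v]
    end
  end
  { facility: pri / 8, severity: pri % 8, host: m[:host], tag: m[:tag], fields: fields }
end

if __FILE__ == $PROGRAM_NAME
  puts "real CR: #{split_records(sample(CR)).length} records"
  puts "literal backslash-r: #{split_records(sample(ESCAPED)).length} record"
  split_records(sample(CR)).each { |r| p parse_record(r)[:fields]["Remote Port"] }
end
```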