I think I achieved this but I'm not sure. I can't reproduce those messages.
This is what I've done
1 rule let's say "Customer A devices"
1 filter Including devices by hostname like this "^XYZ"
2 filter Including message Text and filter type RegExp as follow
"^%ASA-[0-7]-321" "^%ASA-[0-7]-319" "^%ASA-[0-7]-199" "^%ASA-[0-7]-211" "^%ASA-[0-7]-214" "^%ASA-[0-7]-216" "^%ASA-[0-7]-[30(6|7)" "^%ASA-[0-7]-414" "^%ASA-[0-7]-60(4|6)" "^%ASA-[0-7]-610" "^%ASA-[0-7]-612" "^%ASA-[0-7]-61(4|5)" "^%ASA-[0-7]-701" "^%ASA-[0-7]-711" "^%ASA-[0-7]-209" "^%ASA-[0-7]-215" "^%ASA-[0-7]-313" "^%ASA-[0-7]-317" "^%ASA-[0-7]-408" "^%ASA-[0-7]-10(1|4)" "^%ASA-[0-7]-210" "^%ASA-[0-7]-311" "^%ASA-[0-7]-709"
These are all critical messages so to test it I just added it a common message for example "^%ASA-[0-7]-106" which would be %ASA-4-106023 for example (some acl list packet dropped)
If I split this filter it stops working...Any idea would be really appreciated.
Cheers