I have a hostname extraction TRANSFORMS.conf that works in v4.1.4, but since our upgrade to v4.3.2 it now doesn't extract the hostname. I have tried numerous changes to the REGEX on the new install but to no avail.

Example of incoming data:

<14>Jul 13 13:55:31 Message forwarded from hostname123:

Transforms.conf that worked:

[syslog-host-aix]

DEST_KEY = MetaData:Host

REGEX = \w+\s+\d+\s+\d{2}:\d{2}:\d\d\s+Message\sforwarded\sfrom\s([^:]+)

FORMAT = host::$1

I have tried many variations of the REGEX below in the Transforms.conf but none work.

[syslog-host-aix]

DEST_KEY = MetaData:Host

REGEX = .?Message\sforwarded\sfrom\s(\w):.* < ---- tried capturing entire line to no avail

REGEX = \w+\s+\d+\s+\d{2}:\d{2}:\d\d\s+Message\sforwarded\sfrom\s(.*?):

FORMAT = host::$1

Did something change in REGEX's from the older versions to the newer versions of Splunk? Any ideas of REGEX's to try ? I am on version 10 and counting.