I have a hostname extraction TRANSFORMS.conf that works in v4.1.4, but since our upgrade to v4.3.2 it now doesn't extract the hostname. I have tried numerous changes to the REGEX on the new install but to no avail.
Example of incoming data:
<14>Jul 13 13:55:31 Message forwarded from hostname123:
Transforms.conf that worked:
[syslog-host-aix]
DEST_KEY = MetaData:Host
REGEX = \w+\s+\d+\s+\d{2}:\d{2}:\d\d\s+Message\sforwarded\sfrom\s([^:]+)
FORMAT = host::$1
I have tried many variations of the REGEX below in the Transforms.conf but none work.
[syslog-host-aix]
DEST_KEY = MetaData:Host
# tried capturing entire line to no avail
REGEX = .?Message\sforwarded\sfrom\s(\w):.*
FORMAT = host::$1
Did something change in REGEXes from the older versions to the newer versions of Splunk? Any ideas of REGEXes to try? I am on version 10 and counting.
This is working for me without the log facility and level.
\w+\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\sMessage\sforwarded\sfrom\s([^:]+)
If you need to include it you could do:
\<\d{2}\>\w+\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\sMessage\sforwarded\sfrom\s([^:]+)
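A quick way to see which of the thread's REGEX values actually captures the host, added here as an example and not taken from the thread. It assumes Python's re engine agrees with Splunk's PCRE for these constructs, and the sample lines (the question's line, one without the syslog PRI prefix, and one with a single-digit PRI) are constructed.

```python
import re

# Constructed sample lines: the question's example, the same line with the
# syslog <PRI> prefix removed (what the answer says it tested), and a
# single-digit PRI to show how strict \<\d{2}\> is.
SAMPLE_WITH_PRI = "<14>Jul 13 13:55:31 Message forwarded from hostname123:"
SAMPLE_NO_PRI = "Jul 13 13:55:31 Message forwarded from hostname123:"
SAMPLE_SHORT_PRI = "<1>Jul 13 13:55:31 Message forwarded from hostname123:"

# Candidate REGEX values quoted from the thread, keyed by a label.
PATTERNS = {
    "original_v414": r"\w+\s+\d+\s+\d{2}:\d{2}:\d\d\s+Message\sforwarded\sfrom\s([^:]+)",
    "attempt_single_w": r".?Message\sforwarded\sfrom\s(\w):.*",
    "answer_no_pri": r"\w+\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\sMessage\sforwarded\sfrom\s([^:]+)",
    "answer_with_pri": r"\<\d{2}\>\w+\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\sMessage\sforwarded\sfrom\s([^:]+)",
}


def extract_host(line, pattern):
    """Return capture group 1 (what FORMAT = host::$1 would write into
    MetaData:Host) or None. Splunk REGEX is unanchored, hence re.search."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def evaluate(lines):
    """Run every candidate pattern over every line.
    Returns {label: [host_or_None per line]} so failures stand out:
    (\w) before the colon can only ever match a one-character hostname,
    and \<\d{2}\> rejects lines whose PRI is not exactly two digits."""
    return {label: [extract_host(line, pat) for line in lines]
            for label, pat in PATTERNS.items()}


if __name__ == "__main__":
    for label, hosts in evaluate([SAMPLE_WITH_PRI, SAMPLE_NO_PRI,
                                  SAMPLE_SHORT_PRI]).items():
        print(f"{label:18s} -> {hosts}")
```

If you keep the PRI in the pattern, `\<\d{1,3}\>` covers the full syslog priority range rather than only two-digit values.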