Hi,

I have a feed that is collecting data and resending it to Splunk via syslog. I'd like to extract the hostname from the message, not the device sending the message.

If my feed was like this, and I wanted to extract it from agentmachine=... (up to the next pipe, but no $), how would I do that?

2013-08-08T11:06:40-04:00 1.2.3.4 blahblahblah eventid=675|agentmachine=XXX\AAAAA$|auditmachine=|category=9|ClientDomain=|clientUser=SDFSDF|clientlogonid=0|clientsid=S-1-5-21-1343024091-606747145-1801674531-1091404|collectiontime=8/8/2013 3:06:37 PM|creationtime=8/8/2013 3:06:36 PM|flags=1|headerDomain=AAAA|headersid=S-1-5-18|headeruser=SYSTEM|Primarydomain=|PrimaryLogonID=0|primarysid=|primaryuser=|targetDomain=|targetsid=|targetuser=|sequenceno=3514421565|source=Security|string01=krbtgt/BMI|string02=0x0|string03=0x19|string04=1.2.3.4|string05=|string06=|string07=|string08=|string09=|string10=|string11=|string12=|string13=|string14=|string15=|string16=|string17=|string18=|string19=|string20=|string21=|string22=|type=16|listenerName=AD-Kerberos-PreAuthFailed