Should be easy enough but not working for me. I am trying to pull a hostname out of a log. I am terrible at regex and trying to get better.
^ = starts with
.* = any number of characters
_ = space?
transforms.conf
DEST_KEY = MetaData:Host
REGEX = ^(.*)_
FORMAT = host::$1
Here is the format of the log:
localhost nmap 25 tcp allowed smtp
For some reason it's not extracting this hostname.
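
An added example (not part of the original post): a Python stand-in for the REGEX/FORMAT step, run against the log line from the post, showing that `_` matches a literal underscore rather than a space. `apply_transform`, `SPACE_REGEX` and the extra log line are constructed for illustration; Python's `re` treats these two patterns the same way PCRE does.

```python
import re

# The log line from the post, plus one constructed line that contains underscores.
SAMPLE = "localhost nmap 25 tcp allowed smtp"
CONSTRUCTED = "app_srv_01 sshd 22 tcp allowed ssh"

POSTED_REGEX = r"^(.*)_"    # REGEX from the post
SPACE_REGEX = r"^(\S+)\s"   # assumed alternative: first whitespace-delimited token
FORMAT = "host::$1"         # FORMAT from the post


def apply_transform(regex, fmt, event):
    """Rough stand-in for the transform: return the value that would be
    written to the destination key, or None when REGEX does not match
    (in which case the host is left unchanged)."""
    m = re.search(regex, event)
    if m is None:
        return None
    # Expand $1, $2, ... in FORMAT with the matching capture groups.
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), fmt)


def compare(event):
    """Return (result with the posted regex, result with the whitespace regex)."""
    return (
        apply_transform(POSTED_REGEX, FORMAT, event),
        apply_transform(SPACE_REGEX, FORMAT, event),
    )


if __name__ == "__main__":
    for line in (SAMPLE, CONSTRUCTED):
        posted, spaced = compare(line)
        print(f"{line!r}\n  posted regex -> {posted}\n  \\S+\\s regex  -> {spaced}")
```

On the posted line there is no underscore, so the posted pattern never matches; on a line that does contain underscores, the greedy `.*` captures everything up to the last one.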