Your regex looks really off - copy&paste error? If not, all it does is look for the capital F followed by some characters.
This should be better: \s\d+\.\d+\.\d+\.\d+\s+FAILED
Note, this doesn't actually match only IPv4 addresses, but it should be correct enough. Additionally, it doesn't check if it's the first IP that's being followed by FAILED - address that if you expect events that contain FAILED after a later IP that you want to keep, for example by only looking N words deep into the event from the beginning, as these look like syslog-ish headers.
There is an app for Bluecoat ProxySG on Splunkbase that might help you a lot with field extraction and stuff.
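The two caveats in the answer above, shown as an added example that is not part of the original post: the suggested regex next to a stricter variant that limits octets to 0-255 and only accepts the first dotted quad within the first N words. The log lines are constructed, and the stricter pattern, the helper names and the limit of 6 words are assumptions for illustration.

```python
import re

# Regex from the answer: any dotted quad followed by FAILED, anywhere in the event.
LOOSE = re.compile(r"\s\d+\.\d+\.\d+\.\d+\s+FAILED")

# Assumed stricter variant (not from the answer): each octet must be 0-255.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"

def strict_pattern(max_words=6):
    """Match only if the FIRST dotted quad, found within the first
    max_words header tokens, is a valid IPv4 directly followed by FAILED."""
    # A header token is any word that is not itself a dotted quad, so the
    # skip group can never step over the first IP-looking token.
    not_ip = r"(?!\d+\.\d+\.\d+\.\d+(?:\s|$))\S+"
    return re.compile(rf"^(?:{not_ip}\s+){{0,{max_words}}}{IPV4}\s+FAILED\b")

STRICT = strict_pattern(6)

# Constructed syslog-like sample events (not real log data).
SAMPLE = [
    # first IP is followed by FAILED: both patterns match
    "Jan 12 10:01:02 proxy01 bluecoat: 10.1.2.3 FAILED auth user=alice",
    # FAILED follows a later IP: only the loose pattern matches
    "Jan 12 10:01:03 proxy01 bluecoat: 10.1.2.3 OK forwarded to 192.168.5.9 FAILED upstream",
    # not a valid IPv4 address: only the loose pattern matches
    "Jan 12 10:01:04 proxy01 bluecoat: 999.999.999.999 FAILED auth",
    # no FAILED at all: neither pattern matches
    "Jan 12 10:01:05 proxy01 bluecoat: 10.1.2.4 OK auth user=bob",
]

def check(line):
    """Return (loose_match, strict_match) for one event."""
    return bool(LOOSE.search(line)), bool(STRICT.search(line))

def check_all(lines=SAMPLE):
    return [check(line) for line in lines]

if __name__ == "__main__":
    for line, (loose, strict) in zip(SAMPLE, check_all()):
        print(f"loose={loose!s:5} strict={strict!s:5} {line}")
```

Both patterns use only syntax that Python's `re` and PCRE share, so they can be tried as-is in a Splunk regex once the word limit fits the actual header layout.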