Hello,
I am trying to replace the host value that is the UF with event data as the value.
```
ACME-001 PROD-MFS-003: status="200/0" srcip="1.0.0.1" user="a7bk28" dhost="http://test_web.net/contents/content2.jpg?ee=ff&gg=hh" urlp="10" proto="HTTP/http" mtd="GET" urlc="Music" rep="24" mt="image/jpeg" mlwr="-" app="-" bytes="601/274/31302/00012" ua="Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0" lat="0/0/05/14" rule="rule14 bad" url="http://test_web.com/page5/e.jpg?ee=ff&gg=hh"
ACME-001 PROD-POS-006: status="200/0" srcip="1.0.0.13" user="ItsEmeline" dhost="http://test_web.net/users/user2.jpg?ee=ff&gg=hh" urlp="10" proto="HTTP/http" mtd="GET" urlc="Beauty" rep="21" mt="application/xml" mlwr="-" app="-" bytes="534/020/100/130" ua="Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Firefox/7.0a1" lat="0/10/026/105" rule="rule12 bad" url="http://test_web.net/contents/content2.jpg?ee=ff&gg=hh"
```
ACME-001 is what I want to be placed in as the value for the host field. These are the props and transforms that I am using.
props.conf

```ini
[mcafee:wg:kv]
TRANSFORMS-changehost = changehost
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current
```
transforms.conf

```ini
[changehost]
DEST_KEY = MetaData:Host
REGEX = ^(?P<host>\S+)
FORMAT = host::$1
```
I have also tried `^(\S+)` for the regex.
I have 1 SH, 1 CM, 2 IDX and 1 UF
I have put the props and transforms in app and pushed them to the indexers from the CM. They are on both indexes in /opt/splunk/etc/peer-apps
I have a TA that has the same sourcetype that I am using in props in my app. I'm wondering if I should add the props and transforms to a local folder in the TA instead of having them in a separate app.
Any suggestions would be much appreciated.
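A way to check, before pushing to the indexers, what host value the posted transforms stanza would produce for these events. This is an added example, not code from the post or from Splunk; it emulates only the REGEX/FORMAT/DEST_KEY part of an index-time transform, assumes a UF host of `uf01` for the no-match case, and uses the two sample events trimmed to their leading fields.

```python
import re

# Two events constructed from the post, trimmed to the leading fields; the host candidate is the first token.
SAMPLE_EVENTS = [
    'ACME-001 PROD-MFS-003: status="200/0" srcip="1.0.0.1" user="a7bk28" mtd="GET" rule="rule14 bad"',
    'ACME-001 PROD-POS-006: status="200/0" srcip="1.0.0.13" user="ItsEmeline" mtd="GET" rule="rule12 bad"',
]

# The transforms.conf stanza exactly as posted in the question.
TRANSFORMS_CONF = r"""
[changehost]
DEST_KEY = MetaData:Host
REGEX = ^(?P<host>\S+)
FORMAT = host::$1
"""

def parse_stanzas(text):
    """Minimal .conf parser returning {stanza: {key: value}}; skips blanks and # comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def apply_host_transform(stanza, event, current_host):
    """Emulate a transform with DEST_KEY = MetaData:Host: when REGEX matches, the host
    becomes the FORMAT expansion minus its 'host::' prefix; otherwise the forwarder's
    host is kept unchanged (the same outcome as a regex that never fires on the indexer)."""
    if stanza.get("DEST_KEY") != "MetaData:Host":
        raise ValueError("stanza does not target MetaData:Host")
    match = re.search(stanza["REGEX"], event)
    if not match:
        return current_host
    # Splunk substitutes $0..$n in FORMAT with the corresponding capture groups.
    expanded = re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), stanza["FORMAT"])
    prefix = "host::"
    if not expanded.startswith(prefix):
        raise ValueError("FORMAT for MetaData:Host must be written as host::<value>")
    return expanded[len(prefix):]

def resolve_hosts(conf_text=TRANSFORMS_CONF, events=SAMPLE_EVENTS, uf_host="uf01"):
    """Return the host each event would be indexed with under the [changehost] stanza."""
    stanza = parse_stanzas(conf_text)["changehost"]
    return [apply_host_transform(stanza, ev, uf_host) for ev in events]
```

If this returns `ACME-001` for both events, the regex and FORMAT are fine and the remaining question is whether the stanza is actually being applied to this sourcetype where parsing happens (the indexers for UF-sourced data), for example because another app's props.conf for `mcafee:wg:kv` takes precedence.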
Hi @boknows ,
please don't duplicate questions!
See my answer to your other question:
https://community.splunk.com/t5/Splunk-Search/Host-override-with-event-data/m-p/712235#M240309
Ciao.
Giuseppe
Sorry. The first time I sent it, it said it was reported as spam, so I wasn't sure it went through.