Hi Guys,
Quick question, i would like to set a sourcetype based on regex.
Meaning, considering these events:

CEF:0|Quest|Sourcetype1|||User member-of removed|Low| end=Jun 29 2014 15:16:03 sourceDnsDomain= XXXXX cn1=2 cn1Label=SeverityID suser=XXXXXXXX suid=~XXXXX shost=XXXXX.corp.test.com msg=The user Domain\\XXXXX$ was removed from the group XXXXX \\ XXXXX. sourceServiceName=user flexString1= XXXXX \\ XXXXX flexString1Label=Old Value flexString2= flexString2Label=New Value cs1= XXXXX \\ XXXXX $ cs1Label=user-dn cs2= XXXXX \\ XXXXX cs2Label=old-member-of duser= XXXXX$ deviceCustomDate1=Jun 29 2014 15:16:17 deviceCustomDate1Label=CA Time Received

CEF:0|Quest|Sourcetype3|||User member-of removed|Low| end=Jun 29 2014 15:16:03 sourceDnsDomain= XXXXX cn1=2 cn1Label=SeverityID suser=XXXXXXXX suid=~XXXXX shost=XXXXX.corp.test.com msg=The user Domain\\XXXXX$ was removed from the group XXXXX \\ XXXXX. sourceServiceName=user flexString1= XXXXX \\ XXXXX flexString1Label=Old Value flexString2= flexString2Label=New Value cs1= XXXXX \\ XXXXX $ cs1Label=user-dn cs2= XXXXX \\ XXXXX cs2Label=old-member-of duser= XXXXX$ deviceCustomDate1=Jun 29 2014 15:16:17 deviceCustomDate1Label=CA Time Received

CEF:0|Quest|Sourcetype4|||User member-of removed|Low| end=Jun 29 2014 15:16:03 sourceDnsDomain= XXXXX cn1=2 cn1Label=SeverityID suser=XXXXXXXX suid=~XXXXX shost=XXXXX.corp.test.com msg=The user Domain\\XXXXX$ was removed from the group XXXXX \\ XXXXX. sourceServiceName=user flexString1= XXXXX \\ XXXXX flexString1Label=Old Value flexString2= flexString2Label=New Value cs1= XXXXX \\ XXXXX $ cs1Label=user-dn cs2= XXXXX \\ XXXXX cs2Label=old-member-of duser= XXXXX$ deviceCustomDate1=Jun 29 2014 15:16:17 deviceCustomDate1Label=CA Time Received

I would like to be able to extract the sourcetype (sourcetype1, sourcetype3, sourcetype4) based on a regex (which i haven't created yet, if anyone can assist with that as well that would be great).
I have looked into Variable Sourcetype Rule but did not find a way to do so.

Thanks in advance,
Naor