So I finally figured out how to do this.
On my indexer nodes I added the following to transforms.conf:
[syslog_strip_date_host]
SOURCE_KEY = _raw
REGEX = ^.*?\b\d\d:\d\d:\d\d\b\S* \S+\s*(.*)
FORMAT = $1
DEST_KEY = _raw
And added the following to props.conf:
[syslog]
TRANSFORMS-date_host = syslog_strip_date_host
The regex looks for the first thing containing a date (\d\d:\d\d:\d\d) and deletes it and the next field (which is the host).
As a note for anyone else looking into this, doing a SEDCMD in props.conf does not work as the replacement occurs before indexing, so the host (and possibly time) doesn't get indexed. Using a transform seems to happen after indexing so it works.
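As an added illustration (not part of the original post), here is the same REGEX/FORMAT behaviour reproduced in Python against a few constructed syslog lines, so you can check what the transform keeps and, just as important, which lines it leaves untouched because the time pattern never matches (a line is unchanged when the REGEX does not match, which is what Splunk does when a transform's REGEX fails). The sample lines and host names are made up.

```python
import re

# Same expression as the transforms.conf stanza above (PCRE and Python agree on \b and \S here).
SYSLOG_STRIP_DATE_HOST = re.compile(r"^.*?\b\d\d:\d\d:\d\d\b\S* \S+\s*(.*)")


def strip_date_host(raw: str) -> str:
    """Mimic the transform: replace _raw with $1 when REGEX matches, else leave _raw as is."""
    m = SYSLOG_STRIP_DATE_HOST.match(raw)
    return m.group(1) if m else raw


# Constructed sample events (not real data).
BSD_LINE = "Mar 10 12:34:56 webhost01 sshd[1234]: Accepted publickey for alice from 10.0.0.5"
PRI_LINE = "<34>Mar 10 12:34:56 webhost01 su: 'su root' failed"
# ISO 8601 with a 'T' separator: there is no word boundary between 'T' and '12',
# so \b\d\d:\d\d:\d\d\b never matches and the event is indexed unchanged.
ISO_T_LINE = "2024-03-10T12:34:56.789Z webhost01 kernel: eth0: link up"
# ISO 8601 with a space separator matches, and \S* swallows the fractional seconds/zone.
ISO_SPACE_LINE = "2024-03-10 12:34:56.789Z webhost01 kernel: eth0: link up"


def demo() -> dict:
    """Return before/after pairs for each sample so the effect is visible at a glance."""
    samples = {
        "bsd": BSD_LINE,
        "pri": PRI_LINE,
        "iso_t": ISO_T_LINE,
        "iso_space": ISO_SPACE_LINE,
    }
    return {name: (line, strip_date_host(line)) for name, line in samples.items()}


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        changed = "stripped" if before != after else "UNCHANGED (regex did not match)"
        print(f"{name:10s} {changed}\n   in : {before}\n   out: {after}")
```

If your sources emit 'T'-separated timestamps, the transform will quietly skip those events, so verify with a search for `_raw` values that still begin with a year before relying on it.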