The field extractor regex basically counts the number of spaces before the IP. During the first nine days of the month there is an extra space, compare:
Nov  9 01:02:03 x.x.x.x
Nov 10 01:02:03 x.x.x.x
However, what you want is "three words before the IP", not "three (or four) spaces before the IP". Try something like this untested extraction:
^(?:[^\s]+\s+){3}(?P<FIELDNAME>(\d{1,3}\.){3}\d{1,3})
This looks for "positive number of non-spaces followed by positive number of spaces" (read: "words") three times, then picks out the IP while taking the decimal notation into account. Note, this would allow invalid IPs such as "999.999.999.999".
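An added example, not part of the original answer: the word-counting regex from the post run against constructed syslog lines, next to a hypothetical space-counting pattern standing in for the extractor's output, plus an octet-range check for the "999.999.999.999" caveat. The sample lines, the `SPACE_COUNTING` pattern and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Hypothetical stand-in for a space-counting extraction (assumed, not from the post):
# each repetition consumes exactly one space, so a padded day breaks the count.
SPACE_COUNTING = re.compile(r"^(?:[^ ]* ){3}(?P<FIELDNAME>(\d{1,3}\.){3}\d{1,3})")

# The regex proposed in the post: three "words", each followed by one or more spaces.
WORD_COUNTING = re.compile(r"^(?:[^\s]+\s+){3}(?P<FIELDNAME>(\d{1,3}\.){3}\d{1,3})")

# Constructed sample events; the addresses are documentation or deliberately invalid.
SAMPLES = [
    "Nov  9 01:02:03 192.0.2.10 sshd[411]: session opened",       # padded single-digit day
    "Nov 10 01:02:03 192.0.2.11 sshd[412]: session opened",       # two-digit day
    "Nov 11 01:02:03 999.999.999.999 sshd[413]: session opened",  # dotted but not an IP
]


def extract(pattern, line):
    """Return the captured FIELDNAME value, or None when the pattern does not match."""
    match = pattern.match(line)
    return match.group("FIELDNAME") if match else None


def extract_valid_ip(line):
    """Extract with the word-counting regex, then reject out-of-range octets."""
    candidate = extract(WORD_COUNTING, line)
    if candidate is None:
        return None
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:
        # The regex accepts any 1-3 digit groups; IPv4Address enforces 0-255.
        return None


if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line[:15]),
              "space-counting:", extract(SPACE_COUNTING, line),
              "| word-counting:", extract(WORD_COUNTING, line),
              "| validated:", extract_valid_ip(line))
```

Events where the regex matches but validation fails are worth counting separately, since they usually point at a log format change rather than a real source address.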