If I parse out a field, how can I tell if the value is an IP or a hostname?
timestamp host error: Auth fail user1 from 1.2.3.4
timestamp host error: Auth fail user2 from host.machine.com
While it's easy to put that last info into a field called source,
EXTRACT-user,source = error: Auth fail (?.+?) from (?.+)
I need to find out if the source is an IP or a hostname.
What is the syntax in props.conf to do that?