Struggling to create a custom label parsing syslog output

Hi - I’m struggling to create a custom label in my config.alloy. My rsyslog process on this node is collecting information from other devices and I’d like to create a custom label to delineate by label in Grafana where the data is coming from.
Here’s an example that’s presently showing as unknown:

2025-07-24T10:58:56.499773-05:00 omada.montysplace.local  2025-07-24 10:57:34 Home Omada Controller-Home - - - DHCP Server allocated IP address ...

I’d like to take the second field in syslog via regex to assign the label as ‘syslog_host’ so I can parse it appropriately in Grafana. I’m struggling with the config.alloy - would anyone be able to help me accomplish this?

// /////////////
// JOURNAL
// /////////////

// Collect logs from systemd journal for node_exporter integration
loki.source.journal "logs_integrations_integrations_node_exporter_journal_scrape" {
  // Only collect logs from the last 24 hours
  max_age       = "24h0m0s"
  // Apply relabeling rules to the logs
  relabel_rules = discovery.relabel.logs_integrations_integrations_node_exporter_journal_scrape.rules
  // Send logs to the local Loki instance
  forward_to    = [loki.write.local.receiver]
}

// Define relabeling rules for systemd journal logs
discovery.relabel "logs_integrations_integrations_node_exporter_journal_scrape" {
  targets = []

  rule {
    // Extract systemd unit information into a label
    source_labels = ["__journal__systemd_unit"]
    target_label  = "unit"
  }

  rule {
    // Extract boot ID information into a label
    source_labels = ["__journal__boot_id"]
    target_label  = "boot_id"
  }

  rule {
    // Extract transport information into a label
    source_labels = ["__journal__transport"]
    target_label  = "transport"
  }

  rule {
    // Extract log priority into a level label
    source_labels = ["__journal_priority_keyword"]
    target_label  = "level"
  }
}

// /////////////
// LOGS
// /////////////

// Define which log files to collect for node_exporter
local.file_match "logs_integrations_integrations_node_exporter_direct_scrape" {
  path_targets = [{
    // Target localhost for log collection
    __address__ = "localhost",
    // Collect standard system logs
    //__path__    = "/var/log/{syslog,messages,*.log}",
    __path__    = "/var/log/syslog",
    // Add instance label with hostname
    instance    = constants.hostname,
    // Add job label for logs
    job         = "integrations/node_exporter",
  }]
}

// Configure a loki.process component to parse the logs
loki.process "syslog_parser" {
  forward_to = [loki.write.default.receiver] // Replace default with your actual loki.write instance
  stage {
    // Use a regex stage to capture the second field
    // This regex looks for:
    // ^\S+  - one or more non-whitespace characters at the beginning (first field)
    // \s+   - one or more whitespace characters
    // (\S+) - captures one or more non-whitespace characters (the second field)
    // .* - matches the rest of the line
    regex {
      expression = "^\\S+\\s+(\\S+).*"
      // The captured group (the second field) will be available as 'captured_value'
    }
  }

  stage {
    // Use a labels stage to assign the captured value to syslog_host
    labels {
      syslog_host = "$1" // $1 refers to the first captured group from the regex
    }
  }

  source = logs_integrations_integrations_node_exporter_direct_scrape 
}

// Collect logs from files for node_exporter
loki.source.file "loki.process.syslog_parser" {
  // Use targets defined in local.file_match
  targets    = local.file_match.logs_integrations_integrations_node_exporter_direct_scrape.targets
  // Send logs to the local Loki instance
  forward_to = [loki.write.local.receiver]
}


// /////////////
// OUT TO LOKI
// /////////////

// Define where to send logs for storage
loki.write "local" {
    endpoint {
        // Send logs to a locally running Loki instance
        url ="http://syslog.montysplace.local:3100/loki/api/v1/push"
    }
}

Since I posted this a few days ago and got tagged for potential spam I have since gotten quite a bit further and resolved this particular issue. Specifically I needed the regex group definition I could then import into the labels block. If anyone else comes by with similar struggles here is my current config file for these logs.

// /////////////
// LOGS
// /////////////

// Define which log files to collect for remote_host_logs
local.file_match "remote_host_logs" {
  path_targets = [{
    __address__ = "localhost",
    __path__    = "/var/log/external_logs/*.log",
    instance    = constants.hostname,
    job         = "omada_controller_logs",
  }]
}

// Collect logs from files for remote_host_logs
loki.source.file "remote_host_logs" {
  targets     = local.file_match.remote_host_logs.targets
  forward_to = [loki.process.remote_host_logs_relabels.receiver]
}

// Processing pipeline for remote host logs
loki.process "remote_host_logs_relabels" {
  // Extract all leading fields and the full message ---
  stage.regex {
    expression = "^(?P<log_timestamp_full>\\S+)[[:space:]]+(?P<hostname>\\S+)[[:space:]]+\\s*(?P<internal_event_timestamp>\\S+[[:space:]]+\\S+)\\s*[[:space:]]+(?P<controller_source>.*?)[[:space:]]+-[[:space:]]+-[[:space:]]+-[[:space:]]+(?P<message>.*)"
  }

  // Assign all captured and extracted fields as labels ---
  stage.labels {
    values = {
      log_timestamp_full = "log_timestamp_full",
      hostname = "hostname",
      internal_event_timestamp = "internal_event_timestamp",
      controller_source = "controller_source",
      message = "message",
      operation = "operation",
      details = "details",
    }
  }

  // Forward the processed logs to the Loki write component
  forward_to = [loki.write.to_loki.receiver]
}
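
An added example, not part of the original posts: a Go program that runs the stage.regex expression from the config above against the sample line from the first post and reports which stage.labels sources have no capture group behind them. It uses Go's regexp package (Alloy is written in Go); the function and variable names are made up for this check.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Expression copied from the stage.regex block in the post (Alloy string escapes removed).
var lineRE = regexp.MustCompile(`^(?P<log_timestamp_full>\S+)[[:space:]]+(?P<hostname>\S+)[[:space:]]+\s*(?P<internal_event_timestamp>\S+[[:space:]]+\S+)\s*[[:space:]]+(?P<controller_source>.*?)[[:space:]]+-[[:space:]]+-[[:space:]]+-[[:space:]]+(?P<message>.*)`)

// Extracted-map keys referenced by the stage.labels block in the post.
var labelSources = []string{"log_timestamp_full", "hostname", "internal_event_timestamp",
	"controller_source", "message", "operation", "details"}

// Sample line from the first post, kept truncated ("...") as it appears there.
const sampleLine = "2025-07-24T10:58:56.499773-05:00 omada.montysplace.local  2025-07-24 10:57:34 Home Omada Controller-Home - - - DHCP Server allocated IP address ..."

// extractFields returns the named capture groups for one line, or nil if it does not match.
func extractFields(line string) map[string]string {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return nil
	}
	out := map[string]string{}
	for i, name := range lineRE.SubexpNames() {
		if name != "" {
			out[name] = m[i]
		}
	}
	return out
}

// unfedLabels lists label sources that no capture group in the regex provides.
func unfedLabels(fields map[string]string) []string {
	var missing []string
	for _, src := range labelSources {
		if _, ok := fields[src]; !ok {
			missing = append(missing, src)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	f := extractFields(sampleLine)
	fmt.Printf("hostname=%q controller_source=%q\n", f["hostname"], f["controller_source"])
	fmt.Printf("message=%q\n", f["message"])
	fmt.Println("label sources with no capture group:", unfedLabels(f))
}
```

Loki creates a separate stream for every distinct combination of label values, so of the captured fields only hostname and controller_source are bounded; the two timestamps and message take a new value on nearly every line.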