https://community.splunk.com/t5/Getting-Data-In/Host-override-not-working/m-p/760416#M120458 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/313049">@gnagasri</a>&nbsp;,</P><P>where did you locate these conf files?</P><P>they must be located on the first Heavy Forwarder where data pass through or (if there isn't any Heavy Forwarder) on Indexers.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 23 Apr 2026 15:07:37 GMT gcusello 2026-04-23T15:07:37Z https://community.splunk.com/t5/Getting-Data-In/Host-override-not-working/m-p/760415#M120457 <P>Sample events - working in regex101 :&nbsp;<A href="https://regex101.com/r/LuC6ZQ/1" target="_blank" rel="noopener">https://regex101.com/r/LuC6ZQ/1</A></P><P>| rex field=_raw "nsssvcip\=(?&lt;host&gt;\d+\.\d+\.\d+\.\d+)" - working in Splunk UI search bar.</P><LI-CODE lang="markup">Transforms.conf [aaa_sourcetype] DEST_KEY = MetaData:Host FORMAT = host::$1 REGEX = nsssvcip\=(\d+\.\d+\.\d+\.\d+) Props.conf TRANSFORMS-01-set_host = aaa_sourcetype</LI-CODE><P>&nbsp;</P><P>But when applied the above, it doesnt work for&nbsp; 1st sample event. Kindly suggest.</P> Thu, 23 Apr 2026 14:40:35 GMT https://community.splunk.com/t5/Getting-Data-In/Host-override-not-working/m-p/760415#M120457 gnagasri 2026-04-23T14:40:35Z https://community.splunk.com/t5/Getting-Data-In/Host-override-not-working/m-p/760416#M120458 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/313049">@gnagasri</a>&nbsp;,</P><P>where did you locate these conf files?</P><P>they must be located on the first Heavy Forwarder where data pass through or (if there isn't any Heavy Forwarder) on Indexers.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 23 Apr 2026 15:07:37 GMT https://community.splunk.com/t5/Getting-Data-In/Host-override-not-working/m-p/760416#M120458 gcusello 2026-04-23T15:07:37Z https://community.splunk.com/t5/Getting-Data-In/Host-override-not-working/m-p/760419#M120459 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/313049">@gnagasri</a>&nbsp;</P><P>Your match is at position 5321 in the string however the default limit is 4096 regex lookahead, try setting the LOOKAHEAD value in your transform stanza to a higher value (eg 7000):</P><LI-CODE lang="markup">LOOKAHEAD = &lt;integer&gt; * NOTE: This option is valid for all index time transforms, such as index-time field creation, or DEST_KEY modifications. * Optional. Specifies how many characters to search into an event. * Default: 4096 * You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).</LI-CODE><P>For more info check out the transforms docs at&nbsp;<A href="https://help.splunk.com/en/data-management/splunk-enterprise-admin-manual/9.4/configuration-file-reference/9.4.0-configuration-file-reference/transforms.conf#:~:text=LOOKAHEAD%20%3D%20%3Cinteger%3E" target="_blank">https://help.splunk.com/en/data-management/splunk-enterprise-admin-manual/9.4/configuration-file-reference/9.4.0-configuration-file-reference/transforms.conf#:~:text=LOOKAHEAD%20%3D%20%3Cinteger%3E</A></P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Thu, 23 Apr 2026 15:48:58 GMT https://community.splunk.com/t5/Getting-Data-In/Host-override-not-working/m-p/760419#M120459 livehybrid 2026-04-23T15:48:58Z https://community.splunk.com/t5/Getting-Data-In/Host-override-not-working/m-p/760422#M120460 You should try this.<BR />There are lot of other limits like TRUNCATE etc which could also hit, especially in some other issues. I really suggest that you should read those spec files and additionally limits.conf is one useful Thu, 23 Apr 2026 18:00:34 GMT https://community.splunk.com/t5/Getting-Data-In/Host-override-not-working/m-p/760422#M120460 isoutamo 2026-04-23T18:00:34Z https://community.splunk.com/t5/Getting-Data-In/Host-override-not-working/m-p/760486#M120464 <P>This worked. Thankyou.</P> Mon, 27 Apr 2026 05:45:14 GMT https://community.splunk.com/t5/Getting-Data-In/Host-override-not-working/m-p/760486#M120464 gnagasri 2026-04-27T05:45:14Z