Tried suggestions from other Q/A, but alas. Trying to route syslog data from one host to an index other than main. The host is a NetApp filer and there is no option to install a forwarder, so it's just sending data on 514. Single indexer/search head; target index is set up and named 'netapp'.
It's possible that your host value is not in fact host.fqdn. If your sourcetype is syslog, Splunk applies a transform that modifies the host according to what's in the event data. But the selection of rules from props.conf is applied based on the *un*transformed host, so it may be the IP address, or something.
This is much easier to deal with if you receive the data using syslog or syslog-ng or rsyslog, write it to a set of files split out by hostname, and then have Splunk monitor those files, using the host_segment or host_regex to set the host name.
Also (and this isn't why it's failing), don't use .* as your matching regex. There's no need to match up against the entire string. Simply . or (?=) will work fine.
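A sketch of the index routing described in this answer, added here as an example and not taken from the original post. It assumes the filer's events arrive with its source IP as the untransformed host; `192.0.2.10` is a placeholder address, and the names `route_netapp` and `netapp_to_index` are hypothetical.

```ini
# props.conf (on the indexer)
# Key the stanza on the host value as it is BEFORE the syslog host
# transform runs. For a direct UDP 514 input that is typically the
# sender's IP or reverse-DNS name, not the hostname inside the event.
# 192.0.2.10 is a placeholder for the filer's address.
[host::192.0.2.10]
TRANSFORMS-route_netapp = netapp_to_index

# transforms.conf (on the indexer)
# Rewrite the index metadata key for every event matched by the
# props.conf stanza above. A single-character match is sufficient,
# so "." is used instead of ".*".
[netapp_to_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = netapp
```

These are index-time settings, so they affect only events received after the indexer is restarted with the new configuration. Searching `index=netapp` over recent time and checking the `host` values confirms whether the stanza matched.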