I am seeing many references about how the "syslog" sourcetype takes the hostname from the /var/log/messages logs, by design. However, we want the FQDN. I am also pushing the Linux T/A via Deployment Server, so I cannot easily override etc/system/default/transforms.conf.
How do I get FQDN for ALL of my linux /var/log logs?
If you want to override the default syslog-host stanza in transforms.conf, then you can put your custom configuration on the Indexer/Heavy Forwarder in the path $SPLUNK_HOME/etc/apps/<APP_NAME>/local/transforms.conf. This will take precedence over system/default, based on the Configuration file precedence document.
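What such an app-local override can look like, as an added example that is not part of the answer above; the app name, the regex and the sample log line are constructed for illustration:

```ini
# $SPLUNK_HOME/etc/apps/<APP_NAME>/local/transforms.conf on the indexer or heavy forwarder.
# Constructed example: the stanza keeps the same name as the one shipped in
# etc/system/default/transforms.conf, so the app-local copy wins by configuration
# file precedence and the default [syslog] props.conf entry (TRANSFORMS = syslog-host)
# picks it up unchanged.

[syslog-host]
DEST_KEY = MetaData:Host
# Capture the host field that follows the BSD syslog timestamp. The character class
# keeps dots and hyphens, so a dotted name is captured whole instead of being cut
# at the first dot.
# Constructed sample line:
#   Mar  4 10:15:22 web01.corp.example.com sshd[1234]: Accepted publickey for deploy
# captures "web01.corp.example.com".
REGEX = ^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+([\w.-]+)\s
FORMAT = host::$1
```

If rsyslog itself writes only the short hostname into /var/log/messages, no transform can recover the domain part from the event; the FQDN then has to be logged at the source, or a fixed domain appended in FORMAT (for example `host::$1.corp.example.com`, assumed here, with the domain as a placeholder).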