New to Splunk here. I have configured 100 servers to send syslog data. I did this by using puppet to install the universal forwarder, and set a deployment server address to my Splunk server, then in Splunk, I built an app to send syslog data back (using inputs.conf and outputs.conf). The app gets deployed.
I now have syslog data in my Splunk install!
However, given some history on some of these servers, I am getting multiple hostnames per server. (mostly abc and abc.domain.com)
Can I configure Splunk to overwrite the hostname from the logs?