I'm getting frustrated with one server ending up in my index with both "hostname" and "hostname.domainname" depending on the indexed data.

I've found a post talking about tagging (http://answers.splunk.com/questions/456/how-do-i-hard-code-the-fqdn-as-the-host-attribute-and-how-do-i-move-all-the-ol) which pointed to a doc page (http://www.splunk.com/base/Documentation/4.1/Knowledge/Tagthehostfield).

I don't have splunk up and running in production as I'm still in an evaluation/test phase - in my test environment I keep testing and reinstalling/cleaning the indexes if nessecary, so I'm trying to get this right from scratch/the start...

All servers in my testenvironment run SplunkLightForwarders. The only unit using syslog (for now) is my firewall that sends all logs to my splunk indexer/receiver on port 514/udp.

Questions:

1) When splunk (4.1.3, then been upgraded to 4.1.4) is installed on Linux, $SPLUNK_HOME/etc/system/local/inputs.conf and server.conf inserts the full servername including the domain (hostname.domain). On Windows, only hostname is set in these variables. Why? I need/want the full name, not only a simple hostname. I changed the variables on a windows server to be a full name with hostname and domain in the two config files and added a file monitor to a file on that server and on one of the other. The one I edited put the full name as host while the other server just gave me hostname. Thats why I'm wondering why splunk inserts different in Windows and Linux (hostname Vs hostname.domain).

2) Lets say I've got splunk running with data I don't want to loose. Is it possible to change the host value for those who only have "hostname", perhaps with reindexing? Or is tagging the only way to get the right search result (tagging hostname host values with hostname.domain)?