I have a v4.1.4 full forwarder setup to forward the Windows system and application event logs to a v4.1.4 indexer. At this point, events coming from both event logs have the hostname of the forwarder (sbkhpsim1) in the "host=" field. However, in the application event log only, I need to substitute the forwarder's hostname in the "host=" field to the name of a host within the event. Below are the inputs.conf, props.conf, and transforms.conf files from the forwarder. The REGEX to do the substitution works, so I don't think that's the issue. ANY help is appreciated.

inputs.conf

host = sbkhpsim1

[WinEventLog:System]
disabled = false

[WinEventLog:Application]
disabled = false
sourcetype = WindowsAppEventLog

props.conf

[WindowsAppEventLog]
TRANSFORMS-sim = GetEventOrigName

transforms.conf

[GetEventOrigName]
REGEX = ^Event\soriginator:\s(\w+\-?\w+)
DEST_KEY = MetaData:Host
FORMAT = host::$1

Event Text

05/15/12 07:30:01 AM
LogName=Application
SourceName=HP Systems Insight Manager
EventCode=3
EventType=1
Type=Error
ComputerName=SBKHPSIM1
Category=0
CategoryString=none
RecordNumber=57175
Message=sbkesx14: (SNMP) Accelerator Board Status Change (3038): 
Event Name: (SNMP) Accelerator Board Status Change (3038)
URL: http://sbkhpsim1.win.dowjones.net:280/mxportal/MxContextLaunch.jsp?systems=sbkesx14&tool=System%20Pa...
Event originator: sbkesx14
Event Severity: Critical
Event received: 15-May-2012, 07:28:51

Event description: Accelerator Board Status Change.  This trap signifies that the agent has detected a change in the status of an array accelerator cache board.  The current status is represented by the variable cpqDaAccelStatus.  User Action: If the accelerator board status is permDisabled(5), you may need to replace the accelerator board.

Location: Slot 6
Model: sa-p400
Serial Number: PA2270J9SW1878
Total Memory: 524288
Status: tmpDisabled
Error Code: lowBattery