You can do that lookup automatically using props and transforms.
But not at index time, which is usually where you set the host field value.
This is just one of those reasons why it is a bad idea to send syslog data straight to Splunk. If you put a syslog server in between, you could have that do DNS lookups and write the logs with a proper hostname.
Alternatively, if you get the syslog data really directly from the switch (so no aggregator / load balancer in between), you could try using:
connection_host = dns
in your inputs.conf.
PS: if you assign sourcetype=syslog to this, you might be looking at the syslog host extraction, which overwrites the host field you set in inputs.conf with the content of the event.
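The two options from the answer above, sketched as configuration; this is an added example, not part of the original post. The UDP port, the sourcetype name `switch_syslog` and the output field `host_dns` are assumptions; `dnslookup` is the external lookup that ships in Splunk's default transforms.conf, so no extra transforms.conf stanza is shown.

```ini
# ---- inputs.conf (on the instance that receives the syslog traffic) ----
# Index-time option: set host from a reverse DNS lookup of the sender's IP.
# Only meaningful when the switch sends directly to this input, with no
# aggregator or load balancer in between.
[udp://514]
connection_host = dns
# Assumed custom sourcetype. Using "syslog" here would trigger the syslog
# host extraction mentioned in the answer and overwrite the host value.
sourcetype = switch_syslog

# ---- props.conf (on the search head) ----
# Search-time option: automatic lookup that resolves the IP stored in host
# and writes the result to a separate field, leaving host itself untouched.
[switch_syslog]
LOOKUP-reverse_dns = dnslookup clientip AS host OUTPUT clienthost AS host_dns
```

With `connection_host = dns`, host values depend on the PTR records the resolver returns, so reverse DNS for the switch addresses should be under your control.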