I tested this with your sample data and the following configuration works where hostname is rewritten to ca693292l2:
apply to indexers
$SPLUNK_HOME/etc/system/local/props.conf (or if using indexer clustering deploy through the cluster master which will put the configs in: $SPLUNK_HOME/etc/slave-apps/_cluster/local/props.conf )
[source::.../opt/splunkforwarder/customerlogs/syslog/test.log]
TRANSFORMS-force_host = force_host
$SPLUNK_HOME/etc/system/local/transforms.conf
[force_host]
REGEX = \w+\s\d+\s\d\d:\d\d:\d\d\s(\w+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
WRITE_META = true
... View more