Lisa, I think you misunderstood the question. The question wasn't about setting the host field correctly in Splunk, but about changing the syslog header when forwarding the data. I have the same problem and haven't yet found a solution...
...let me give an example.
Setting:
Machine Forwarder ---> Indexer --> syslog host
Log / Event (1) (2) (3)
During its travel from (1) to (3), a log line looks as follows:
(1) Oct 30 08:25:43 xxxx yyyy.zzzz aaaa
(2) Oct 30 08:25:43 xxxx yyyy.zzzz aaaa
_time=Oct 30 08:25:43 host=xxxx sourcetype=syslog ...
(3) Oct 30 08:25:45 mmm nnn.ooo Oct 30 08:25:43 xxxx yyyy.zzzz aaaa
xxxx: original host
mmm: Indexer hostname
yyyy.zzzz: original facility.priority
nnn.ooo: facility.priority set in outputs.conf of mmm for syslog forwarding
aaaa: original message
This means that all data being received by the syslog host seems to be originating from the Splunk Indexer and has the same facility.priority (if one is not using different stanzas in outputs.conf, e.g. for different source types).
In the case of (1) being syslog, the syslog host can parse the message and take the original hostname (xxxx) and facility.priority (yyyy.zzzz) out of the message.
But if (1) does not contain a hostname, the original host cannot be inferred from (3). For this, the Splunk Indexer would need to add, when forwarding data by syslog, a syslog header containing the value of the host field (per event) instead of its own hostname.
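The workaround described in the post for the case where the original event is itself syslog (parse the outer, Indexer-added header and then the inner header to recover the original host and facility.priority) can be written as a small parser. The code below is an added example, not from the original thread or from Splunk; it assumes the "<Mon DD HH:MM:SS> <host> <facility.priority> <message>" layout the post uses for lines (1) and (3), and the sample lines, hostnames and messages are constructed placeholders. It also shows the failure mode from the last paragraph: when the inner message carries no syslog header, the only host available is the Indexer's, and the result is flagged so that detection logic does not silently attribute the event to the relay.

```python
import re
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Header layout as sketched in the post (assumption, not Splunk's exact output):
#   "Oct 30 08:25:43 <host> <facility.priority> <message>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<fp>[a-z0-9]+\.[a-z0-9]+) "
    r"(?P<msg>.*)$"
)


@dataclass
class ForwardedEvent:
    relay_ts: str            # timestamp written by the Indexer (line (3) in the post)
    relay_host: str          # the Indexer's own hostname ("mmm")
    relay_fp: str            # facility.priority from the Indexer's outputs.conf ("nnn.ooo")
    origin_ts: Optional[str]     # timestamp of the original event, if a header was found
    origin_host: Optional[str]   # original host ("xxxx"), if recoverable
    origin_fp: Optional[str]     # original facility.priority ("yyyy.zzzz"), if recoverable
    message: str             # payload with all recognised headers stripped
    origin_recovered: bool   # False when the inner message had no syslog header


def parse_header(line: str) -> Optional[dict]:
    """Split one syslog-style header off the front of a line, or return None."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def unwrap_forwarded(line: str) -> ForwardedEvent:
    """Parse a line as received by the syslog host (stage (3)).

    The outer header is always the Indexer's. If the remaining message starts
    with another header, that is the original event's header (stage (1)) and
    the original host and facility.priority are taken from it.
    """
    outer = parse_header(line)
    if outer is None:
        raise ValueError("line does not start with a syslog header: %r" % line)
    inner = parse_header(outer["msg"])
    if inner is None:
        # Original event was not syslog: the Indexer's header is all we have.
        return ForwardedEvent(outer["ts"], outer["host"], outer["fp"],
                              None, None, None, outer["msg"], False)
    return ForwardedEvent(outer["ts"], outer["host"], outer["fp"],
                          inner["ts"], inner["host"], inner["fp"],
                          inner["msg"], True)


def attribute_hosts(lines: List[str]) -> List[Tuple[str, bool]]:
    """Return (host to attribute the event to, confidence) per line.

    confidence is True only when the host came from the original event's own
    header; otherwise the relay host is returned and marked as a fallback.
    """
    out = []
    for line in lines:
        ev = unwrap_forwarded(line)
        if ev.origin_recovered:
            out.append((ev.origin_host, True))
        else:
            out.append((ev.relay_host, False))
    return out


# Constructed sample lines as they would arrive at the syslog host.
# Case A: original event was syslog, so an inner header is present.
SAMPLE_SYSLOG_ORIGIN = (
    "Oct 30 08:25:45 splunk-idx01 user.notice "
    "Oct 30 08:25:43 webserver01 auth.info "
    "sshd[4242]: Accepted publickey for deploy from 10.0.0.5"
)
# Case B: original event was an application log without a syslog header.
SAMPLE_NON_SYSLOG_ORIGIN = (
    "Oct 30 08:25:45 splunk-idx01 user.notice "
    "2024-10-30T08:25:43Z level=warn app=payments msg=\"retry budget exhausted\""
)

if __name__ == "__main__":
    for sample in (SAMPLE_SYSLOG_ORIGIN, SAMPLE_NON_SYSLOG_ORIGIN):
        ev = unwrap_forwarded(sample)
        print("relay=%s origin=%s fp=%s recovered=%s msg=%r" % (
            ev.relay_host, ev.origin_host, ev.origin_fp, ev.origin_recovered, ev.message))
```

The `origin_recovered` flag is the part worth keeping in any downstream rule: every event that arrives with `False` is one whose true source the syslog host cannot know, which is exactly the gap the post is asking Splunk to close by writing the per-event host field into the forwarded header.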