Hi,
Note: I am using Splunk Universal Forwarder.
We are forwarding logs from our central syslog server to a new Splunk server.
In the universal forwarder I am trying to put in a transform to change the host field to the machine that sent the syslog logs to the central syslog server.
All the syslog records have s_local@hostname in the record, so I want to extract this hostname field. The log files themselves are under the path /var/log/HOSTS/ on the central syslog server. The problem is that only the syslog server shows up in the host field on the Splunk server (syslog server name = hds1prd).
The files on the forwarder are:

- inputs.conf

[monitor:///var/log/HOSTS/...]
disabled = 0
followTail = 0
sourcetype = syslog
whitelist = 2012

- props.conf

# stanza name must match the sourcetype exactly (no spaces inside the brackets)
[syslog]
TRANSFORMS-t1 = rename_host

- transforms.conf

[rename_host]
# capture the token that follows "s_local@" up to the next whitespace
REGEX = s_local@([^\s]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
Any help will be much appreciated,
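As an added example, not part of the original post: a small Python check of what the REGEX from the transforms.conf above would capture on sample syslog records. The sample lines, the fallback host value and the stricter regex variant are constructed assumptions for this illustration; the script only exercises the pattern, it does not reproduce Splunk's index-time host rewriting. It shows one caveat a practitioner would want to know before deploying: `[^\s]+` runs up to the next whitespace, so any punctuation glued to the hostname (for example a trailing colon) ends up in the host value.

```python
import re

# Pattern as written in the question: everything after "s_local@" up to whitespace.
HOST_REGEX = re.compile(r"s_local@([^\s]+)")

# Tighter variant (an assumption, not from the original post): stop at the first
# character that is not valid in a hostname, so trailing ":" or "," is not captured.
HOST_REGEX_STRICT = re.compile(r"s_local@([A-Za-z0-9._-]+)")


def extract_host(line, default_host, regex=HOST_REGEX):
    """Return the hostname captured by `regex`, or `default_host` when the line
    carries no s_local@ marker (the record would keep the forwarder's host)."""
    match = regex.search(line)
    return match.group(1) if match else default_host


# Constructed sample records, loosely shaped like syslog lines; not taken from the post.
SAMPLE_LINES = [
    "Jan  5 10:12:01 s_local@web01 sshd[2211]: Accepted publickey for admin",
    "Jan  5 10:12:02 s_local@db02: cron[101]: (root) CMD (run-parts)",
    "Jan  5 10:12:03 hds1prd rsyslogd: record without an origin marker",
]


def rewrite_hosts(lines, default_host="hds1prd", regex=HOST_REGEX):
    """Map each record to the host value the transform would assign to it."""
    return [extract_host(line, default_host, regex) for line in lines]


if __name__ == "__main__":
    for line, host in zip(SAMPLE_LINES, rewrite_hosts(SAMPLE_LINES)):
        print(f"{host:10s} <- {line}")
    # The strict pattern drops the trailing colon on the second record.
    print("strict:", rewrite_hosts(SAMPLE_LINES, regex=HOST_REGEX_STRICT))
```

Running the script prints the host each record would receive under both patterns; the third record has no marker and keeps the syslog server's name, which is the same symptom described in the question when the transform is not applied at all.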