From another Splunk Answers post, "How to Configure timestamps for events with multiple timestamps", gkanapathy mentioned: "It is very likely that the host that you see in the event (foo.bar.com) is being set because your sourcetype is syslog. The actual host for a syslog event may or may not be the same." If this were true, how do I apply the timestamp extraction config by host? Or is there a workaround?
If there are multiple timestamps, you can use a custom DATETIME_CONFIG instead of specifying TIME_FORMAT and TIME_PREFIX. This is not heavily documented, but basically, you create a custom version of the $SPLUNK_HOME/etc/datetime.xml file (remove the default patterns, and insert the specific patterns that you want to match), then set DATETIME_CONFIG to point to this new custom file instead of using TIME_FORMAT/TIME_PREFIX.
Note that if TIME_FORMAT fails to match or is not specified, Splunk will fall through and try the DATETIME_CONFIG file to find a timestamp in an event. The default Splunk datetime.xml has several common patterns, and is what is used by Splunk to "guess" at timestamps in an event. If you have a specific set of patterns, you can make the timestamp extraction more precise, more controlled, and less CPU-intensive (and faster) with a custom DATETIME_CONFIG.
You can apply it to the hosts, provided you know the host name ahead of time, and it's the host name that Splunk sees coming in before any TRANSFORMS are applied. Note that syslog sourcetypes usually TRANSFORM the host to whatever is in the event text, so what is indexed is not what Splunk sees coming in.
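As an added worked example (not code from the original thread or from Splunk itself) of the custom DATETIME_CONFIG approach described above: a trimmed datetime.xml that defines only one timestamp pattern, so Splunk never considers the syslog header date. The file path, the app name `my_app`, and the sample event shape (a syslog header like `Jan 12 10:15:03` followed by an embedded ISO 8601 timestamp such as `2013-01-12T10:14:58.123Z`) are assumptions for illustration; the `<define>`/`<use>` structure and the `extract` field names follow the stock $SPLUNK_HOME/etc/datetime.xml. The regexes are illustrative and should be tuned to your real events.

```xml
<!-- Assumed location: $SPLUNK_HOME/etc/apps/my_app/local/iso_only_datetime.xml
     Custom DATETIME_CONFIG (added example, not the Splunk default file).
     Only the embedded ISO 8601 timestamp is defined, so the syslog header
     date in the same event is never a candidate. -->
<datetime>

  <!-- Date part: year, month, day from "2013-01-12T10:14:58".
       The time fields are matched but not captured here; they anchor the
       regex so a bare "2013-01-12" elsewhere in the event is not picked up. -->
  <define name="_isodate" extract="year, month, day">
    <text><![CDATA[(\d{4})-(\d{2})-(\d{2})T\d{2}:\d{2}:\d{2}]]></text>
  </define>

  <!-- Time part: hour, minute, second, optional fractional seconds,
       and the zone ("Z" or "+01:00"). Unmatched optional groups are
       left empty, as the stock file does for optional subseconds. -->
  <define name="_isotime" extract="hour, minute, second, subsecond, zone">
    <text><![CDATA[\d{4}-\d{2}-\d{2}T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:?\d{2})]]></text>
  </define>

  <!-- Only the patterns listed here are tried; the stock file lists
       a dozen or so of each, which is what makes its "guessing" slower. -->
  <timePatterns>
    <use name="_isotime"/>
  </timePatterns>
  <datePatterns>
    <use name="_isodate"/>
  </datePatterns>

</datetime>
```

To wire it in per host, as the answer above suggests, point a host stanza in props.conf at the file (path is relative to $SPLUNK_HOME) and leave TIME_FORMAT and TIME_PREFIX unset in that stanza so Splunk goes straight to the custom file, for example `[host::foo.bar.com]` followed by `DATETIME_CONFIG = /etc/apps/my_app/local/iso_only_datetime.xml`. Two checks before relying on it: first, the stanza key must be the host value Splunk sees at input time, so for syslog arriving through a relay that will often be the relay's name rather than the `foo.bar.com` later written into the event by the sourcetype's host transform; second, timestamp settings are applied at index time, so restart the indexer (or the forwarder doing the parsing) and confirm with a few fresh events that `_time` now matches the embedded timestamp rather than the syslog header.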