I have the 4.2 universal forwarder installed on an Active Directory DC, but have been unable to assign the fqdn as the host value for ActiveDirectory (splunk-admon) events. Setting host=fqdn in inputs.conf sets the correct host value for WinEventLog and WMI events, but not for ActiveDirectory. Tried setting host=fqdn in admon.conf but it did not have any effect. Also tried the following transform but it still had no effect...
$splunkhome/etc/system/local/props.conf
[ActiveDirectory]
TRANSFORMS-rowandc = rowandc-host
$splunkhome/etc/system/local/transforms.conf
[rowandc-host]
DEST_KEY = MetaData:Host
REGEX = dcName=(\w*\.rowanads\.rowan\.edu)
FORMAT = host::$1
Sample data...
03/18/2011 11:25:50.073
dcName=ads4.rowanads.rowan.edu
admonEventType=Deleted
objectGuid=removed
distinguishedName=removed
host=ADS4 sourcetype=ActiveDirectory source=ActiveDirectory
That should work but you will need to restart every Indexer first (which you probably did not do). I would also use something like this instead of what you are using:
REGEX = dcName=(.*)[\r\n]
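An added example, not part of either post: the two REGEX values above checked against the sample event and two constructed variants, using Python's re module as a stand-in for Splunk's PCRE matching. REGEX_ALT, the variant events and the host_override helper are assumptions made for illustration.

```python
import re

# REGEX values as posted in the question and in the answer.
REGEX_QUESTION = r"dcName=(\w*\.rowanads\.rowan\.edu)"
REGEX_ANSWER = r"dcName=(.*)[\r\n]"
# Assumption: an alternative pattern added for this example, not from the page.
REGEX_ALT = r"dcName=([^\r\n]+)"

# Sample event from the question.
SAMPLE_EVENT = (
    "03/18/2011 11:25:50.073\n"
    "dcName=ads4.rowanads.rowan.edu\n"
    "admonEventType=Deleted\n"
    "objectGuid=removed\n"
    "distinguishedName=removed\n"
)
# Constructed variants: a hyphenated DC name, and dcName as the final
# line of the event with no trailing newline.
HYPHEN_EVENT = SAMPLE_EVENT.replace("ads4", "ads-4")
LAST_LINE_EVENT = "03/18/2011 11:25:50.073\ndcName=ads4.rowanads.rowan.edu"


def host_override(regex, event):
    """Emulate DEST_KEY = MetaData:Host with FORMAT = host::$1.

    Returns the string the transform would write, or None when REGEX
    does not match (the event would keep its original host value).
    """
    match = re.search(regex, event)
    return "host::" + match.group(1) if match else None


if __name__ == "__main__":
    cases = [("sample", SAMPLE_EVENT), ("hyphen", HYPHEN_EVENT),
             ("last line", LAST_LINE_EVENT)]
    for name, regex in [("question", REGEX_QUESTION),
                        ("answer", REGEX_ANSWER), ("alt", REGEX_ALT)]:
        for label, event in cases:
            print(f"{name:8} {label:9} -> {host_override(regex, event)}")
```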