In the case where there are no digits, you have to declare them as optional in your regex, maybe like this ndgracs(\d+)?.dom1.dom2.com

In props, I have both hosts stanzas going to the same stanza in transforms

Well, I tried it, but I'm getting the same results. It finds ndgracs01 and puts it in the right index, but ndgracs goes to the default.

ndgracs\d+\.dom1\.dom2\.com should do the job, although it would need testing 🙂 I can't recall how exacting it is at index time, perhaps ndgracs(\d+\.|\.)dom1\.dom2\.com

My RegEx is a little weak. So if my 2 hostnames were ndgracs.dom1.dom2.com and ndgracs01.dom1.dom2.com, how would the RegEx look?

Well this is a rex statement so you'll want to use something like \d+ which means match a number and the plus means keep consuming the characters until the number ends

I used a * and it didn't work. You're saying to use +?

how about if you just create the one stanza to rule them all? Using a regex like temp\d+.domain1.domain2.com?

Yes. The whole reason I am doing these hosts this way is because it is coming from UDP:514, and these devices can't use an alternate port, which is how I normally direct my different sources to different indexes.

Are the both arriving via the same source?

Thanks for noticing!

No, that was a mistake in my editing for this post. They are both the same ending.

this might be a silly question but is it just a mistake where in props they are both .com and in transforms one is .gov?

This might not be a regex issue. Try renaming the second props stanza as the following:

[host::temp001.domain1.domain2.com]
TRANSFORMS-idx_routing2 = temp001_idx_routing