Nice! This appears to solve the problem neatly for the test. Just make sure that when you define the TCP input in Splunk, you specify sourcetype=syslog (you can select it from the list). This will ensure that Splunk extracts the host name from the syslog events, rather than using the host name of the rsyslog server.