https://community.splunk.com/t5/Getting-Data-In/Sourcetypes-on-UDP-syslog-data/m-p/236601#M99063 <P>It looks like could possibly work for what you need. You can also look into installing syslog-ng, kiwi syslog, or rsyslog on your server. This would allow for more advanced filtering of data and you could send data to different directories as it was being collected.</P> <P>From there you could have different monitoring stanzas to look at different directories of data and assign sourcetypes that way. That's probably the cleanest way to do it and the most recommended so that you won't have any data loss in the event that Splunk needs to be restarted or shuts down unexpectedly. </P> Fri, 01 Jul 2016 18:44:19 GMT ryanoconnor 2016-07-01T18:44:19Z https://community.splunk.com/t5/Getting-Data-In/Sourcetypes-on-UDP-syslog-data/m-p/236599#M99061 <P>When receiving syslog data via UDP:514, is there a way to specify the sourcetype based on the IP address of the device sending the data?</P> Fri, 01 Jul 2016 17:42:09 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetypes-on-UDP-syslog-data/m-p/236599#M99061 timmy13 2016-07-01T17:42:09Z https://community.splunk.com/t5/Getting-Data-In/Sourcetypes-on-UDP-syslog-data/m-p/236600#M99062 <P>Interesting related discussion at - <A href="https://answers.splunk.com/answers/38547/sending-certain-logs-from-udp-port-514-to-specific-indexes.html">Sending certain logs from UDP port 514 to specific indexes</A></P> Fri, 01 Jul 2016 17:52:33 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetypes-on-UDP-syslog-data/m-p/236600#M99062 ddrillic 2016-07-01T17:52:33Z https://community.splunk.com/t5/Getting-Data-In/Sourcetypes-on-UDP-syslog-data/m-p/236601#M99063 <P>It looks like could possibly work for what you need. You can also look into installing syslog-ng, kiwi syslog, or rsyslog on your server. This would allow for more advanced filtering of data and you could send data to different directories as it was being collected.</P> <P>From there you could have different monitoring stanzas to look at different directories of data and assign sourcetypes that way. That's probably the cleanest way to do it and the most recommended so that you won't have any data loss in the event that Splunk needs to be restarted or shuts down unexpectedly. </P> Fri, 01 Jul 2016 18:44:19 GMT https://community.splunk.com/t5/Getting-Data-In/Sourcetypes-on-UDP-syslog-data/m-p/236601#M99063 ryanoconnor 2016-07-01T18:44:19Z