I have a number of devices logging to an index feeding Splunk via Syslog on 514/UDP. Now, I want to route logs coming in over port 514 from two particular IP addresses to a specific index.
I would like anything with IP 192.168.1.2 to get indexed in an index called "web-gateway" and I do not want this configuration to affect anything else coming through via port 514.
From my understanding, I can do this using inputs.conf. I have read through the documentation for inputs.conf and the only thing in relation to IPs I can see in there is to blacklist or whitelist.
Can somebody advise how I can do this please?