My Splunk server is listening to UDP port 514 for syslog information. How can I route data to a given index based on the originating host? For example, the network-related devices need to be routed to the index designated for those devices while security devices need to have their dat routed to that index. Thanks.
You might try the approach listed here:
http://answers.splunk.com/questions/1958/cant-route-forwarded-data-to-different-index
But, a better plan might be to set up multiple UDP ports and have each device send to an index-specific port. In the long run that might scale better for you.