Hi all,
Let me explain my infrastructure here. We have 6 dedicated syslog servers which forward data from network devices to a Splunk indexer cluster (6 indexers), a cluster manager and 3 search heads. It's a multisite cluster (2 indexers in each site, 1 SH, and 2 syslog servers to receive network data). 1 Dep server and 1 deployer overall.
The application team will provide an FQDN and we need to map it to a new index by creating it and assigning that index to that application team.
Can you please let me know how to proceed with this data ingestion?
I'm a little bit lost on your architecture to be honest.
But if I understand your later comments correctly, you want to restrict teams responsible for sending the data from sending to unauthorized indexes, right?
It can be tricky depending on the overall ingestion process, but while "normal" s2s has no restrictions on the sent data (so as long as you accept data from a forwarder, you're accepting it into whatever index it's meant for), the new Splunk versions let you limit s2s-over-http connections to only the index(es) authorized for a particular HEC token.
If we're talking syslog here then you should handle it on the syslog daemon level.
I still think you're making things harder for yourself. The DS should be able to deploy an app with inputs.conf stanzas for each application. Or are all applications writing to the same file? That would explain the requirement, but having such a file would seem to be a security concern as much as having a common index.
I believe index=if... needs to be index:=if... in f5_waf-route_to_index
I totally agree with others that you are trying to shoot yourself in the foot.
Try to keep things as simple as possible.
Why don't you want to use your DS with correctly defined classes? Just put index=xxxx on those and deploy them to the correct nodes. It's much easier to create and debug them. It's also much lighter and faster in the indexing phase.
r. Ismo
Sorry if this is troubling everyone... I am new to Splunk admin and still learning..
We have network logs coming in and they will be collected via a dedicated syslog server (configured using FQDN) and forwarded to our indexers via the UF installed on that server.
Currently we have a deployment server which forwards all the logs to the indexer via a created index, and then in the cluster manager we are writing props.conf and transforms.conf in such a way that a specific FQDN goes to a specific index name which is already mentioned in the logs (we will give them the index name).
Where else can we write this rule, I mean props and transforms? Can we write it in the dep server?
Can we do this in any easier and faster way? If yes, please help me with the exact approach, anyone... it will be really helpful for me...
I'm sure the syslog server has the ability to segregate traffic by a number of factors - including IP address and perhaps FQDN. The segregated data should be written to separate files to be monitored by separate inputs.conf stanzas. Each monitored file can have a different destination index.
Where do I need to put this inputs.conf? Are you talking about the log paths that we write in the UF?
inputs.conf is part of the Splunk Universal Forwarder configuration and is sent out by the Splunk Deployment Server.
I don't understand the second question. The UF does not write to log paths, except for its own (internal) logs.
The segregated data should be written to separate files to be monitored by separate inputs.conf stanzas ----> where do I need to put this inputs.conf? In the deployment server? Because in the UF, deploymentclient.conf will be given, right?
How do I get data from a particular FQDN from the syslog server to the indexer finally? What conf should be given? Where do I declare the index for that? Please be specific.
In addition to what @gcusello wrote, the application teams should be specifying the correct index names in their inputs.conf files rather than you changing the name during ingest (which will slow ingest).
That said, consider using INGEST_EVAL with a lookup table.
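The two approaches discussed above (per-sender files with their own inputs.conf stanzas, and an INGEST_EVAL lookup on the indexers) written out as an added example; this is not configuration from any poster in the thread. It assumes a constructed directory layout /var/log/network/<fqdn>/ on the syslog server, made-up FQDNs and index names, and a Splunk 9.x indexer for the ingest-time lookup() function.

```ini
# inputs.conf - deployed by the Deployment Server to the syslog-server UFs.
# Assumes the syslog daemon already writes each sender into its own
# directory, e.g. /var/log/network/waf01.example.com/messages (constructed).
# Because each directory holds exactly one sender, the index is fixed here
# and no rewriting is needed on the indexers.
[monitor:///var/log/network/waf01.example.com]
index = app_waf
sourcetype = f5:waf
host_segment = 4
disabled = 0

[monitor:///var/log/network/fw01.example.com]
index = app_firewall
sourcetype = syslog
host_segment = 4
disabled = 0

# --- Alternative, pushed from the cluster manager to the peers, only when
# several senders share one file and the UF cannot set the index itself.

# props.conf
[syslog]
TRANSFORMS-route_to_index = fqdn_route_to_index

# transforms.conf
# ':=' overwrites the existing index field ('=' would not). The lookup file
# fqdn_to_index.csv (constructed, columns fqdn,index) lives in this app's
# lookups/ directory on the peers. coalesce() keeps the original index when
# the host is not in the table, so unmapped senders are not dropped.
[fqdn_route_to_index]
INGEST_EVAL = index:=coalesce(json_extract(lookup("fqdn_to_index.csv", json_object("fqdn", host), json_array("index")), "index"), index)

# lookups/fqdn_to_index.csv (constructed sample)
# fqdn,index
# waf01.example.com,app_waf
# fw01.example.com,app_firewall
```

Every target index must already exist on the peers, otherwise the event is rejected at index time, so create the index in the cluster manager's indexes.conf before adding a row to the lookup.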
Hi @Karthikeya ,
let me understand:
why do you want to create a new index for each application or for each team?
Usually indexes are defined based on retention and access rules; in other words, in one index you should usually store logs (also different ones) with the same retention and the same access rules.
Could you better describe your requirements?
Ciao.
Giuseppe
@Karthikeya I didn't get your question at all.