Nope, I am using inputs.conf.

Hi @hiersdd,

my first hint is to use a syslogs server like rsyslog or syslog-ng so it receives syslogs also when Splunk is down.

You could also use the SC4S (https://splunkbase.splunk.com/app/4740) that's a syslog-ng and a Universal forwarder.

In this way you can easily manage inputs.

Anyway, did you tried to use an inpul like the following?

[udp://192.168.2.*:514]
connection_host = ip
index = checkpoint
sourcetype = syslog

Ciao.

Giuseppe

Thanks for the suggestion, I do admit and agree that the easiest and best option at this point is to just take the syslog-ng route but I was trying to figure out how to do this natively Splunk if possible.  It does not seem like the IP wildcard works in a TCP/UDP stanza, at least not in my 9.X UF:

ie this did not work:

[udp://192.168.2.*:514]
connection_host = ip
index = checkpoint
sourcetype = syslog

Additionally, I think I have figured out that the problem with using the acceptFrom as I originally showed was that Splunk will only process the first stanza of any particular PORT so there can't be a "fall back to the catchall" type logic if you are only using [udp://514] or [tcp://514]. You CAN have a generic port stanza and an IP specific stanza and that arrangement will be honored ie: 

[udp://192.168.1.1:514]

index=singularDeviceIndex

[udp://514]

index=catchallDeviceIndex

But I can't figure out how to make this work (or it just can't be done):

[udp://514]

acceptFrom=192.168.1.0/24

index=WhateversInThatSubnetOnly

[udp://514]

index=AnythingAndEverythingElse