How to find app by using a log source in search query?
Hi,
I have a log source (/logs/abc/def). I want to know which apps are using this log source in their inputs.conf.
Can someone provide me the search query?


Since it's inputs.conf, they'll be distributed among the forwarders and so harder to search. The best approach likely will be to use the CLI to scan the deployment-apps directory on the Deployment Server.
find /opt/splunk/etc/deployment-apps -name inputs.conf -print0 | xargs -r0 grep -Hi "logs/abc/def"
A complicating factor is the potential use of wildcards ('*' and "...") in monitor stanzas. I'm sure you can modify the grep to find those.
If this reply helps you, Karma would be appreciated.
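One way to handle the wildcard case mentioned in the reply above, as an added example that is not part of the original post: it translates each monitor stanza into a regex ('...' recurses through directories, '*' stays within one path segment, and a monitored directory covers everything beneath it) and reports which app directories cover a given log path. The function names are hypothetical, and the layout `<apps_root>/<app>/{default,local}/inputs.conf` with Unix-style paths is assumed.

```python
import re
import sys
from pathlib import Path

def monitor_to_regex(monitor_path):
    """Translate a Splunk monitor path into a compiled regex."""
    out = []
    for part in re.split(r"(\.\.\.|\*)", monitor_path.rstrip("/")):
        if part == "...":
            out.append(".*")        # recurses through any number of directories
        elif part == "*":
            out.append("[^/]*")     # anything within a single path segment
        else:
            out.append(re.escape(part))
    # A monitored directory also covers every file beneath it.
    return re.compile("".join(out) + r"(/.*)?")

def monitor_stanzas(conf_text):
    """Yield the path of every [monitor://...] stanza header in inputs.conf text."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*\[monitor://(.+?)\]\s*$", line)
        if m:
            yield m.group(1)

def apps_monitoring(log_path, apps_root):
    """Return sorted (app, conf_file, stanza_path) tuples whose stanza covers log_path."""
    root = Path(apps_root)
    hits = []
    for conf in root.rglob("inputs.conf"):
        app = conf.relative_to(root).parts[0]   # first directory below the root
        for stanza in monitor_stanzas(conf.read_text(errors="replace")):
            if monitor_to_regex(stanza).fullmatch(log_path):
                hits.append((app, str(conf), stanza))
    return sorted(hits)

if __name__ == "__main__":
    # usage: find_monitor_apps.py /logs/abc/def [apps_root]
    if len(sys.argv) < 2:
        sys.exit("usage: find_monitor_apps.py LOG_PATH [APPS_ROOT]")
    apps_root = sys.argv[2] if len(sys.argv) > 2 else "/opt/splunk/etc/deployment-apps"
    for app, conf, stanza in apps_monitoring(sys.argv[1], apps_root):
        print(f"{app}\t{conf}\t[monitor://{stanza}]")
```

The script only matches stanza paths; it does not evaluate whitelist/blacklist settings or a `source` override inside a stanza, so review each hit's full stanza before concluding that the app is the origin of the data.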
I like this idea, but I've always inserted an extra step: run a query on the data in Splunk for the Source, but then use the SourceType value to search the inputs. Helps to avoid any issues with wildcards or regex in the log path and filename.
To each their own and whatever works is always the best solution.

That's only half of the problem.
The other half is that it can as well be completely externally submitted data - with HEC input you can set the source to anything you want (actually even for monitor inputs you could set the source to anything you want, but it's rather unlikely that someone deliberately rewrites the source field to mislead you as to the real origin of the data) but still have one HEC source.


That's a valid point about HEC events being able to specify any source value; however, that would not be associated with an app and so would not apply to the OP's request.
It's possible a transform can be used to change the source name to something else. Those can be found by searching the transforms.conf file on an indexer (or on the Cluster Manager).
If this reply helps you, Karma would be appreciated.

There can be many things done with data within the Splunk ingestion process, so the general "how to find XXX with one search" question response should usually be appended with a big warning: "if your case is somewhat unusual, this might not work at all". I think I could even write props/transforms to rewrite each event's source to a random value (and route to a random index 😁). Try finding where such an event came from unless you _know_ it.
