Try this; I use it for multi-device inputs that go to the same port. Put it in the etc\system\local directory; it should work for both TCP and UDP.
inputs.conf
# UDP 514: shared syslog input for multiple devices.
# Syslog over UDP is unauthenticated and the sender address can be forged, so
# the host value set here (and any sourcetype derived from it) is only as
# trustworthy as the network path; limit senders with a firewall or acceptFrom.
[udp://514]
index = syslog
# host field = IP address of the sending device
connection_host = ip
props.conf
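# UDP 514 device split: assigns a sourcetype per sending device.
# This stanza matches only events from the UDP input (source "udp:514"); a TCP
# input on the same port would need its own [source::tcp:514] stanza.
[source::udp:514]
MAX_TIMESTAMP_LOOKAHEAD = 20
NO_BINARY_CHECK = 1
# Each name must match a transforms.conf stanza name exactly (case and
# punctuation), so the IronPort entry is spelled Cisco-IronPort_st like its
# stanza. as400COMPASS_st and CiscoBrRt_st also need stanzas of their own;
# they are not shown in this post.
TRANSFORMS-changesourcetype = WTI_st, as400FISERV_st, as400COMPASS_st, CiscoBrRt_st, Cisco-IronPort_st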
transforms.conf
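# IronPort email: sets sourcetype Cisco-IronPort by sending host.
# The stanza name must match its entry in TRANSFORMS-changesourcetype
# (props.conf) exactly, including case and punctuation.
# The addresses are redacted placeholders; substitute the real device IPs.
# REGEX is a substring match unless anchored, so an unanchored address would
# also match longer addresses that contain it and mislabel another device.
# MetaData:Host values carry a "host::" prefix, hence the anchor below.
[Cisco-IronPort_st]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(?:111\.x\.x\.x|111\.x\.x\.x)$
FORMAT = sourcetype::Cisco-IronPort
DEST_KEY = MetaData:Sourcetype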
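# Bryan's power management equipment: sets sourcetype WTI by sending host.
# The addresses are redacted placeholders; substitute the real device IPs.
# REGEX is a substring match unless anchored, so an unanchored address would
# also match longer addresses that contain it and mislabel another device.
# MetaData:Host values carry a "host::" prefix, hence the anchor below.
[WTI_st]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(?:111\.x\.x\.x|111\.x\.x\.x)$
FORMAT = sourcetype::WTI
DEST_KEY = MetaData:Sourcetype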
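# Sets sourcetype as400FISERV for events from the listed host.
# The address is a redacted placeholder; substitute the real device IP.
# REGEX is a substring match unless anchored, so an unanchored address would
# also match longer addresses that contain it and mislabel another device.
# MetaData:Host values carry a "host::" prefix, hence the anchor below.
[as400FISERV_st]
SOURCE_KEY = MetaData:Host
REGEX = ^host::111\.x\.x\.x$
FORMAT = sourcetype::as400FISERV
DEST_KEY = MetaData:Sourcetype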