Hi,
It is not as easy as changing something in inputs.conf. While you can specify under any input stanza something like index=test, which will then route any events received on that input to index=test, in your case you only have one input (udp:514) for two data-sources so you'll need a different method. (As an aside, the inputs.conf you posted does not contain the udp 514 listener. There must be another inputs.conf, somewhere in $SPLUNK_HOME/etc/apps//local - likely in $SPLUNK_HOME/etc/apps/launcher/local. These get merged at run-time by Splunk. It's like this so apps and add-ons can supply their own inputs.)
Here are a few options, in order of level of effort:
1) Configure either Aruba or Checkpoint to send syslog to a different port. Create two inputs and set the index per input.
2) Use Splunk props.conf and transforms.conf configuration files to set the index per-event. It is very similar to the example here: http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Advancedsourcetypeoverrides, however you are updating a different DEST_KEY. You can also reference http://docs.splunk.com/Documentation/Splunk/6.4.2/Indexer/Setupmultipleindexes#Route_specific_events_to_a_different_index
3) The best practice for syslog is to set up a separate syslog server (or even a syslog process directly on the Splunk indexer, if your environment is small) instead of sending directly to a Splunk network input. You can just google "Splunk syslog server" and you'll see why and how. For instance: https://answers.splunk.com/answers/28680/universal-forwarder-vs-dedicated-rsyslog-syslog-ng-servers-to-forward-syslog-to-splunk-indexer.html. You then use syslog to split Aruba hosts and Checkpoint hosts into separate files, and then Splunk reads each file as an individual input with its own index specification. While this is more complexity and requires you to learn syslog, it is really the most robust solution.
Good luck!
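A sketch of option 2, added here as an example and not part of the original answer: index-time routing on the shared udp:514 input by rewriting the index DEST_KEY. The transform names, the index names (`aruba`, `checkpoint`) and the host patterns are assumptions; replace them with values that match your environment.

```ini
# ---- props.conf ----
# Must live on the instance that parses the data (the indexer or a heavy
# forwarder), because index routing happens at parse time.
[source::udp:514]
# Transform names are hypothetical; they only need to match the stanzas below.
TRANSFORMS-route_index = route_aruba_index, route_checkpoint_index

# ---- transforms.conf ----
[route_aruba_index]
# Match on the host Splunk assigned to the event; the key value is
# prefixed with "host::". The address range is a constructed placeholder.
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.0\.2\.\d+$
# The DEST_KEY that selects the target index.
DEST_KEY = _MetaData:Index
# Assumed index name; the index must already exist.
FORMAT = aruba

[route_checkpoint_index]
SOURCE_KEY = MetaData:Host
# Constructed placeholder range for the Checkpoint senders.
REGEX = ^host::198\.51\.100\.\d+$
DEST_KEY = _MetaData:Index
# Assumed index name; the index must already exist.
FORMAT = checkpoint
```

Events that match neither pattern stay in the index set on the input (or the default index), which makes unmatched senders easy to spot. Restart Splunk after changing these files; the routing applies only to newly received events.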