I have multiple systems reporting over UDP:514. I want to separate the IronPort email, Cisco ASAs, iSeries AS400, and Palo Alto firewall feeds at the global level before sending the data to the separate apps. I currently have this stanza in my etc\system\local\inputs file:
[udp://514]
connection_host = ip
index = index_syslog
sourcetype = syslog
I know I need to write a stanza in the props.conf to separate out the individual sources by IP address but am not sure how to do it.
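One way to do the per-IP split the question asks about, as an added example that is not part of the original post: a props.conf stanza on the UDP source that calls index-time transforms, each of which rewrites the sourcetype when the sending IP matches. The IP addresses (documentation range 192.0.2.0/24), the transform names and the target sourcetype names are constructed placeholders; substitute the real device addresses and the sourcetypes the receiving apps expect.

```ini
# ---- props.conf ----
# Events from the [udp://514] input carry source "udp:514".
# Run one transform per device class; the transform that matches
# replaces the default "syslog" sourcetype, the others leave it alone.
[source::udp:514]
TRANSFORMS-route_by_ip = st_ironport, st_asa, st_as400, st_paloalto

# ---- transforms.conf ----
# With connection_host = ip the host metadata is the sender's IP,
# stored internally as "host::<ip>", so the regex anchors on that form.

# IronPort mail appliance (placeholder IP and sourcetype)
[st_ironport]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.0\.2\.10$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ironport_mail

# Cisco ASAs: several devices matched with one alternation
[st_asa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.0\.2\.(20|21|22)$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco_asa

# iSeries AS400
[st_as400]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.0\.2\.30$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::as400_syslog

# Palo Alto firewall
[st_paloalto]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.0\.2\.40$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::paloalto_fw

# Any sender not listed above keeps sourcetype = syslog from inputs.conf,
# which makes unexpected devices on UDP 514 easy to spot in a search.
```

These settings take effect at parse time, so they belong on the instance that receives the UDP input (indexer or heavy forwarder) and apply only to data indexed after a restart.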