When receiving syslog data via UDP:514, is there a way to specify the sourcetype based on the IP address of the device sending the data?
It looks like could possibly work for what you need. You can also look into installing syslog-ng, kiwi syslog, or rsyslog on your server. This would allow for more advanced filtering of data and you could send data to different directories as it was being collected.
From there you could have different monitoring stanzas to look at different directories of data and assign sourcetypes that way. That's probably the cleanest way to do it and the most recommended so that you won't have any data loss in the event that Splunk needs to be restarted or shuts down unexpectedly.
Interesting related discussion at - Sending certain logs from UDP port 514 to specific indexes