Our network devices send data to a Syslog server and then up to our Splunk instance.
I have a few TAs that I’ve requested our SysAdmin team install on my behalf so the logs can be parsed out.
However, the TAs aren't parsing out the data, and furthermore, the network device logs come in under the sourcetype "syslog" rather than the sourcetype in the respective TAs.
Where do I need to look, or have the SysAdmins look?
(I’m just a power user).
It depends on your overall syslog-ingesting process. As you're saying that "device sends data to a Syslog server and then up to our splunk instance", I suppose there is a "middle-man" in the form of some syslog receiver either pushing the data to a HEC input or writing to files from which the data is picked up. In this case it depends on that "middle-man" configuration.
If however it's just a case of a bit of imprecise wording and all your devices send directly to your Splunk component, you have to make sure that you have a proper inputs configuration on that box (and proper sourcetype configs as well). As a rule of thumb, you can't have several different sourcetypes on a single tcp or udp port input with Splunk or Universal Forwarder alone.
Sorry for the vagueness; the imprecise wording is intentional due to the nature of the environment I work in.
The network devices' logs get sent to a syslog server.
The syslog server writes all the logs to file in a specific path.
On our Server Class server, the Data Input settings are configured to read all the files from that path (it's a unique enough path) and send them to our "network_devices" index.
So the data is being sent to the correct index, but a good portion of the logs are sent to the sourcetype=syslog, rather than the TA's sourcetype.
That is where I am stuck.
OK. So if you split your events received by syslog into separate files based on the source device, you should configure your monitor inputs to pick up different kinds of files with specific sourcetypes, so you don't ingest the whole big directory with all your "network" logs but instead fine-tune it with subsets of the files pertaining to specific devices.
If you're saving all syslog-received events to one big file, that's way harder, because you can only associate one sourcetype with a given monitor input. You might try to later dynamically overwrite it during the ingestion process using props and transforms, but this will be way, way harder than doing the splitting on the syslog-receiver level.
I see your point.
It’s not necessarily 1 big file.
The files do share a base name, but it is then automatically appended with the Unix time in the file name.
But to your point, I could reach out to the SysAdmins if they could have the file names be associated by network device family, and then append with the Unix time. Or create a sub directory in that path named for each network device family.
A little more granular, but I’m not sure what they can do on their end.
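An added example, not from anyone in this thread, showing both routes the reply above describes: one monitor stanza per device-family subdirectory (the layout the follow-up proposes), and the props/transforms fallback for a single mixed file. The paths, family names and `*_PLACEHOLDER` sourcetypes are assumptions; use the sourcetype each installed TA defines in its own props.conf.

```ini
# inputs.conf on the Splunk instance that reads the syslog server's files.
# Assumed layout: /var/log/netsyslog/<family>/<basename>.<unixtime>
# Setting sourcetype explicitly per stanza is what stops Splunk's automatic
# sourcetype detection from tagging syslog-looking lines as "syslog".
# Splunk .conf files only treat whole lines starting with # as comments.
[monitor:///var/log/netsyslog/family_a]
index = network_devices
sourcetype = TA_A_SOURCETYPE_PLACEHOLDER
disabled = 0

[monitor:///var/log/netsyslog/family_b]
index = network_devices
sourcetype = TA_B_SOURCETYPE_PLACEHOLDER
disabled = 0

# Fallback for one mixed file: give the monitor a placeholder sourcetype
# and rewrite it at index time. This runs after line breaking and timestamp
# extraction, so the target TA's index-time settings (LINE_BREAKER,
# TIME_FORMAT, ...) are NOT applied; its search-time extractions still are.
[monitor:///var/log/netsyslog/mixed]
index = network_devices
sourcetype = netdevices:mixed
disabled = 0

# props.conf: the stanza is keyed on the sourcetype the monitor assigned,
# not on the sourcetype you want to end up with.
[netdevices:mixed]
TRANSFORMS-set_sourcetype = st_family_a, st_family_b

# transforms.conf: each rule rewrites the sourcetype only when its REGEX
# matches the raw event; events matching no rule keep netdevices:mixed.
[st_family_a]
# Assumed marker: family A messages carry a "%FAMILYA-" tag after the host.
REGEX = \s%FAMILYA-
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::TA_A_SOURCETYPE_PLACEHOLDER

[st_family_b]
# Assumed marker: family B messages carry a "FAMILYB[" process tag.
REGEX = \sFAMILYB\[
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::TA_B_SOURCETYPE_PLACEHOLDER
```

`splunk btool inputs list --debug` shows which inputs.conf stanza wins for a path and from which app it comes. Events that matched no transform keep the placeholder sourcetype, so `index=network_devices sourcetype=netdevices:mixed` lists the device families that still need a rule.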