There are a few approaches to this, best practices would be to configure your syslog server to drop all hosts in their own folders. E.g.;

/mylogs/routers/%HOSTIP%/%hostIP%.log

From there, you can have either a wildcard monitor, or specific for each input. Along with this, use the host_segment directive in the monitor stanza:

[monitor:///mylogs/routers/*/*.log]
sourcetype = mysourcetype
host_segment = 3

Props.conf : http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Inputsconf

Thanks Joe for your time

i have i more question thou, as i want to monitor more than 100 network switches each under the same sourcetype but each switch obviously has unique host ip address is it possible to do like this below:

[monitor:///var/log/H3C/information]
disabled=false
sourcetype=syslog_wisdom
host=172.17.101.8
host=172.17.101.7
host=172.17.101.9
...

Thanks

You would have to deploy one inputs.conf per switch with one host setting each.

...are you even deploying this to the switch, or are you running a forwarder on a central syslog server that gets data from all switches?

i am running a full splunk enterprise in a linux server that get logs from all switches.

can you please elaborate more on your first line i dont understand it.

thanks martin

i only see this inside my inputs.conf

...

[monitor: ///var/log/H3C/information]
disabled = false
sourcetype = syslog_wisdom

And i dont see any host value or do i have to just add the line like below after sourcetype...

host = 192.168.1.254

If it's not already there you can just add it, yes.