I hope your question is related to Splunk indexing and NOT configuration for syslog?
some of the practices we follow

• Ensure syslog logs in a consistent directory structure. So the template should be fine tuned to create a good hierarchy structure. eg /data/syslog/$port/$ip-host/$facility.$priority.log
• Ensure logrotate is enabled to rotate these logs after a time or size. Ensure delaycompress option is enabled
• Based on naming convention or IP ranges, your Splunk inputs should collect and assign correct sourcetype at collection itself (eg: /data/syslog/514/my-cisco-device/kern.info.log should be assigned the relevant sourcetype, source, index, host at collection time)
• The index and indextime fields should be already present in your indexes/props for correct data indexing. (eg create mycompany_network index for network-data and props should align to the CIM model fields if possible)
• if you use multiple syslog servers, ensure no duplication happens on the data
• our experience shows with Splunk recommended indexers x 4, we can collect and index about your number without any impact to searches.