topic Configuring TA: Why is Tomato change index not working? in All Apps and Add-ons https://community.splunk.com/t5/All-Apps-and-Add-ons/Configuring-TA-Why-is-Tomato-change-index-not-working/m-p/585332#M76106 <P>Hello community,</P> <P>first I have to say that I'm very,very new to Splunk. Getting to Splunk is because of a solution I found in the streamboard community about analysis of OSCam logs.<BR />So I've installed Splunk on ubuntu and the OSCam-App from 'jotne' - works nice.</P> <P>Now knowing what Splunk does I thought about to analyse my routers syslog as well and came up with the TA-Tomato app.<BR />So I configured my router to send the syslog data to the UDP port like OSCam does. Data is stored in index = main; sourcetype = syslog - GREAT!</P> <P>Now I came to the very easy things mentioned in the README:<BR />- Please onboard your data as sourcetype=tomato<BR />- This app also assumes your data will exist in index=tomato</P> <P>This maybe is no issue for someone who is familiar with Splunk but for me it isn't.<BR />After two days of reading, trying to understand and testing, I didn't get this to work.</P> <P>I played around with some configuration I found here: <A href="https://community.splunk.com/t5/All-Apps-and-Add-ons/Unable-to-get-working-with-Tomato/m-p/223350" target="_blank" rel="noopener">https://community.splunk.com/t5/All-Apps-and-Add-ons/Unable-to-get-working-with-Tomato/m-p/223350</A><BR />and ended with copy the files app.conf, props.conf, transforms.conf to the local directory. (is it right if a file exists in the local dir the one in default is ignored? - think so but dont know)</P> <P>I insert:</P> <P>&nbsp;</P> <LI-CODE lang="markup">[host::192.168.0.1] TRANSFORMS-tomato = set_index_tomato,set_subtype_tomato</LI-CODE> <P>&nbsp;</P> <P>to the top of probs.conf</P> <P>and this:</P> <P>&nbsp;</P> <LI-CODE lang="markup">[set_index_tomato} REGEX = . DEST_KEY = _MetaData:Index FORMAT = tomato [set_subtype_tomato] REGEX = 192.168.0.1 SOURCE_KEY = MetaData:Host FORMAT = sourcetype::tomato DEST_KEY = MetaData:Sourcetype</LI-CODE> <P>&nbsp;</P> <P>to the top of transforms.conf</P> <P>Sourcetype will work but index is still 'main'.<BR />So, what's wrong with my stupid idea.</P> <P>Thanks</P> Wed, 16 Feb 2022 19:06:05 GMT WollyCGN 2022-02-16T19:06:05Z Configuring TA: Why is Tomato change index not working? https://community.splunk.com/t5/All-Apps-and-Add-ons/Configuring-TA-Why-is-Tomato-change-index-not-working/m-p/585332#M76106 <P>Hello community,</P> <P>first I have to say that I'm very,very new to Splunk. Getting to Splunk is because of a solution I found in the streamboard community about analysis of OSCam logs.<BR />So I've installed Splunk on ubuntu and the OSCam-App from 'jotne' - works nice.</P> <P>Now knowing what Splunk does I thought about to analyse my routers syslog as well and came up with the TA-Tomato app.<BR />So I configured my router to send the syslog data to the UDP port like OSCam does. Data is stored in index = main; sourcetype = syslog - GREAT!</P> <P>Now I came to the very easy things mentioned in the README:<BR />- Please onboard your data as sourcetype=tomato<BR />- This app also assumes your data will exist in index=tomato</P> <P>This maybe is no issue for someone who is familiar with Splunk but for me it isn't.<BR />After two days of reading, trying to understand and testing, I didn't get this to work.</P> <P>I played around with some configuration I found here: <A href="https://community.splunk.com/t5/All-Apps-and-Add-ons/Unable-to-get-working-with-Tomato/m-p/223350" target="_blank" rel="noopener">https://community.splunk.com/t5/All-Apps-and-Add-ons/Unable-to-get-working-with-Tomato/m-p/223350</A><BR />and ended with copy the files app.conf, props.conf, transforms.conf to the local directory. (is it right if a file exists in the local dir the one in default is ignored? - think so but dont know)</P> <P>I insert:</P> <P>&nbsp;</P> <LI-CODE lang="markup">[host::192.168.0.1] TRANSFORMS-tomato = set_index_tomato,set_subtype_tomato</LI-CODE> <P>&nbsp;</P> <P>to the top of probs.conf</P> <P>and this:</P> <P>&nbsp;</P> <LI-CODE lang="markup">[set_index_tomato} REGEX = . DEST_KEY = _MetaData:Index FORMAT = tomato [set_subtype_tomato] REGEX = 192.168.0.1 SOURCE_KEY = MetaData:Host FORMAT = sourcetype::tomato DEST_KEY = MetaData:Sourcetype</LI-CODE> <P>&nbsp;</P> <P>to the top of transforms.conf</P> <P>Sourcetype will work but index is still 'main'.<BR />So, what's wrong with my stupid idea.</P> <P>Thanks</P> Wed, 16 Feb 2022 19:06:05 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Configuring-TA-Why-is-Tomato-change-index-not-working/m-p/585332#M76106 WollyCGN 2022-02-16T19:06:05Z Re: Configuring TA: Why is Tomato change index not working? https://community.splunk.com/t5/All-Apps-and-Add-ons/Configuring-TA-Why-is-Tomato-change-index-not-working/m-p/585607#M76121 <P>found a solution by myself</P><P>I've added this into the /system/local/inputs.conf</P><LI-CODE lang="markup">[udp://192.168.0.1:514] sourcetype = tomato index = tomato</LI-CODE> Thu, 17 Feb 2022 16:38:59 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Configuring-TA-Why-is-Tomato-change-index-not-working/m-p/585607#M76121 WollyCGN 2022-02-17T16:38:59Z