All Apps and Add-ons

Configuring TA: Why is Tomato change index not working?


Hello community,

first I have to say that I'm very,very new to Splunk. Getting to Splunk is because of a solution I found in the streamboard community about analysis of OSCam logs.
So I've installed Splunk on ubuntu and the OSCam-App from 'jotne' - works nice.

Now knowing what Splunk does I thought about to analyse my routers syslog as well and came up with the TA-Tomato app.
So I configured my router to send the syslog data to the UDP port like OSCam does. Data is stored in index = main; sourcetype = syslog - GREAT!

Now I came to the very easy things mentioned in the README:
- Please onboard your data as sourcetype=tomato
- This app also assumes your data will exist in index=tomato

This maybe is no issue for someone who is familiar with Splunk but for me it isn't.
After two days of reading, trying to understand and testing, I didn't get this to work.

I played around with some configuration I found here:
and ended with copy the files app.conf, props.conf, transforms.conf to the local directory. (is it right if a file exists in the local dir the one in default is ignored? - think so but dont know)

I insert:


TRANSFORMS-tomato = set_index_tomato,set_subtype_tomato


to the top of probs.conf

and this:


DEST_KEY = _MetaData:Index
FORMAT = tomato

SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::tomato
DEST_KEY = MetaData:Sourcetype


to the top of transforms.conf

Sourcetype will work but index is still 'main'.
So, what's wrong with my stupid idea.


Labels (2)
0 Karma
1 Solution


found a solution by myself

I've added this into the /system/local/inputs.conf

sourcetype = tomato
index = tomato

View solution in original post


found a solution by myself

I've added this into the /system/local/inputs.conf

sourcetype = tomato
index = tomato
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...