First, I have to say that I'm very, very new to Splunk. I got to Splunk because of a solution I found in the streamboard community about analysis of OSCam logs.
So I've installed Splunk on Ubuntu and the OSCam app from 'jotne' - works nicely.
Now, knowing what Splunk does, I thought about analysing my router's syslog as well and came up with the TA-Tomato app.
So I configured my router to send the syslog data to the UDP port like OSCam does. Data is stored in index = main; sourcetype = syslog - GREAT!
Now I came to the very easy things mentioned in the README:
- Please onboard your data as sourcetype=tomato
- This app also assumes your data will exist in index=tomato
This may be no issue for someone who is familiar with Splunk, but for me it is one.
After two days of reading, trying to understand and testing, I couldn't get this to work.
I played around with some configuration I found here: https://community.splunk.com/t5/All-Apps-and-Add-ons/Unable-to-get-working-with-Tomato/m-p/223350
and ended up copying the files app.conf, props.conf and transforms.conf to the local directory. (Is it right that if a file exists in the local dir, the one in default is ignored? I think so but don't know.)

[host::192.168.0.1]
TRANSFORMS-tomato = set_index_tomato,set_subtype_tomato

to the top of props.conf, and

[set_index_tomato]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = tomato

[set_subtype_tomato]
# dots escaped so the regex matches only this host's address
REGEX = 192\.168\.0\.1
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::tomato
DEST_KEY = MetaData:Sourcetype

to the top of transforms.conf.
Sourcetype will work but index is still 'main'.
So, what's wrong with my stupid idea?
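For comparison, here is a complete set of configuration files for the host-based routing described in the post. It is an added example, not code from the original post or from the TA-Tomato app. It assumes a single all-in-one Splunk instance (so index-time transforms run on the same box that receives the data), a UDP syslog listener on port 514 shared by OSCam and the router, an app directory named TA-Tomato, and that the tomato index has not been created yet; the port, file paths and index location are assumptions. Splunk merges default/ and local/ per setting rather than ignoring one file wholesale, with the value in local/ taking precedence, so placing these stanzas in local/ overrides only the keys they set.

```ini
# Added example: minimal Splunk config for routing one syslog sender to its own
# index and sourcetype. The app path, UDP port (514) and index storage paths
# are assumptions.

# ---- $SPLUNK_HOME/etc/apps/TA-Tomato/local/indexes.conf ----
# The target index must exist. Events routed at index time to an index that
# has not been created are dropped rather than falling back to main.
[tomato]
homePath   = $SPLUNK_DB/tomato/db
coldPath   = $SPLUNK_DB/tomato/colddb
thawedPath = $SPLUNK_DB/tomato/thaweddb

# ---- $SPLUNK_HOME/etc/apps/TA-Tomato/local/inputs.conf ----
# One UDP listener for both OSCam and the router. connection_host = ip sets the
# host field to the sender's IP address, which is what the [host::...] stanza
# in props.conf matches on. index/sourcetype here are the defaults for senders
# that no transform rewrites.
[udp://514]
connection_host = ip
index = main
sourcetype = syslog

# ---- $SPLUNK_HOME/etc/apps/TA-Tomato/local/props.conf ----
# Index-time transforms for events whose host is the router. The name after
# "TRANSFORMS-" is an arbitrary class label; the transforms run in the listed
# order. Index-time settings take effect only after a restart.
[host::192.168.0.1]
TRANSFORMS-tomato = set_index_tomato, set_subtype_tomato

# ---- $SPLUNK_HOME/etc/apps/TA-Tomato/local/transforms.conf ----
# The host match already happened in props.conf, so both transforms only need
# a regex that matches any non-empty event (REGEX runs against _raw by default).
[set_index_tomato]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = tomato

[set_subtype_tomato]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::tomato
```

Two checks worth running after a restart: `splunk btool transforms list set_index_tomato --debug` shows whether the stanza is actually parsed and which file it comes from (a malformed stanza header silently leaves the transform undefined, and an undefined transform is skipped), and `splunk btool props list host::192.168.0.1 --debug` confirms the merged props.conf stanza. If the sourcetype changes but the index does not, the usual suspects are the index not existing, a typo in the index transform's stanza name so that TRANSFORMS-tomato references a transform that is never defined, or the transforms living in a file that was edited without a restart.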