Hello community,
First I have to say that I'm very, very new to Splunk. I got to Splunk because of a solution I found in the streamboard community about analysis of OSCam logs.
So I've installed Splunk on Ubuntu and the OSCam app from 'jotne' - works nicely.
Now, knowing what Splunk does, I thought about analysing my router's syslog as well and came up with the TA-Tomato app.
So I configured my router to send the syslog data to the UDP port like OSCam does. Data is stored in index = main; sourcetype = syslog - GREAT!
Now I came to the very easy things mentioned in the README:
- Please onboard your data as sourcetype=tomato
- This app also assumes your data will exist in index=tomato
This is maybe no issue for someone who is familiar with Splunk, but for me it is.
After two days of reading, trying to understand and testing, I didn't get this to work.
I played around with some configuration I found here: https://community.splunk.com/t5/All-Apps-and-Add-ons/Unable-to-get-working-with-Tomato/m-p/223350
and ended with copying the files app.conf, props.conf, transforms.conf to the local directory. (Is it right that if a file exists in the local dir the one in default is ignored? - I think so but don't know)
I inserted:
[host::192.168.0.1]
TRANSFORMS-tomato = set_index_tomato,set_subtype_tomato
at the top of props.conf
and this:
[set_index_tomato]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = tomato
[set_subtype_tomato]
REGEX = 192.168.0.1
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::tomato
DEST_KEY = MetaData:Sourcetype
at the top of transforms.conf
The sourcetype will work but the index is still 'main'.
So, what's wrong with my stupid idea?
Thanks
Found a solution by myself.
I've added this to /system/local/inputs.conf:
[udp://192.168.0.1:514]
sourcetype = tomato
index = tomato
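Both posts above come down to hand-edited Splunk .conf stanzas, and a single stray character in a stanza header (or a transform referenced in props.conf but never defined in transforms.conf) makes Splunk silently ignore the routing rule, so the event keeps landing in index=main. The following linter is an added example written for this thread; it is not part of the TA-Tomato app or of Splunk. It assumes Splunk's INI-style conf layout ([stanza] headers, key = value lines, # comments) and the documented routing keys (DEST_KEY = _MetaData:Index with a bare index name as FORMAT; DEST_KEY = MetaData:Sourcetype with FORMAT = sourcetype::<name>). The props/transforms/inputs text embedded in it is constructed for the example: it mirrors the stanzas discussed in the thread, closes one header with } instead of ], and adds an unrestricted [udp://1514] listener for contrast with the answer's [udp://192.168.0.1:514] form, which only accepts datagrams from that host.

```python
"""Lint Splunk .conf fragments for mistakes that silently break index/sourcetype
routing.  Added example for this thread (not TA-Tomato or Splunk code).  Assumes
Splunk's INI-style conf layout; the sample conf text below is constructed."""
import re
from typing import Dict, List, Tuple

Conf = Dict[str, Dict[str, str]]

# Constructed samples, not a real deployment.  The first transforms header is
# deliberately closed with '}' to show how such a typo surfaces.
PROPS_CONF = """\
[host::192.168.0.1]
TRANSFORMS-tomato = set_index_tomato,set_subtype_tomato
"""
TRANSFORMS_CONF = """\
[set_index_tomato}
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = tomato
[set_subtype_tomato]
REGEX = 192.168.0.1
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::tomato
DEST_KEY = MetaData:Sourcetype
"""
INPUTS_CONF = """\
[udp://192.168.0.1:514]
sourcetype = tomato
index = tomato

[udp://1514]
sourcetype = syslog
"""

STANZA_RE = re.compile(r"^\[(.*)\]$")
UDP_RE = re.compile(r"^udp://(?:(?P<host>[^:\]]+):)?(?P<port>\d+)$")


def parse_conf(text: str) -> Tuple[Conf, List[str]]:
    """Parse conf text into {stanza: {key: value}}; report lines this linter cannot place."""
    stanzas: Conf = {}
    issues: List[str] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if line.startswith("["):  # header-like but not closed with ']'
            issues.append(f"line {lineno}: malformed stanza header {line!r}")
            current = None            # keys after it are flagged, not attached
            continue
        key, sep, value = line.partition("=")
        if not sep:
            issues.append(f"line {lineno}: not a 'key = value' line: {line!r}")
        elif current is None:
            issues.append(f"line {lineno}: key {key.strip()!r} is outside any stanza")
        else:
            stanzas[current][key.strip()] = value.strip()
    return stanzas, issues


def check_routing(props: Conf, transforms: Conf) -> List[str]:
    """Every transform named in a TRANSFORMS-* key must exist and carry the right keys."""
    issues: List[str] = []
    for stanza, kv in props.items():
        for key, value in kv.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms.get(name)
                if t is None:
                    issues.append(f"props [{stanza}] {key}: transform {name!r} is not defined in transforms.conf")
                    continue
                issues += [f"transforms [{name}]: missing {r}" for r in ("REGEX", "DEST_KEY", "FORMAT") if r not in t]
                dest, fmt = t.get("DEST_KEY", ""), t.get("FORMAT", "")
                if dest == "MetaData:Index":
                    issues.append(f"transforms [{name}]: index routing needs DEST_KEY = _MetaData:Index (leading underscore)")
                if dest == "_MetaData:Index" and "::" in fmt:
                    issues.append(f"transforms [{name}]: index FORMAT must be a bare index name, got {fmt!r}")
                if dest == "MetaData:Sourcetype" and not fmt.startswith("sourcetype::"):
                    issues.append(f"transforms [{name}]: sourcetype FORMAT must be 'sourcetype::<name>', got {fmt!r}")
    return issues


def check_inputs(inputs: Conf) -> List[str]:
    """UDP syslog listeners should name an index/sourcetype and be pinned to a sender."""
    issues: List[str] = []
    for stanza, kv in inputs.items():
        m = UDP_RE.match(stanza)
        if not m:
            continue
        if not m.group("host"):  # [udp://<port>] takes datagrams from anyone on the network
            issues.append(f"inputs [{stanza}]: listener accepts datagrams from any source; prefer [udp://<router-ip>:{m.group('port')}]")
        issues += [f"inputs [{stanza}]: missing {r}" for r in ("index", "sourcetype") if r not in kv]
    return issues


def lint(props_text: str, transforms_text: str, inputs_text: str) -> List[str]:
    """Return every issue found across the three conf fragments (empty list = clean)."""
    props, issues = parse_conf(props_text)
    transforms, t_issues = parse_conf(transforms_text)
    inputs, i_issues = parse_conf(inputs_text)
    issues = [f"props.conf {i}" for i in issues] + [f"transforms.conf {i}" for i in t_issues] + [f"inputs.conf {i}" for i in i_issues]
    return issues + check_routing(props, transforms) + check_inputs(inputs)


if __name__ == "__main__":
    for issue in lint(PROPS_CONF, TRANSFORMS_CONF, INPUTS_CONF):
        print(issue)
```

Run against the constructed samples it reports the malformed header, the three keys stranded after it, the resulting undefined set_index_tomato transform (which is why the index never changes while the sourcetype rule still fires), and the unpinned [udp://1514] listener with no index; with the header fixed and only the pinned stanza left, it reports nothing. Pinning the UDP input to the router's address matters beyond tidiness: an open UDP syslog port will ingest spoofed messages from any host that can reach it, and those land in the index and sourcetype you searched for.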
