
How do I change index in the SonicWall Analytics app?

New Member

Can I change the index in the SonicWall Analytics app from "index=sonicwall" to "index=sonicwallfw"? When I tried to change it from the data input, it says that the port is already being used. I am receiving the firewall logs and indexing them under the name sonicwallfw, but the app needs the index named sonicwall. So how do I link the app to index sonicwall_fw instead of index sonicwall?

When I tried to change it from data inputs, I got an error message saying that the port is already being used.

0 Karma

Re: How do I change index in the SonicWall Analytics app?

SplunkTrust

Check if the app has eventtypes or macros that refer to index = sonicwall.
You can go to Settings -> All configurations -> pick the SonicWall app only -> inspect the eventtypes / macros.
Verify that the saved searches rely on those.
Modify the relevant macros and eventtypes.
Good luck.

0 Karma

Re: How do I change index in the SonicWall Analytics app?

Splunk Employee

Yes it can. However, I took a quick look at that app, and they've embedded index=sonicwall into about ~20 files, including dashboard .xml and .js files. Here are the two popular options:
1. Make your own copy of the app, customizing the various configs with your custom index name. It's all text files, so it's actually pretty quick. But once you customize the app, any automatic upgrades to the app will not work for you. In fact, if you auto-upgrade by accident, it'll break your customized app until you've gone back and fixed everything.
2. Create the 'sonicwall' index as they recommend, and write your data there.

0 Karma
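For option 1 above, a dry-run scanner that lists every hardcoded `index=sonicwall` reference in a private copy of the app and rewrites it only on request. This is an added example, not part of the original thread or of the app itself; `retarget_index`, `build_sample_app` and the sample file tree are hypothetical names and constructed data, and the set of file suffixes scanned is an assumption.

```python
import re
import tempfile
from pathlib import Path

# index=sonicwall, index = sonicwall, index="sonicwall" and index='sonicwall' match;
# longer names (sonicwall_fw, sonicwallfw), wildcards (sonicwall*) and keys that
# merely end in "index" (myindex=) are left alone.
INDEX_REF = re.compile(rb"""(?<![\w.])(index\s*=\s*)(["']?)sonicwall\2(?![\w*-])""", re.I)
TEXT_SUFFIXES = {".conf", ".xml", ".js", ".html"}  # assumed set of text files to scan


def retarget_index(app_dir, new_index, apply=False):
    """Return {relative_path: hit_count}; files are rewritten only when apply=True."""
    new = new_index.encode()
    report = {}
    for path in sorted(Path(app_dir).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        data = path.read_bytes()  # bytes in, bytes out: line endings are preserved
        out, hits = INDEX_REF.subn(
            lambda m: m.group(1) + m.group(2) + new + m.group(2), data)
        if hits:
            report[path.relative_to(app_dir).as_posix()] = hits
            if apply:
                path.write_bytes(out)
    return report


def build_sample_app(root):
    """Constructed stand-in for a private copy of the app (not the real app's files)."""
    files = {
        "default/macros.conf": b"[fw_base]\ndefinition = index=sonicwall sourcetype=fw\n",
        "default/data/ui/views/overview.xml": b'<query>index="sonicwall" | stats count</query>\n',
        "appserver/static/panel.js": b"var q = 'search index = sonicwall OR index=sonicwall_fw';\n",
        "README.txt": b"Send data to index=sonicwall\n",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        app = build_sample_app(tmp)
        print("dry run:", retarget_index(app, "sonicwallfw"))
        print("applied:", retarget_index(app, "sonicwallfw", apply=True))
        print("left over:", retarget_index(app, "sonicwallfw"))
```

Running the dry run again after an app upgrade shows which files have reverted to the vendor's index name.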