How do I get dd-wrt configured with the Tomato App?

New Member

I've had a largely unconfigured home Splunk install with various data sources (Cisco ASA, dd-wrt, and others) feeding it data. I had configured my dd-wrt syslog as a different UDP input to keep it separate from my other data inputs. Now, I'm starting to check out various apps and saw the Tomato/DD-WRT/OpenWRT CIM app and wanted to check it out.

I'm not seeing any of the dashboards or other queries populate, but when I run a "search", I'm seeing my data still. I note that the App install states:
"Please onboard initial data as sourcetype::syslog1 in order to drive all other syslog transforms."

I've tried renaming my dd-wrt source and changing the sourcetype to syslog1 (and also just syslog) but it doesn't appear to work. I assume I'm doing something wrong but am kind of at a loss for where to start. I've also looked to see if there's some place to configure the App to point at the right data source but I'm not seeing any obvious solution there.

Is there any way to configure my data source and/or the App to use my existing dd-wrt data without starting from scratch?

0 Karma


Hi. I might be way too late for this; maybe you've already gotten it working or have moved on to other things. But what sourcetype does your router data show as after onboarding it as syslog1?

Does anything get re-sourcetyped?

It's possible some of the initial regexes need to be written a bit more generally. I've since tested this app on Advanced Tomato and DD-WRT, and most of it works well out of the box, but that may be based on the way I syslog the events first, which could write files differently than yours.

I know many dd-wrt builds have varying capacities to syslog, some require odd setting changes like filter ident before they actually syslog all data. Some only do firewall or only system and not both at the same time. Newer bigger routers with more memory seem to be more capable than older ones, especially when doing full packet monitoring.

I am slowly working on rewriting this TA based on what I've learned since first releasing the initial builds.

0 Karma


What does index=<your events> mean? Could you display yours? Or is it index=<your index>?

0 Karma


Did you follow the app instructions? They say:

As the dashboards are driven mainly by eventtypes, you may need to make a copy of \default\eventtypes.conf to \local\eventtypes.conf and add 'index=<your events>' to the beginning of each eventtype search query.

0 Karma


Copy \default\eventtypes.conf to \local\eventtypes.conf within the TA-Tomato directory, then update the searches with the correct index name where your open router data is.

0 Karma
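The copy-and-prefix step described in the two answers above, as an added script that is not part of the app or this thread. It assumes the TA's directory is passed as the first argument (for example $SPLUNK_HOME/etc/apps/TA-Tomato) and the index holding the router syslog as the second; the eventtype stanza names in the sample file are constructed and do not match the real app.

```shell
#!/bin/sh
# Added example (not from TA-Tomato or the thread): copy default/eventtypes.conf
# to local/eventtypes.conf and prefix every eventtype search with index=<idx>,
# which is the manual edit the answers above describe.
# Assumptions: $1 is the app directory, $2 is the index name (e.g. "router").
scope_eventtypes_to_index() {
  app_dir="$1"
  idx="$2"
  src="$app_dir/default/eventtypes.conf"
  dst="$app_dir/local/eventtypes.conf"
  [ -f "$src" ] || { echo "no $src" >&2; return 1; }
  mkdir -p "$app_dir/local"
  # Only 'search = ...' lines get the prefix; stanza headers, comments and other
  # keys are copied through unchanged. A search that already starts with
  # index= is left alone so the script is safe to re-run.
  sed -E '/^search[[:space:]]*=[[:space:]]*index=/!s/^(search[[:space:]]*=[[:space:]]*)/\1index='"$idx"' /' \
    "$src" > "$dst"
}

# Stand-alone demo on a constructed app directory (stanza names are made up).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/default"
cat > "$demo_dir/default/eventtypes.conf" <<'EOF'
# constructed sample eventtypes; the real app's stanzas differ
[router_firewall_drop]
search = sourcetype=syslog1 "DROP"

[router_dhcp_lease]
search = sourcetype=syslog1 dnsmasq-dhcp
EOF
scope_eventtypes_to_index "$demo_dir" router
cat "$demo_dir/local/eventtypes.conf"
```

Splunk layers local/ over default/, so the app's own file is untouched and the index scoping survives an app upgrade.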