I've had a largely un-configured home Splunk install with various data sources (Cisco ASA, dd-wrt, and others) feeding it data. I had configured my dd-wrt syslog as a different UDP input to keep it separate from my other data inputs. Now, I'm starting to check out various apps and saw the Tomato/DD-WRT/OpenWRT CIM app and wanted to check it out.
I'm not seeing any of the dashboards or other queries populate but when I run a "search", I'm seeing my data still. I note that the App install states:
"**Please onboard initial data as sourcetype::syslog1 in order to drive all other syslog transforms.**"
I've tried renaming my dd-wrt source and changing the sourcetype to syslog1 (and also just syslog) but it doesn't appear to work. I assume I'm doing something wrong but am kind of at a loss for where to start. I've also looked to see if there's some place to configure the App to point at the right data source but I'm not seeing any obvious solution there.
Is there any way to configure my data source and/or the App to use my existing dd-wrt data without starting from scratch?
Hi. I might be way too late for this; maybe you've already gotten it working or have moved on to other things. But what sourcetype does your router data show as after onboarding it as syslog1?
Does anything get re-sourcetyped?
It's possible some of the initial regexes need to be written a bit more generally. I've since tested this app on Advanced Tomato and DD-WRT and most of it works well out of the box, but that may be based on the way I syslog the events first, which could write files differently than yours.
I know many dd-wrt builds have varying capacities to syslog, some require odd setting changes like filter ident before they actually syslog all data. Some only do firewall or only system and not both at the same time. Newer bigger routers with more memory seem to be more capable than older ones, especially when doing full packet monitoring.
I am slowly working on rewriting this TA based on what I've learned since first releasing the initial builds.
As the dashboards are driven mainly by eventtypes, you may need to make a copy of \default\eventtypes.conf to \local\eventtypes.conf and add 'index=<your events>' to the beginning of each eventtype search query.
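The copy-and-prefix step described in the answer above, as an added example that is not part of the original thread or of the Tomato/DD-WRT/OpenWRT app itself. It reads a `default/eventtypes.conf`, prepends `index=<your index>` to every `search =` value that is not already index-scoped (Splunk's `local/` layer overrides `default/`, so the app's own file stays untouched), and writes the result to `local/eventtypes.conf`. The sample conf text and the index name `ddwrt` are constructed for the example; the index name is validated before it is spliced into a search so that a stray string cannot turn into extra SPL.

```python
"""Scope every eventtype search in a Splunk eventtypes.conf to one index.

Added example (not the app's or the answer author's code). Implements the
step "copy default/eventtypes.conf to local/eventtypes.conf and add
index=<your index> to the beginning of each eventtype search".
"""
import re
from pathlib import Path

# Constructed sample in the shape of a typical eventtypes.conf; not the app's real file.
SAMPLE_DEFAULT_CONF = """\
# default eventtypes
[ddwrt_firewall]
search = sourcetype=syslog1 "DROP" OR "ACCEPT"
tags = network

[ddwrt_dhcp]
search = sourcetype=syslog1 dnsmasq-dhcp \\
    DHCPACK OR DHCPOFFER

[ddwrt_already_scoped]
search = index=ddwrt sourcetype=syslog1 dropbear
"""

# Splunk index names: lowercase letters, digits, '_' and '-', not starting with '_' or '-'.
INDEX_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")
# Only the `search = ...` key of a stanza is rewritten; other keys (tags, priority...) pass through.
SEARCH_RE = re.compile(r"^(?P<key>search\s*=\s*)(?P<value>.*)$")


def _join_continuations(text):
    """Splunk .conf files continue a value onto the next line with a trailing backslash.

    Joining first means a multi-line search is handled as one value.
    """
    lines, parts = [], []
    for raw in text.splitlines():
        if raw.endswith("\\"):
            parts.append(raw[:-1].rstrip())
            continue
        parts.append(raw.strip() if parts else raw)
        lines.append(" ".join(parts))
        parts = []
    if parts:  # file ended on a continuation line
        lines.append(" ".join(parts))
    return lines


def scope_eventtypes(conf_text, index):
    """Return conf_text with `index=<index>` prepended to each eventtype search.

    Searches that already begin with an index= term are left as they are, so the
    function is safe to run more than once.
    """
    if not INDEX_NAME_RE.match(index):
        raise ValueError(f"not a valid Splunk index name: {index!r}")
    out = []
    for line in _join_continuations(conf_text):
        m = SEARCH_RE.match(line)
        if m:
            value = m.group("value").strip()
            if not re.match(r"index\s*=", value):
                value = f"index={index} {value}"
            line = f"{m.group('key')}{value}"
        out.append(line)
    return "\n".join(out) + "\n"


def write_local_override(app_dir, index):
    """Copy <app>/default/eventtypes.conf to <app>/local/eventtypes.conf with index scoping."""
    app_dir = Path(app_dir)
    default = app_dir / "default" / "eventtypes.conf"
    local = app_dir / "local" / "eventtypes.conf"
    local.parent.mkdir(parents=True, exist_ok=True)
    local.write_text(scope_eventtypes(default.read_text(), index))
    return local


if __name__ == "__main__":
    import tempfile

    # Stand-alone demo against a throwaway app directory built from the sample.
    app = Path(tempfile.mkdtemp()) / "TA-ddwrt-example"  # hypothetical app name
    (app / "default").mkdir(parents=True)
    (app / "default" / "eventtypes.conf").write_text(SAMPLE_DEFAULT_CONF)
    print(write_local_override(app, "ddwrt").read_text())
```

Run it against the real app by replacing the temp directory with the app's folder under `$SPLUNK_HOME/etc/apps/` and restarting Splunk (or reloading the conf) afterwards; the `local/` copy survives app upgrades, which is the reason the answer suggests it rather than editing `default/`.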