Splunk For U-verse Home modem: How can I extract additional fields?

cyborgx
New Member

Hi,

So finally I was able to make my U-Verse modem feed the data into my Splunk AT&T U-Verse add-on, but all I'm getting is "All U-verse Events". The modem model is 5268AC. Is there anything else I can do to make the other feeds work? Such as

  • U-verse Eventtypes,
  • Firewall Events
  • ICMP Events
  • Allowed Inbound traffic (Pinhole)

etc....

Thanks

1 Solution

japger_splunk
Splunk Employee

Since you appear to be seeing data in the "All U-verse Events" view, it looks like you have the data routed into an index and have the sourcetype set correctly. The eventtypes (eventtypes.conf), tags (need to create tags.conf) and field extractions (props.conf) can be edited on the fly, specific to your modem's log format, such that you create fields that match the search criteria that populate the dashboard (uverse_main.xml).


cyborgx
New Member

Thanks for the answer. I will try and see what I can do with this information.



cyborgx
New Member

Thanks for the answer. So basically I will have to take the main feed and try to manually digest some of the information, correct?


japger_splunk
Splunk Employee
Splunk Employee

Unfortunately, the number of log formats and modems from U-Verse makes it tough to come up with default field extractions outside of the 2 modems we initially tested on. I do not have access to U-Verse log files anymore and this app needs to be re-written to be Common Information Model (CIM) compliant. You will need to edit eventtypes.conf such that the [u-verse fw] section identifies the firewall related event correctly. You will also need to look at the props.conf to get the field extractions (this line: EXTRACT-fw) in place. If I were able to keep this app current, I would align it to this: http://docs.splunk.com/Documentation/CIM/4.9.0/User/NetworkTraffic and make sure the events are tagged (network and communicate) in addition to aligning with field names and their possible field values.

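As an added illustration of the three edits the answer above describes (this is not the add-on's own configuration and not from the thread), here is what the `EXTRACT-fw` extraction, the `[u-verse fw]` eventtype and the CIM `network`/`communicate` tags could look like for a firewall log line. The sourcetype name `uverse` and the line layout in the comment are assumptions; the regex and the eventtype search must be adapted to what the 5268AC actually writes.

```ini
# Constructed sample firewall event the stanzas below are written against
# (assumed layout, NOT the real 5268AC format; check your own events first):
#   fw: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=23

# ---- props.conf (sourcetype name "uverse" is an assumption) ----
[uverse]
# Raw firewall fields; only lines matching this shape receive them
EXTRACT-fw = fw:\s+(?<fw_action>[A-Z]+)\s+IN=(?<fw_iface>\S+)\s+SRC=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+DST=(?<dest_ip>\d{1,3}(?:\.\d{1,3}){3})\s+PROTO=(?<fw_proto>\w+)(?:\s+SPT=(?<src_port>\d+))?(?:\s+DPT=(?<dest_port>\d+))?
# Map the modem's vocabulary onto CIM Network Traffic field names and values
FIELDALIAS-fw_cim = src_ip AS src dest_ip AS dest
EVAL-action = case(fw_action=="DROP" OR fw_action=="REJECT", "blocked", fw_action=="ACCEPT", "allowed", true(), "unknown")
EVAL-transport = lower(fw_proto)

# ---- eventtypes.conf (the section named in the answer) ----
[u-verse fw]
search = sourcetype=uverse "fw:" (DROP OR REJECT OR ACCEPT)

# ---- tags.conf (tags the CIM Network Traffic data model looks for) ----
[eventtype=u-verse fw]
network = enabled
communicate = enabled
```

After saving, `| datamodel Network_Traffic All_Traffic search` over the sourcetype is a quick way to confirm the events are picked up with `action`, `src`, `dest` and `dest_port` populated.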