Splunk For U-verse Home modem: How can I extract additional fields?

cyborgx
New Member

Hi,

So finally I was able to make my U-Verse modem feed the data into my Splunk AT&T U-Verse add-on, but all I'm getting is "All U-verse Events". The modem model is 5268AC. Is there anything else I can do to make the other feeds work? Such as

  • U-verse Eventtypes,
  • Firewall Events
  • ICMP Events
  • Allowed Inbound traffic (Pinhole)

etc....

Thanks


japger_splunk
Splunk Employee

Since you appear to be seeing data in the "All U-verse Events" view, it looks like you have the data routed into an index and have the sourcetype set correctly. The eventtypes (eventtypes.conf), tags (need to create tags.conf) and field extractions (props.conf) can be edited on the fly, specific to your modem's log format, such that you create fields that match the search criteria that populate the dashboard (uverse_main.xml).


cyborgx
New Member

Thanks for the answer. I will try and see what I can do with this information.


cyborgx
New Member

Thanks for the answer. So basically I will have to take the main feed and try to manually digest some of the information, correct?


japger_splunk
Splunk Employee

Unfortunately, the number of log formats and modems from U-Verse makes it tough to come up with default field extractions outside of the 2 modems we initially tested on. I do not have access to U-Verse log files anymore and this app needs to be re-written to be Common Information Model (CIM) compliant. You will need to edit eventtypes.conf such that the [u-verse fw] section identifies the firewall related event correctly. You will also need to look at the props.conf to get the field extractions (this line: EXTRACT-fw) in place. If I were able to keep this app current, I would align it to this: http://docs.splunk.com/Documentation/CIM/4.9.0/User/NetworkTraffic and make sure the events are tagged (network and communicate) in addition to aligning with field names and their possible field values.

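Here is what those three stanzas might look like, as an added example that is not the add-on's own configuration: the sourcetype name `uverse` and the 5268AC firewall line layout are assumptions (the sample lines in the comments are constructed), so adjust the regex to whatever your modem actually logs before relying on the dashboard.

```ini
# props.conf -- applied to the sourcetype the add-on assigned to the modem data.
# "uverse" as the sourcetype name and the line layout are ASSUMPTIONS; the two
# 5268AC-style lines the regex is written against are constructed, not captured:
#   May  1 10:15:22 fw: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=23
#   May  1 10:15:23 fw: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=ICMP
[uverse]
# Pull the raw firewall fields; SPT/DPT are optional so ICMP lines still match.
EXTRACT-fw = fw:\s+(?<fw_action>ACCEPT|DROP|REJECT)\s+IN=\S+\s+SRC=(?<src_ip>[\d.]+)\s+DST=(?<dest_ip>[\d.]+)\s+PROTO=(?<proto>\w+)(?:\s+SPT=(?<src_port>\d+)\s+DPT=(?<dest_port>\d+))?
# Map to the CIM Network Traffic value sets: action is allowed|blocked, transport is lower case.
EVAL-action = case(fw_action=="ACCEPT", "allowed", fw_action=="DROP" OR fw_action=="REJECT", "blocked")
EVAL-transport = lower(proto)
# The data model also expects src and dest; alias the IP fields onto them.
FIELDALIAS-uverse_cim = src_ip AS src dest_ip AS dest

# eventtypes.conf -- the stanza the answer refers to; the search only has to
# isolate the firewall lines from the rest of the modem feed.
[u-verse fw]
search = sourcetype=uverse "fw:"

# tags.conf -- the two tags the Network Traffic data model requires.
[eventtype=u-verse fw]
network = enabled
communicate = enabled
```

After a restart (or a search-time reload), `eventtype="u-verse fw" | table _time action transport src dest dest_port` should show the normalised fields; an empty `action` column means the regex did not match your modem's actual line format.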