Splunk For U-verse Home modem: How can I extract additional fields?

cyborgx
New Member

Hi,

So finally I was able to make my U-Verse modem feed the data into my Splunk AT&T U-Verse add-on, but the only thing I'm getting is "All U-verse Events". The modem model is 5268AC. Is there anything else I can do to make the other feeds work? Such as:

  • U-verse Eventtypes,
  • Firewall Events
  • ICMP Events
  • Allowed Inbound traffic (Pinhole)

etc.

Thanks

0 Karma

japger_splunk
Splunk Employee

Since you appear to be seeing data in the "All U-verse Events" view, it looks like you have the data routed into an index and have the sourcetype set correctly. The eventtypes (eventtypes.conf), tags (need to create tags.conf) and field extractions (props.conf) can be edited on the fly specific to your modem's log format such that you create fields that match the search criteria that populate the dashboard (uverse_main.xml).

0 Karma

cyborgx
New Member

Thanks for the answer. I will try and see what I can do with this information.

0 Karma

cyborgx
New Member

Thanks for the answer. So basically I will have to take the main feed and try to manually digest some of the information, correct?

0 Karma

japger_splunk
Splunk Employee

Unfortunately, the number of log formats and modems from U-Verse makes it tough to come up with default field extractions outside of the 2 modems we initially tested on. I do not have access to U-Verse log files anymore and this app needs to be re-written to be Common Information Model (CIM) compliant. You will need to edit eventtypes.conf such that the [u-verse fw] section identifies the firewall-related event correctly. You will also need to look at the props.conf to get the field extractions (this line: EXTRACT-fw) in place. If I were able to keep this app current, I would align it to this: http://docs.splunk.com/Documentation/CIM/4.9.0/User/NetworkTraffic and make sure the events are tagged (network and communicate) in addition to aligning with field names and their possible field values.

0 Karma
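
As an added illustration of the three files named in the answer above (not taken from the original posts or from the add-on's shipped configuration): a search-time extraction, eventtype and tags for one constructed firewall log line, using CIM Network Traffic field names. The sourcetype placeholder, the sample event, the regex and the `proto` and `fw_verdict` field names are assumptions; only the `[u-verse fw]` stanza name, the `EXTRACT-fw` key and the `network`/`communicate` tags come from the thread.

```ini
# Constructed sample event (NOT real 5268AC output; replace with a line
# copied from your own "All U-verse Events" view and adapt the regex):
#   Jan 12 08:15:02 gateway fw: src=203.0.113.7 dst=192.0.2.10 proto=TCP sport=51512 dport=443 Blocked

# ---- props.conf ----
# Placeholder: use the sourcetype your modem events already carry.
[REPLACE_WITH_YOUR_UVERSE_SOURCETYPE]
# Search-time extraction. Capture names follow the CIM Network Traffic
# model (src, dest, src_port, dest_port). Ports are optional so that
# ICMP lines without sport/dport still match.
EXTRACT-fw = fw:\s+src=(?<src>\d{1,3}(?:\.\d{1,3}){3})\s+dst=(?<dest>\d{1,3}(?:\.\d{1,3}){3})\s+proto=(?<proto>\w+)(?:\s+sport=(?<src_port>\d+)\s+dport=(?<dest_port>\d+))?\s+(?<fw_verdict>Blocked|Allowed)
# CIM expects lower-case transport values such as tcp, udp, icmp.
EVAL-transport = lower(proto)
# CIM "action" values for Network Traffic include allowed and blocked.
EVAL-action = case(lower(fw_verdict)=="blocked", "blocked", lower(fw_verdict)=="allowed", "allowed")

# ---- eventtypes.conf ----
# Stanza name from the thread; the search string is an assumption and
# must match whatever marks a firewall event in your modem's log.
[u-verse fw]
search = sourcetype=REPLACE_WITH_YOUR_UVERSE_SOURCETYPE "fw:" (Blocked OR Allowed)

# ---- tags.conf ----
# The space in the eventtype name is URL-encoded in the stanza header.
[eventtype=u-verse%20fw]
network = enabled
communicate = enabled
```

After editing, a search for `eventtype="u-verse fw"` should return events carrying `src`, `dest`, `transport` and `action`. If the eventtype matches but those fields are empty, the regex does not fit your modem's log lines and needs adjusting against a real event.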