
Configure home monitor app for Splunk

Kamilo Amir edited this page May 27, 2017 · 3 revisions

Configure home | monitor > app for Splunk

After you have installed and set up the home | monitor > app for Splunk, you might need to configure the source type manually or edit transforms.conf with your router's hostname. The app looks at the hostname of the router / modem / firewall that sends the data and automatically applies the matching source type to events arriving on the enabled UDP syslog input.

Example Lab Network setup

(Please note, this is just an example, your network might vary.)

  1. Asus RT-66U Router name is asus.home.com (192.168.1.1)
  2. Splunk Server IP is 192.168.1.2
  3. Router sending data to Splunk via UDP port 514

host: asus.home.com sourcetype: syslog

(The host field is what the app matches on. The source of events from a UDP input is the input itself, so the hostname Splunk records for the sender is what needs to line up with the configuration below.)

When the Splunk server receives the data, it looks at the incoming feed and then at the configuration files: props.conf first, which names the transforms to run, and then transforms.conf, which defines them. Let's look at the first stanza in the props.conf file:

`[syslog]`
`TRANSFORMS-changesourcetype = asus, fios, link sys, mikro, netgear, openwrt, pfsense, quantum, sophos, skyhub, tomato`

This tells Splunk: if data comes in with the source type syslog, run the listed transforms, each of which can change the source type to one of these device types. The names in the list are stanzas in transforms.conf, which is where the actual rule lives. Let's look at the asus entry in transforms.conf:

`[asus]`
`# Make sure that this matches the hostname of your router, asus is just an example.`
`REGEX = asus`
`SOURCE_KEY = MetaData:Host`
`FORMAT = sourcetype::asus`
`DEST_KEY = MetaData:Sourcetype`

In transforms.conf, Splunk looks at the host the data is coming from (SOURCE_KEY = MetaData:Host) and tries to match it against the REGEX entry. Since the name of our example router is asus.home.com, it matches asus, and Splunk replaces the source type syslog with asus for that event. Note that the REGEX is unanchored and case-sensitive: it matches anywhere in the hostname (asus.home.com and myasus-lab both match), but ASUS.home.com does not. The transforms in the list run in order, so if more than one REGEX matches a host, the last matching entry sets the source type.

If your device's hostname is different from the manufacturer name, simply replace REGEX = asus with (a pattern matching) the hostname of your device. Make this change in the local directory of the app, not in default, so it survives upgrades: $SPLUNK_HOME/etc/apps/homemonitor/local/transforms.conf

A few things to check if the source type does not change as expected:

  1. Look at the host field on the raw syslog events. A UDP input records the sender's IP address by default (connection_host = ip), so the host may show up as 192.168.1.1 rather than asus.home.com, and REGEX = asus will not match. Either set connection_host = dns on the [udp://514] stanza in inputs.conf, or make the REGEX match what Splunk actually records.
  2. These are index-time transforms: they run on the Splunk instance that parses the data (here the Splunk server receiving the UDP feed), and they only affect events indexed after the change. Events already on disk keep sourcetype syslog.
  3. Restart Splunk after editing props.conf or transforms.conf, and confirm the effective settings and which file they come from with `$SPLUNK_HOME/bin/splunk btool transforms list asus --debug` and `$SPLUNK_HOME/bin/splunk btool props list syslog --debug`.
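To make the props.conf / transforms.conf interaction above concrete, here is a small Python emulation of the routing Splunk performs at index time. It is an added example, not code from the app: it parses constructed copies of the two stanzas (trimmed to asus and pfsense), applies the TRANSFORMS-changesourcetype list to events from several constructed hostnames, and shows the two failure modes discussed above (an IP address as host, and a case mismatch) alongside the unanchored match. The stanza contents mirror the ones quoted on this page; the sample hostnames and the helper names are assumptions for the example.

```python
import configparser
import re

# Constructed stand-ins for the app's props.conf and transforms.conf, trimmed to
# two router stanzas. They are not the files shipped with the app.
PROPS_CONF = """
[syslog]
TRANSFORMS-changesourcetype = asus, pfsense
"""

TRANSFORMS_CONF = """
[asus]
# Make sure that this matches the hostname of your router, asus is just an example.
REGEX = asus
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::asus
DEST_KEY = MetaData:Sourcetype

[pfsense]
REGEX = pfsense
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::pfsense
DEST_KEY = MetaData:Sourcetype
"""


def load_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep REGEX, SOURCE_KEY, TRANSFORMS-... as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def apply_transforms(meta, props, transforms):
    """Emulate index-time TRANSFORMS-* for one event.

    meta is the event's metadata, e.g. {"MetaData:Host": "asus.home.com",
    "MetaData:Sourcetype": "syslog"}. Splunk looks up the props stanza for the
    incoming sourcetype, then runs each named transform in list order; every
    transform whose REGEX matches SOURCE_KEY writes FORMAT's value into
    DEST_KEY, so the last matching entry wins. Returns a copy; meta is untouched.
    """
    out = dict(meta)
    stanza = props.get(out.get("MetaData:Sourcetype", ""), {})
    for key, value in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",") if n.strip()):
            t = transforms[name]
            haystack = out.get(t.get("SOURCE_KEY", "_raw"), "")
            # Splunk's REGEX is unanchored and case-sensitive (PCRE defaults).
            if re.search(t["REGEX"], haystack):
                _field, _, new_value = t["FORMAT"].partition("::")  # "sourcetype::asus"
                out[t["DEST_KEY"]] = new_value
    return out


def route(hosts, props=None, transforms=None):
    """Return {host: resulting sourcetype} for syslog events sent by each host."""
    props = props if props is not None else load_conf(PROPS_CONF)
    transforms = transforms if transforms is not None else load_conf(TRANSFORMS_CONF)
    result = {}
    for host in hosts:
        meta = {"MetaData:Host": host, "MetaData:Sourcetype": "syslog"}
        result[host] = apply_transforms(meta, props, transforms)["MetaData:Sourcetype"]
    return result


if __name__ == "__main__":
    # Constructed sample hosts: the documented router, an IP-only host (the UDP
    # input default), a case mismatch, a second vendor, and an unanchored match.
    sample_hosts = ["asus.home.com", "192.168.1.1", "ASUS.home.com",
                    "pfsense.home.com", "myasus-lab"]
    for host, sourcetype in route(sample_hosts).items():
        print(f"{host:18} -> {sourcetype}")
```

Running it shows asus.home.com and myasus-lab routed to asus, pfsense.home.com to pfsense, and both 192.168.1.1 and ASUS.home.com left as syslog. If your own router shows up in the last group, fix the host field (connection_host) or the REGEX rather than the props.conf list.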

Next Step : Understanding Transforming Data