amiracle / homemonitor

Splunk app for home monitor

Logs not feeding through when index set to homemonitor #18

Open tomclewes opened 5 years ago

tomclewes commented 5 years ago

So I have been trying to setup and play around with pfsense and homemonitor in Splunk.

Pfsense (10.0.1.254) is up and running and sending its logs on port 514 to Splunk (10.0.1.107). However, having installed homemonitor, the data does not seem to be populating. I have looked up various videos and followed them step by step, but it does not seem to populate the data when the index is set to homemonitor.

When I bypass homemonitor and set the index to default, the logs from my pfsense box come through, which proves that the logs are reaching my pfsense box but are falling short when being fed into homemonitor.

amiracle commented 4 years ago

I’m going to be making a modification to remove the index requirement and just use the main index. I’ll create a macro for the compatibility with older app deployments.

gawainXX commented 4 years ago

I've been working on something identical to what you describe today. After digging into it I found that I needed to do a couple of things as the fields and values being requested by the dashboard objects differed from the logs.

I've then seen data begin populating after tweaking these search values and saving.

Here is an example of me fixing the inbound event panel: https://imgur.com/a/YurLqfG

As for why the index isn't showing up in your search, I think that you'd have to specify index="homemonitor" in your query, as only "main" seems to show up in searches that don't specify an index. I "think" this is expected behavior for Splunk, but I'm pretty new to the product.
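An added configuration example, not taken from the homemonitor app or from any commenter, that ties the thread together: it routes the pfSense syslog feed described above into a `homemonitor` index, gives that index to the default role's search scope (the reason gawainXX saw only `main`), and defines the compatibility macro amiracle mentions. The `pfsense` sourcetype, the macro name and the role name are assumptions; the addresses and port come from the issue.

```ini
# --- inputs.conf (assumed location: $SPLUNK_HOME/etc/system/local/) ---
# Listen for pfSense syslog on UDP 514 (page value) and write it to the
# homemonitor index instead of the default one. Without "index", events
# land in main, which is the symptom the reporter describes.
[udp://514]
index = homemonitor
sourcetype = pfsense
connection_host = ip
# Constructed allow list: only accept the pfSense box from the issue.
acceptFrom = 10.0.1.254

# --- indexes.conf ---
# The index must exist before the input can write to it; Splunk silently
# drops events sent to an undefined index (check splunkd.log for
# "received event for unconfigured/disabled/deleted index").
[homemonitor]
homePath   = $SPLUNK_DB/homemonitor/db
coldPath   = $SPLUNK_DB/homemonitor/colddb
thawedPath = $SPLUNK_DB/homemonitor/thaweddb

# --- authorize.conf ---
# Searches that omit "index=" only scan the role's default indexes,
# which is why only main appeared. Adding homemonitor fixes that
# without requiring every panel to name the index explicitly.
[role_user]
srchIndexesAllowed = main;homemonitor
srchIndexesDefault = main;homemonitor

# --- macros.conf (hypothetical macro name) ---
# Compatibility macro: dashboards call `homemonitor_index` and the
# search works whether events sit in homemonitor (new deployments)
# or main (older ones that never created the index).
[homemonitor_index]
definition = (index=homemonitor OR index=main)
iseval = 0
```

A quick check after restarting Splunk is `| tstats count where index=homemonitor by sourcetype`, which confirms events are actually being written to the index rather than only being searchable through `main`.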