Home Monitor Transforming data

Here is the logic behind the Home Monitor app. All data arriving on UDP port 514 is initially assigned the sourcetype `syslog`. Data from the router (fios.homenetwork.com), firewall (pfsense.homenetwork.com) and switch (switch.homenetwork.com) therefore all come in as `syslog`. The Home Monitor app inspects that syslog data and tries to transform it into a more specific sourcetype that it can then match to the proper field extractions. If you look at `$SPLUNK_HOME/etc/apps/homemonitor/default/transforms.conf`, you will see that each router model has a corresponding stanza. For example, the fios stanza reads:
```ini
[fios]
REGEX = fios
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::fios
DEST_KEY = MetaData:Sourcetype
```
This stanza applies `REGEX` to the host of the incoming event (`SOURCE_KEY = MetaData:Host`); the regex is unanchored and case-sensitive, so if the string `fios` appears anywhere in the hostname the sourcetype is rewritten from `syslog` to `fios`. Let's assume that YOUR router is called HTBDA.myhomenetwork.com. All you need to do is create a new `transforms.conf` file in your `$SPLUNK_HOME/etc/apps/homemonitor/local/` directory and put the following stanza into place:
```ini
[fios]
REGEX = HTBDA
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::fios
DEST_KEY = MetaData:Sourcetype
```
Because the local stanza has the same name, its settings override those of the default `[fios]` stanza, so Splunk will see the hostname HTBDA and transform the sourcetype from `syslog` to `fios`.
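To make the matching rule concrete, here is an added example (not code from the Home Monitor app or from Splunk) that models how the stanzas above rewrite the sourcetype of incoming syslog events. It applies each stanza's `REGEX` to the `MetaData:Host` value and, on a match, sets `MetaData:Sourcetype` from `FORMAT`, and it models the `local/` stanza replacing the `default/` stanza of the same name. The stanza evaluation order, the `pfsense` and `switch` regexes, and the sample hostnames are constructed for the example; the page only shows the `[fios]` stanzas.

```python
import re

# Added example: a simplified model of transforms.conf host-based sourcetype
# rewriting. Not Splunk's own code; the stanza order and "a later match
# overwrites an earlier one" behaviour are assumptions made for this model.

# Stanzas as they would appear in default/transforms.conf. The [fios] stanza
# is the one shown on the page; [pfsense] and [switch] are constructed.
DEFAULT_TRANSFORMS = {
    "fios":    {"REGEX": r"fios",    "SOURCE_KEY": "MetaData:Host",
                "FORMAT": "sourcetype::fios",    "DEST_KEY": "MetaData:Sourcetype"},
    "pfsense": {"REGEX": r"pfsense", "SOURCE_KEY": "MetaData:Host",
                "FORMAT": "sourcetype::pfsense", "DEST_KEY": "MetaData:Sourcetype"},
    "switch":  {"REGEX": r"switch",  "SOURCE_KEY": "MetaData:Host",
                "FORMAT": "sourcetype::switch",  "DEST_KEY": "MetaData:Sourcetype"},
}

# The local/transforms.conf stanza from the page: same name, different REGEX.
LOCAL_TRANSFORMS = {
    "fios": {"REGEX": r"HTBDA", "SOURCE_KEY": "MetaData:Host",
             "FORMAT": "sourcetype::fios", "DEST_KEY": "MetaData:Sourcetype"},
}

# Evaluation order (assumption: the page does not show the props.conf line
# that lists the transforms).
STANZA_ORDER = ["fios", "pfsense", "switch"]


def merge_layers(default, local):
    """A stanza in local/ overrides the settings of the same-named default/ stanza."""
    merged = {name: dict(settings) for name, settings in default.items()}
    for name, settings in local.items():
        merged.setdefault(name, {}).update(settings)
    return merged


def apply_transforms(event, transforms, order=STANZA_ORDER):
    """Return a copy of the event with DEST_KEY rewritten by every matching stanza.

    REGEX is an unanchored, case-sensitive search over SOURCE_KEY, so 'fios'
    matches anywhere in the hostname. FORMAT has the form 'sourcetype::<value>'.
    """
    out = dict(event)
    for name in order:
        stanza = transforms[name]
        source_value = out.get(stanza["SOURCE_KEY"], "")
        if re.search(stanza["REGEX"], source_value):
            _, value = stanza["FORMAT"].split("::", 1)
            out[stanza["DEST_KEY"]] = value
    return out


def classify_hosts(hosts, transforms):
    """Map each host to the sourcetype its syslog events end up with."""
    result = {}
    for host in hosts:
        # Constructed sample event: everything starts life as sourcetype syslog.
        event = {"MetaData:Host": host, "MetaData:Sourcetype": "syslog",
                 "_raw": f"<134>Jan  1 00:00:00 {host} constructed sample line"}
        result[host] = apply_transforms(event, transforms)["MetaData:Sourcetype"]
    return result


# Constructed hostnames: the three from the page, the reader's router, and one
# host that no stanza matches.
SAMPLE_HOSTS = [
    "fios.homenetwork.com",
    "pfsense.homenetwork.com",
    "switch.homenetwork.com",
    "HTBDA.myhomenetwork.com",
    "nas.homenetwork.com",
]

if __name__ == "__main__":
    print("default layer only:")
    for host, st in classify_hosts(SAMPLE_HOSTS, DEFAULT_TRANSFORMS).items():
        print(f"  {host:28s} -> {st}")
    print("default + local override of [fios]:")
    merged = merge_layers(DEFAULT_TRANSFORMS, LOCAL_TRANSFORMS)
    for host, st in classify_hosts(SAMPLE_HOSTS, merged).items():
        print(f"  {host:28s} -> {st}")
```

Running the model shows the side effect of the override: once `local/transforms.conf` sets `REGEX = HTBDA` in `[fios]`, HTBDA.myhomenetwork.com becomes sourcetype `fios`, but a host whose name contains only `fios` falls back to plain `syslog`, because the default regex has been replaced rather than extended. If you need both hostnames to match, put them in one regex (for example `REGEX = fios|HTBDA`) instead of relying on the two layers to combine.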