First thing you'll need to do is modify the props.conf in your $SPLUNK_HOME/etc/apps/homemonitor/local/ directory. Here is the entry you should use:
[linksys]
DATETIME_CONFIG = CURRENT
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
pulldown_type = true
EXTRACT-src_ip,dest_ip,linksys_src_port,action = ^(?P<src_ip>[^ ]+) to (?P<dest_ip>[^:]+):(?P<linksys_src_port>[a-z]+) is (?P<action>.+)
LOOKUP-linksys_src_port_lookup = linksys_src_port_lookup linksys_src_port OUTPUTNEW src_port
Once you've modified that file, you'll need to make another change to your transforms.conf in the same location, $SPLUNK_HOME/etc/apps/homemonitor/local/. Here is the entry you'll need to make:
This will require that you change the line REGEX = linksys to REGEX = your router's hostname.
[linksys]
# Make sure that this matches the hostname of your router, linksys is just an example.
REGEX = linksys
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::linksys
DEST_KEY = MetaData:Sourcetype
Lastly, you'll need to make some lookup files that will help get the dashboards populated with data from linksys routers.
First, modify the existing lookup file "action_lookup.csv" and add the following to the end of that file:
blocked, BLOCK
Here's the last lookup file you'll need to populate the dashboards. This basically maps the protocol (https, http, etc.) to src_port (443, 80, ...). Here's the lookup file (linksys_src_port.csv):
Once you've added it, you can put that into your app and make it into an automatic lookup.
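To check what these three pieces of config do to a real event before loading them into Splunk, here is an added Python example (not part of the original answer or the Home Monitor app) that applies the same EXTRACT regex, the host-to-sourcetype routing and the two lookups offline. The lookup column names, the http/https rows and the sample log lines are constructed assumptions; the page only shows the "blocked, BLOCK" row.

```python
import csv
import io
import re

# Field extraction regex copied from the props.conf stanza above.
EVENT_RE = re.compile(
    r"^(?P<src_ip>[^ ]+) to (?P<dest_ip>[^:]+):(?P<linksys_src_port>[a-z]+) is (?P<action>.+)"
)
# transforms.conf: REGEX = linksys is searched (not anchored) against MetaData:Host,
# so any hostname containing "linksys" is routed to the linksys sourcetype.
HOST_RE = re.compile(r"linksys")

# Constructed stand-ins for action_lookup.csv and linksys_src_port.csv.
# Column names and the http/https rows are assumptions, not from the page.
ACTION_LOOKUP_CSV = "action,action_name\nblocked, BLOCK\n"
PORT_LOOKUP_CSV = "linksys_src_port,src_port\nhttps,443\nhttp,80\n"

def load_lookup(text, key, value):
    """Read a two-column CSV lookup into a dict, trimming stray whitespace like ' BLOCK'."""
    return {r[key].strip(): r[value].strip() for r in csv.DictReader(io.StringIO(text))}

def sourcetype_for(host):
    """Mirror the transforms.conf stanza: hosts matching REGEX get sourcetype::linksys."""
    return "linksys" if HOST_RE.search(host) else None

def extract_fields(host, raw, action_lookup, port_lookup):
    """Return the fields Splunk would add to one event, or None when the event is not
    routed to the linksys sourcetype or does not match the EXTRACT regex."""
    if sourcetype_for(host) != "linksys":
        return None
    m = EVENT_RE.match(raw)
    if not m:
        return None
    fields = m.groupdict()
    fields["sourcetype"] = "linksys"
    # LOOKUP ... OUTPUTNEW src_port: src_port is only written when the lookup has a row,
    # so an unknown protocol leaves the event without src_port rather than failing.
    port = port_lookup.get(fields["linksys_src_port"])
    if port is not None:
        fields["src_port"] = port
    name = action_lookup.get(fields["action"])
    if name is not None:
        fields["action_name"] = name
    return fields

if __name__ == "__main__":
    actions = load_lookup(ACTION_LOOKUP_CSV, "action", "action_name")
    ports = load_lookup(PORT_LOOKUP_CSV, "linksys_src_port", "src_port")
    # Constructed sample events in the "<src> to <dst>:<proto> is <action>" shape.
    for host, raw in [("linksys", "192.168.1.5 to 93.184.216.34:https is blocked"),
                      ("linksys", "192.168.1.5 to 10.0.0.2:smtp is blocked"),
                      ("nas", "192.168.1.5 to 10.0.0.2:http is blocked")]:
        print(host, extract_fields(host, raw, actions, ports))
```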