How do I change index in the SonicWall Analytics app?

faydia
New Member

Can I change the index in the SonicWall Analytics app from "index=sonicwall" to "index=sonicwall_fw"? When I tried to change it from data inputs it says that the port is already being used. I am receiving the logs of the firewall and indexing them by the name of sonicwall_fw, but the app needs the index named sonicwall. So how do I link the app to index sonicwall_fw instead of index sonicwall?

When I tried to change it from data inputs I get an error message saying that the port is already being used.


ekost
Splunk Employee

Yes it can. However, I took a quick look at that app, and they've embedded index=sonicwall into about ~20 files, including dashboard .xml and .js files. Here are the two popular options:
1. Make your own copy of the app, customizing the various configs with your custom index name. It's all text files, so it's actually pretty quick. But, once you customize the app any automatic upgrades to the app will not work for you. In fact, if you auto-upgrade by accident, it'll break your customized app until you've gone back and fixed everything.
2. Create the 'sonicwall' index as they recommend, and write your data there.


adonio
Ultra Champion

check if the app has eventtypes or macros that refer to index = sonicwall.
you can go to settings -> all configurations -> pick the sonicwall app only -> inspect the eventtypes / macros.
verify whether the saved searches rely on those
modify the relevant macros and eventtypes
good luck

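Both answers come down to the same job: find every place the app hard-codes index=sonicwall and point it at sonicwall_fw instead. As an added example (not code from this thread, from Splunk, or from the SonicWall app), here is a small Python script for option 1 in ekost's answer: it walks your own copy of the app, rewrites the index reference in .conf, .xml and .js files, reports what it touched, and is safe to run twice. The file names and contents it builds are constructed stand-ins, not the real app's files.

```python
import re
import tempfile
from pathlib import Path

def rewrite_index(text: str, old: str, new: str) -> tuple[str, int]:
    """Rewrite index=OLD, index = OLD and index="OLD" to NEW. The trailing word
    boundary keeps an already-renamed index=sonicwall_fw from matching, so a second pass is a no-op."""
    pattern = re.compile(r'(index\s*=\s*"?)' + re.escape(old) + r"\b")
    return pattern.subn(lambda m: m.group(1) + new, text)

def rewrite_app(app_dir: Path, old: str, new: str, dry_run: bool = True) -> dict[str, int]:
    """Walk the app copy and rewrite .conf/.xml/.js files (the places the thread says
    the index is embedded). Returns {relative path: replacements}; dry_run only reports."""
    changed = {}
    for path in sorted(app_dir.rglob("*")):
        if not path.is_file() or path.suffix not in {".conf", ".xml", ".js"}:
            continue
        new_text, count = rewrite_index(path.read_text(encoding="utf-8"), old, new)
        if count:
            changed[path.relative_to(app_dir).as_posix()] = count
            if not dry_run:
                path.write_text(new_text, encoding="utf-8")
    return changed

# Constructed stand-ins for the app's files (hypothetical contents, not the real app).
SAMPLE_FILES = {
    "default/macros.conf": "[sonicwall_base]\ndefinition = index=sonicwall sourcetype=sonicwall\n",
    "default/eventtypes.conf": "[sonicwall_vpn]\nsearch = index = sonicwall category=VPN\n",
    "default/data/ui/views/overview.xml": '<dashboard><search><query>index="sonicwall" | stats count</query></search></dashboard>\n',
    "appserver/static/app.js": 'var done = "index=sonicwall_fw"; var todo = "index=sonicwall";\n',
    "README.txt": "Requires index=sonicwall\n",  # not a .conf/.xml/.js file, left alone
}

def run_demo(old: str = "sonicwall", new: str = "sonicwall_fw") -> tuple[dict[str, int], dict[str, int]]:
    """Build the sample app in a temp dir, rewrite it, then run a second pass."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "SonicWall_Analytics_custom"
        for rel, body in SAMPLE_FILES.items():
            (app / rel).parent.mkdir(parents=True, exist_ok=True)
            (app / rel).write_text(body, encoding="utf-8")
        return rewrite_app(app, old, new, dry_run=False), rewrite_app(app, old, new, dry_run=False)

if __name__ == "__main__":
    first, second = run_demo()
    for rel, n in first.items():
        print(f"{rel}: {n} replacement(s)")
    print("second pass (should be empty):", second)
```

Run it with dry_run=True against your copied app first to get the list of files you will have to re-check after any future app upgrade, which is the maintenance cost ekost warns about.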