I am new to Splunk.
After a few hours of research, I changed my UDP 514 (Syslog) index from default to madder_index.
Btw, I don't have sourcetype=watchguard:firebox:syslog, so I also changed it to sourcetype=syslog.
The WatchGuard App is working for me now, but not the WatchGuard add-on.