A lot of the stuff you are missing needs some rules.
That is partly my fault; the data I depended on needs rules with specific names.
Click on the magnifier glass under the graph and see where the data is coming from.
Live logs need a rule with the correct name; look at the search (third line).
| search dest_port=*
| lookup dnslookup clientip as src_ip OUTPUT clienthost as src_host
| iplocation src_ip
| eval City=if(isnull(City) OR City="", "Unknown", City), src_host=if(isnull(src_host) OR src_host="", src_ip, src_host)
| geostats globallimit=0 count by info
Live log needs this as the last FW rule.
add action=drop chain=input comment="Drop all from WAN " in-interface=ether1-Wan log=yes log-prefix=FW_Drop_all_from_WAN
Needs SNMP working. (Splunk uses SNMP to get the data.)
It seems that something has changed in MikroTik logging, so remove the logging rules and change to
add action=remote prefix=MikroTik topics=!debug,!snmp
DHCP pool information
Needs SNMP to work.
MikroTik Remote connection.
This should show VPN, but something has changed in the logging.
From the section "3. VPN logged in ok".
SSH is explained in the first post.
Get data from MikroTik with SSH (only works with the Linux Splunk version).
_ ... key_login)
Add the private key to the folder: MikroTik\bin
Change the script in MikroTik\bin to use the correct key and IP.
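The post stresses that the live-log search only works when the firewall rule logs with the expected log-prefix, because the field extraction keys on that name and `search dest_port=*` silently drops events that never got a dest_port. The following is an added example, not code from the post or from the Splunk app: a small Python parser for the firewall log line RouterOS emits for a rule with log=yes and log-prefix=FW_Drop_all_from_WAN, run over constructed sample lines (the line format is assumed from typical RouterOS syslog output, and the IP addresses, MAC address and ports are made up). It shows which events survive the prefix filter and the dest_port requirement, which is what the Splunk search is doing in the pipeline above.

```python
import re
from typing import Dict, List, Optional

# Assumed RouterOS firewall log format (after the syslog "topics" field):
#   <log-prefix> <chain>: in:<if> out:<if>, src-mac <mac>, proto <PROTO> (<flags>), <src>[:<port>]-><dst>[:<port>], len <n>
# src-mac, the flags block and the ports are optional (ICMP has no ports).
FW_LOG_RE = re.compile(
    r"(?P<prefix>\S+)\s+(?P<chain>\w+):\s+"
    r"in:(?P<in_if>\S+)\s+out:(?P<out_if>\(unknown 0\)|\S+),\s+"
    r"(?:src-mac\s+(?P<src_mac>[0-9A-Fa-f:]+),\s+)?"
    r"proto\s+(?P<proto>\w+)(?:\s+\((?P<flags>[^)]*)\))?,\s+"
    r"(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))?->"
    r"(?P<dest_ip>[\d.]+)(?::(?P<dest_port>\d+))?,\s+"
    r"len\s+(?P<length>\d+)"
)

# Constructed sample lines (not captured from a real router). The first three carry
# the log-prefix from the drop rule in the post; the fourth comes from a different
# rule; the last is not a firewall line at all.
SAMPLE_LINES = [
    "FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, "
    "proto TCP (SYN), 203.0.113.5:54321->198.51.100.2:22, len 60",
    "FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, "
    "proto UDP, 203.0.113.9:5353->198.51.100.2:53, len 64",
    "FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, "
    "proto ICMP (type 8, code 0), 203.0.113.7->198.51.100.2, len 84",
    "other_rule forward: in:ether2 out:ether1-Wan, proto TCP (SYN), "
    "192.168.88.10:4444->203.0.113.5:443, len 60",
    "system,info log rule changed by admin",
]


def parse_fw_line(line: str) -> Optional[Dict[str, object]]:
    """Extract the firewall fields from one log line, or None if it is not a firewall line.

    re.search (not match) is used so a leading syslog header such as
    "MikroTik firewall,info " does not prevent the match.
    """
    m = FW_LOG_RE.search(line)
    if not m:
        return None
    event: Dict[str, object] = m.groupdict()
    for key in ("src_port", "dest_port", "length"):
        if event[key] is not None:
            event[key] = int(event[key])  # type: ignore[arg-type]
    return event


def events_for_prefix(lines: List[str], prefix: str) -> List[Dict[str, object]]:
    """Keep only events logged by the rule with the given log-prefix.

    This is why the rule name matters: a rule with a different log-prefix (or
    without log=yes) produces nothing the search can pick up.
    """
    events = []
    for line in lines:
        event = parse_fw_line(line)
        if event is not None and event["prefix"] == prefix:
            events.append(event)
    return events


def count_by_dest_port(events: List[Dict[str, object]]) -> Dict[int, int]:
    """Count events per destination port, dropping events that have none.

    Mirrors "| search dest_port=*": ICMP drops have no port and fall out here.
    """
    counts: Dict[int, int] = {}
    for event in events:
        port = event["dest_port"]
        if port is None:
            continue
        counts[port] = counts.get(port, 0) + 1  # type: ignore[index]
    return counts


if __name__ == "__main__":
    dropped = events_for_prefix(SAMPLE_LINES, "FW_Drop_all_from_WAN")
    for ev in dropped:
        print(ev["proto"], ev["src_ip"], "->", ev["dest_ip"], ev["dest_port"])
    print(count_by_dest_port(dropped))
```

If the live-log panel stays empty even though the rule is the last one in the input chain, check that the log-prefix on the router matches the name the search expects character for character, and that ICMP-only traffic is not all you are seeing, since those events carry no dest_port and are filtered out by the search.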