Adding xauthuser to datamodel

jairjr · ‎10-02-2017

I tried to add the xauthuser field to the data model ftnt_fos and after that I get no results any more. Did I break it?

The xauthuser field carries the username that connected to the firewall using an ipsec tunnel, it's a critical field for the vpn dashboard.

jairjr · ‎10-02-2017

In the Splunk web ui I went to Settings/Datamodels, then opened the "Fortinet FOS Log" datamodel:

I disabled acceleration otherwise it does not allow me to edit the datamodel
In the "Firewall Logs" item I added a new extracted field named xauthuser with type string.
Enabled acceleration again.

Now when I go to any Fortigate pre-built dashboard I get "No results".

jerryzhao · ‎10-02-2017

what's the datamodel acceleration progress?

jairjr · ‎10-02-2017

93%, now the dashboards are working. I think I just didn't wait enough, thank you for your help.

jerryzhao · ‎10-02-2017

what file are you changing? the datamodel should be defined in SplunkAppForFortinet/default/data/models/ftnt_fos.json
what are your changes? please paste it here.
which dashboard query on vpn are you adding/customizing?

Adding xauthuser to datamodel

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor