Getting Data In

Trouble getting data into Fortigate app

rogerv
New Member

Hi

Running Fortigate 80c with v4.0 MR3. I've downloaded and installed the Fortigate Splunk app but I'm having trouble getting data into it. I can see data coming into Splunk from the Fortigate via Manager > Apps > Search. I seem to have one source called fortigate with data labelled in this as
host=machinename, sourcetype=fortigate, source=fortigate etc. This input increases, so information is getting in, but it just doesn't seem to be indexed properly for the Splunk Fortigate app.

The inputs.conf is as follows:

[udp://514]
connection_host=int ip of fortigate
sourcetype=fortigate
no_appending_timestamp=true

I'm fairly new to Splunk so I've probably got something not configured or misconfigured. Can somebody help?

0 Karma

saurabh_tek
Communicator

Hello Splunkers,

I am facing the same issue. I have the Fortinet logs indexed into the single instance of Splunk and can see the events in the search as index=fortinet_data_index, but the Fortinet app is not showing the dashboard. Sometimes it says 'waiting for data...' and on another instance it is showing "fgt_logs" in the dashboard.

I am using 'Fortinet FortiGate Add-On for Splunk' and 'Fortinet FortiGate App for Splunk' on both the machines.

Please suggest why the logs are not detected in the dashboards of the Fortinet app when they are visible in search with source=fortinet.

Any lead in this direction will be appreciated.

- Saurabh
0 Karma

sirajnp
Path Finder

Splunkers,

I faced the same issue; however, I managed to resolve it.

0 Karma

hojinpk
New Member

Hi Maik, did you solve the problem? I am suffering from the same problem. Help me, don't leave me alone. Thank you in advance.

0 Karma

maikfischer
Engager

Hi,

It seems that I am having the same trouble as rogerv (by the way: is it solved? How?).

Logging from e.g. a FortiGate 60C, v4.3, to Splunk (I had to work with props.conf and transforms.conf, as there are multiple devices sending logs to udp/514).

"search sourcetype=fortigate*" shows events, but only sourcetype=fortigate, no sourcetypes like fortigate_traffic or similar.

On the FortiGates, "Enable CSV Format" is unchecked...

Any ideas?

regards,

Maik

0 Karma
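The pattern both rogerv and Maik are describing (everything lands as sourcetype=fortigate, nothing as fortigate_traffic) is usually an index-time sourcetype rewrite that never fires. The three stanzas below are an added, constructed example of how such a rewrite is wired together in Splunk's own inputs.conf / props.conf / transforms.conf; they are not taken from the Fortinet app or add-on, and the sourcetype names fortigate_traffic and fortigate_event, the stanza names, and the assumption that the FortiGate sends key=value syslog (CSV format disabled, as wesleyveloso notes) with a type=traffic / type=event field are all assumptions for illustration. The real target sourcetype names must be taken from the props.conf shipped with the app version you installed.

```ini
# inputs.conf -- receive syslog on UDP/514 and tag it with the base sourcetype.
# Same stanza shape as the original post; connection_host is omitted here
# because a fixed value ("ip" or "dns") is easier to reason about than a literal address.
[udp://514]
sourcetype = fortigate
connection_host = ip
no_appending_timestamp = true

# props.conf -- on every event that arrives as "fortigate", run the
# sourcetype-rewriting transforms listed here, in order, at index time.
# (TRANSFORMS-* only affects data indexed after the change; already-indexed
# events keep sourcetype=fortigate.)
[fortigate]
TRANSFORMS-fortigate_set_sourcetype = fortigate_st_traffic, fortigate_st_event

# transforms.conf -- inspect the FortiGate key=value body and rewrite the
# sourcetype metadata key. The "type=" field name and the two target
# sourcetype names are assumptions; check a real event with
#   sourcetype=fortigate | head 5
# before relying on them.
[fortigate_st_traffic]
REGEX = (?:^|\s)type=traffic(?:\s|$)
FORMAT = sourcetype::fortigate_traffic
DEST_KEY = MetaData:Sourcetype

[fortigate_st_event]
REGEX = (?:^|\s)type=event(?:\s|$)
FORMAT = sourcetype::fortigate_event
DEST_KEY = MetaData:Sourcetype
```

To verify the rewrite after a restart and some fresh traffic, run `sourcetype=fortigate* | stats count by sourcetype` over the last few minutes: if the count is still entirely under fortigate, either the regex does not match the actual event text (CSV format still enabled, or a different field name) or the props.conf stanza is not in an app scope that the indexer reads.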

wesleyveloso
New Member

On the fortigate uncheck the box "Enable CSV Format"

0 Karma

dart
Splunk Employee

Hi, do you have an example of what's not working? If you just run a search for sourcetype=fortigate, what fields are displayed on the left hand side?

0 Karma