2018: Fortinet Fortigate Add-on for Splunk: When I...

jasonf3000 · ‎05-02-2018

Hi -
I've installed the Fortinet Fortigate Add-on (splunkbase app id: 2846) https://splunkbase.splunk.com/app/2846/ Add-on, and it shows a dashboard - however, I'm not able to see any pre-built dashboard.

I do have data coming in, and can search, but was hoping to leverage the prebuilt dashboard from Fortinet add-on.

Is it required I install the older "App" as well? (splunkbase app id 2800) https://splunkbase.splunk.com/app/2800/

xpac · ‎05-02-2018

Usually, an add-on or TA (short for technical add-on) is only responsible for the data input and parsing, e.g. properly indexing and parsing the data, making it CIM compliant etc.
If you want to have any "visual user experience" stuff, like dashboards/searches, you need to install the app, because that's what usually brings all those things.

In some cases the app is "the add-on plus dashboards", but in this case you need to have the app AND the add-on installed, according to the manual of the app.

Therefore, install both on the Splunk instances mentioned in the manual, and make sure to follow both manuals for installation instructions (especially the part that your data has to be indexed with sourcetype=fgt_log. Then everything should work out.

2018: Fortinet Fortigate Add-on for Splunk: When I run a search, I can see events, but why am I unable to see data in any dashboards?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!