Greetings!
I have searched the other related posts on this and still couldn't find a solution to our problem, which is the Fortinet Fortigate App for Splunk is not showing any data.
I have one data input on port 1514/UDP and the sourcetype name is 'Fortinet'. Our regular search/reporting is working fine with the incoming syslog.
I installed the 'Fortinet FortiGate App for Splunk' ver. 1.4 and 'Fortinet Fortigate Add-on for Splunk' ver. 1.4. The only other change I made was to the first section of this file: 'C:\Program Files\Splunk\etc\apps\Splunk_TA_fortinet_fortigate\default\props.conf'
[Fortinet]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false
Currently I see no data in the Fortigate app; it shows 0 for device|virtual domain|session.
If I click on search within the device block, it brings me to a search with no results using string: fgt_logs | stats dc(devid)
Can someone help us get this working?
Thank you in advance,
Lee
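To make the mechanism in the post concrete, here is an added example (not code from the poster, from Splunk, or from the Fortinet add-on) that models what a `TRANSFORMS-*` setting under a props.conf stanza does at index time: the transforms only fire for events whose incoming sourcetype matches the stanza name, and each one rewrites the sourcetype based on a regex over the raw event. The sample FortiGate events, the `force_sourcetype_fgt_*` regexes, the `fgt_*` destination sourcetype names used as routing targets, and the modelling of `fgt_logs` as a selector over those three sourcetypes are all assumptions made for this example, not the add-on's actual transforms.conf or eventtype definitions.

```python
import re

# Constructed sample FortiGate syslog events (not real captures). FortiGate
# logs are key=value pairs; the `type` field decides which sourcetype the
# add-on assigns, and `devid` is what a device count is based on.
SAMPLE_EVENTS = [
    'date=2024-01-15 time=10:22:01 devname="fw-edge-1" devid="FG-EDGE-0001" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.5 dstip=198.51.100.20 action="accept"',
    'date=2024-01-15 time=10:22:03 devname="fw-edge-1" devid="FG-EDGE-0001" logid="0419016384" type="utm" subtype="ips" level="alert" vd="root" severity="high" action="dropped"',
    'date=2024-01-15 time=10:22:05 devname="fw-core-1" devid="FG-CORE-0001" logid="0100032002" type="event" subtype="system" level="information" vd="root" action="login" status="success"',
    'date=2024-01-15 time=10:22:07 devname="fw-core-1" devid="FG-CORE-0001" logid="0000000013" type="traffic" subtype="local" level="notice" vd="dmz" action="deny"',
]

# Stand-ins for the add-on's force_sourcetype_fgt_* transforms. Each mirrors
# the shape of a transforms.conf entry (REGEX over the raw event, DEST_KEY =
# MetaData:Sourcetype). The regexes and destination names are assumptions
# written for this example, not copied from the add-on.
TRANSFORMS = [
    ("force_sourcetype_fgt_traffic", re.compile(r'\btype="?traffic"?'), "fgt_traffic"),
    ("force_sourcetype_fgt_utm", re.compile(r'\btype="?utm"?'), "fgt_utm"),
    ("force_sourcetype_fgt_event", re.compile(r'\btype="?event"?'), "fgt_event"),
]

# Assumption: the app's `fgt_logs` selector is modelled as "any of these three".
FGT_SOURCETYPES = {"fgt_traffic", "fgt_utm", "fgt_event"}


def extract_field(raw, key):
    """Return the value of key=value or key="value" from a FortiGate event, or None.
    The lookbehind stops `type` from matching inside `subtype`."""
    m = re.search(r'(?<![\w-])' + re.escape(key) + r'=(?:"([^"]*)"|(\S+))', raw)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def route_sourcetype(raw, input_sourcetype, props_stanza):
    """Mimic the index-time step: a TRANSFORMS-* setting fires only for events
    whose incoming sourcetype equals the props.conf stanza it is declared in.
    The first matching transform wins; otherwise the sourcetype is unchanged."""
    if input_sourcetype != props_stanza:
        return input_sourcetype
    for _name, regex, dest_sourcetype in TRANSFORMS:
        if regex.search(raw):
            return dest_sourcetype
    return input_sourcetype


def index_events(raw_events, input_sourcetype, props_stanza):
    """Return (sourcetype, raw) pairs as the indexer would store them."""
    return [(route_sourcetype(raw, input_sourcetype, props_stanza), raw) for raw in raw_events]


def sourcetype_counts(indexed):
    """Equivalent of `| stats count by sourcetype` over the indexed events."""
    counts = {}
    for sourcetype, _raw in indexed:
        counts[sourcetype] = counts.get(sourcetype, 0) + 1
    return counts


def distinct_devices(indexed):
    """Approximate `fgt_logs | stats dc(devid)` under the assumption above."""
    devids = {extract_field(raw, "devid") for st, raw in indexed if st in FGT_SOURCETYPES}
    devids.discard(None)
    return len(devids)


if __name__ == "__main__":
    # Case 1: the stanza name matches the input's sourcetype, so the transforms
    # fire and the fgt_* searches see data.
    matched = index_events(SAMPLE_EVENTS, "Fortinet", "Fortinet")
    print(sourcetype_counts(matched), "dc(devid) =", distinct_devices(matched))

    # Case 2: the stanza name does not match the input's sourcetype, so every
    # event keeps its raw sourcetype and anything keyed on fgt_* returns 0.
    unmatched = index_events(SAMPLE_EVENTS, "Fortinet", "some_other_stanza")
    print(sourcetype_counts(unmatched), "dc(devid) =", distinct_devices(unmatched))
```

Two practitioner caveats that follow from this model: `TRANSFORMS-*` settings are index-time, so they take effect only on the Splunk instance that parses the data (indexer or heavy forwarder), only after that instance is restarted, and never for events that were already indexed before the change. Separately, edits under an app's `default/` directory are overwritten on upgrade; the supported place for a local override such as the stanza quoted in the post is the app's `local/` directory.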