https://community.splunk.com/t5/Security/Splunk-ES-fortinet-new-source/m-p/661250#M17332 <P>I strongly encourage you to take the free Using Splunk ES (<A href="https://education.splunk.com/Saba/Web_spf/NA10P2PRD105/guestapp/ledetail/cours000000000003591?_gl=1*17grqji*_ga*NTI4NDA2MDg1LjE2MzM3MzY4Nzg.*_ga_GS7YF8S63Y*MTY5NzY0NjM1Ny40OTMuMS4xNjk3NjQ4MzAwLjYwLjAuMA..*_ga_5EPM2P39FV*MTY5NzY0NjM1Ny42MzMuMS4xNjk3NjQ4MzA5LjAuMC4w&amp;_ga=2.11183857.436315429.1690734112-528406085.1633736878#/guest/trqledetail/cours000000000003591" target="_self">Using Splunk Enterprise Security</A>&nbsp;) and the (not free) Administering Splunk ES (<A href="https://education.splunk.com/Saba/Web_spf/NA10P2PRD105/guestapp/ledetail/cours000000000003224?_gl=1*17grqji*_ga*NTI4NDA2MDg1LjE2MzM3MzY4Nzg.*_ga_GS7YF8S63Y*MTY5NzY0NjM1Ny40OTMuMS4xNjk3NjQ4MzAwLjYwLjAuMA..*_ga_5EPM2P39FV*MTY5NzY0NjM1Ny42MzMuMS4xNjk3NjQ4MzA5LjAuMC4w&amp;_ga=2.11183857.436315429.1690734112-528406085.1633736878#/guest/trqledetail/cours000000000003224" target="_self">Administering Splunk Enterprise Security</A>&nbsp;) courses.</P><P>ES uses correlation searches to create notable events.&nbsp; A CS is like a saved search, but will a few added attributes.&nbsp; You can create a CS in ES by going to Configuration-&gt;Content Management and clicking on the New Correlation Search button.</P> Wed, 18 Oct 2023 17:19:24 GMT richgalloway 2023-10-18T17:19:24Z https://community.splunk.com/t5/Security/Splunk-ES-fortinet-new-source/m-p/661208#M17331 <P>Hello,</P><P><BR />I was given the administration of a Splunk Enterprise Security and I am not familiarized, I have always used manual queries from "Search &amp; reporting" I have the knowledge level of Fundamentals 1 and 2.</P><P>Splunk ES currently works and I can see noticeable events from paloalto firewalls but recently configured fortinet logs and these are already coming in under an index called fortinet, when doing a normal query with index=fortinet I can see events but I see nothing from Splunk ES.</P><P>Exactly what do I need to do to get the fortinet events to be taken into account by Splunk ES and start logging notable events?</P> Wed, 18 Oct 2023 14:45:50 GMT https://community.splunk.com/t5/Security/Splunk-ES-fortinet-new-source/m-p/661208#M17331 splunkcol 2023-10-18T14:45:50Z https://community.splunk.com/t5/Security/Splunk-ES-fortinet-new-source/m-p/661250#M17332 <P>I strongly encourage you to take the free Using Splunk ES (<A href="https://education.splunk.com/Saba/Web_spf/NA10P2PRD105/guestapp/ledetail/cours000000000003591?_gl=1*17grqji*_ga*NTI4NDA2MDg1LjE2MzM3MzY4Nzg.*_ga_GS7YF8S63Y*MTY5NzY0NjM1Ny40OTMuMS4xNjk3NjQ4MzAwLjYwLjAuMA..*_ga_5EPM2P39FV*MTY5NzY0NjM1Ny42MzMuMS4xNjk3NjQ4MzA5LjAuMC4w&amp;_ga=2.11183857.436315429.1690734112-528406085.1633736878#/guest/trqledetail/cours000000000003591" target="_self">Using Splunk Enterprise Security</A>&nbsp;) and the (not free) Administering Splunk ES (<A href="https://education.splunk.com/Saba/Web_spf/NA10P2PRD105/guestapp/ledetail/cours000000000003224?_gl=1*17grqji*_ga*NTI4NDA2MDg1LjE2MzM3MzY4Nzg.*_ga_GS7YF8S63Y*MTY5NzY0NjM1Ny40OTMuMS4xNjk3NjQ4MzAwLjYwLjAuMA..*_ga_5EPM2P39FV*MTY5NzY0NjM1Ny42MzMuMS4xNjk3NjQ4MzA5LjAuMC4w&amp;_ga=2.11183857.436315429.1690734112-528406085.1633736878#/guest/trqledetail/cours000000000003224" target="_self">Administering Splunk Enterprise Security</A>&nbsp;) courses.</P><P>ES uses correlation searches to create notable events.&nbsp; A CS is like a saved search, but will a few added attributes.&nbsp; You can create a CS in ES by going to Configuration-&gt;Content Management and clicking on the New Correlation Search button.</P> Wed, 18 Oct 2023 17:19:24 GMT https://community.splunk.com/t5/Security/Splunk-ES-fortinet-new-source/m-p/661250#M17332 richgalloway 2023-10-18T17:19:24Z