topic Re: How do I make Splunk for Fortigate find data in a specific index where i have my fortigate data? in All Apps and Add-ons

How do I make Splunk for Fortigate find data in a specific index where i have my fortigate data?

bria0029 — Wed, 13 Feb 2013 11:30:46 GMT

I can't get splunk for fortigate to use the index where my fortigate data are placed.
When i put index=fortigate before every search the results are comming up perfectly.

my input look like this:
[udp://5140]
index = fortigate
sourcetype = fortigate
no_ appending_timestamp = true

just to clarify that my data are in index fortigate

Re: How do I make Splunk for Fortigate find data in a specific index where i have my fortigate data?

yannK — Wed, 13 Feb 2013 16:55:12 GMT

go to manager > access control > roles and make the index "fortigate" searchable and searched by default for the users of the fortigate app.

Re: How do I make Splunk for Fortigate find data in a specific index where i have my fortigate data?

bria0029 — Wed, 13 Feb 2013 17:20:43 GMT

Yes, but why is it not nessesery to do this if you are working with splunk for ad or exchange? Also with different indexes and not granted rights in roles.

Re: How do I make Splunk for Fortigate find data in a specific index where i have my fortigate data?

itdepartment — Wed, 24 Dec 2014 18:44:04 GMT

In my recent experience I wanted to do exactly what you described. This is a summary of what I did...

create index fortios5
update data inputs udp and set the destination index for this source to fortios5
copy default/macros.summary to local folder and rename to macros.conf
update local/macros.conf section Base Macros definition = index=fortios5 ...
Based on some info I found here:
http://answers.splunk.com/answers/25843/palo-alto-app-configuration-procedure.html
Also because some dashboards were timing out I needed to update etc/system/local/web.conf to include this setting:
[settings]
splunkdConnectionTimeout = 120
Restart Splunk
Enjoy

Re: How do I make Splunk for Fortigate find data in a specific index where i have my fortigate data?

esix_splunk — Thu, 25 Dec 2014 03:32:12 GMT

You can also check in the App, the eventtypes.conf. You can add the specific index to each eventtype's search. That should quickly fix the issue. Make sure your sourcetype names match what the app is looking for also. Make sure any changes you make, that you put in the local/eventtypes.conf, and dont change the default. (This will keep the changes when you upgrade..)

On a side note, making sure the index is globally searchable is the recommended..