topic Re: Fortinet Fortigate App for Splunk Empty Dashboards in All Apps and Add-ons

Fortinet Fortigate App for Splunk Empty Dashboards

spiced — Tue, 24 Mar 2020 15:51:41 GMT

I installed the Fortinet FortiGate App 1.5.1 for Splunk as well as the Fortinet FortiGate Add-On 1.6.2 for Splunk and configured the sourcetype in the props.conf file.

After that I restarted the Splunk service. When I open the Fortinet FortiGate App and go to the Fortinet Network Security Overview I have nice dashboards with data.

However the dashboards such as Traffic and VPN are all emtpy, even though when I open the according Searches and Reports I have data. Do I need to do something else to get the other dashboards working? I use Splunk 7.3.0.

Re: Fortinet Fortigate App for Splunk Empty Dashboards

jerryzhao — Wed, 30 Sep 2020 04:41:49 GMT

Did you enable data model acceleration?
5. Enable Data Model Acceleration:
Since version 1.5.0 of the app, data model acceleration is no longer enabled in default/datamodels.conf. User has to either enable data acceleration on Splunk GUI Settings->Data Models->Fortinet FoS Log.
Or on Splunk search head, where the app is installed, create "local" folder under $SPLUNK_HOME/etc/apps/SplunkAppForFortinet/ and create a file in this "local" folder named datamodels.conf with the following content:

[ftnt_fos]
acceleration = 1
acceleration.earliest_time = -1mon

https://splunkbase.splunk.com/app/2800/#/details

Re: Fortinet Fortigate App for Splunk Empty Dashboards

spiced — Fri, 27 Mar 2020 13:30:40 GMT

Thank you @jerryzhao after I enabled the Data Model Acceleration, the dashboards contained the data.

Re: Fortinet Fortigate App for Splunk Empty Dashboards

BrendanCO — Fri, 15 May 2020 22:04:41 GMT

Hello all! I also am having this issue. My FoS data model is accelerated. When I go to the traffic dashboard, it's all there. When I go to the Overview dashboard, it is blank. Actually most of the fields are stuck on "waiting for data".

Thoughts?

Re: Fortinet Fortigate App for Splunk Empty Dashboards

jerryzhao — Fri, 15 May 2020 22:24:49 GMT

overview dashboard is different from other dashboards. because overview page is for real time logs. Can you check in search&reporting if the logs are coming in in real time? are all your servers' time in sync?

Re: Fortinet Fortigate App for Splunk Empty Dashboards

BrendanCO — Mon, 18 May 2020 20:32:42 GMT

They are indeed coming in in real time. Yes to time sync. It's weird. All of the other dashboards are working.

Re: Fortinet Fortigate App for Splunk Empty Dashboards

jerryzhao — Mon, 18 May 2020 21:22:16 GMT

can you try running fgt_logs query for last 10 minutes in real time streaming in search and reporting app?
the overall dashboard runs the same query.

Re: Fortinet Fortigate App for Splunk Empty Dashboards

jerryzhao — Wed, 30 Sep 2020 05:28:13 GMT

fgt_logs macro needs to be put in query field: `fgt_logs`

Re: Fortinet Fortigate App for Splunk Empty Dashboards

BrendanCO — Mon, 18 May 2020 22:02:11 GMT

So do you mean just put 'fgt_logs' in the search field? i don't see anything, either real time or all time for that

Re: Fortinet Fortigate App for Splunk Empty Dashboards

jerryzhao — Tue, 19 May 2020 00:51:24 GMT

please copy exact the string `fgt_logs` and paste in search. it is not single quote.

if there is still no result, can you check whether you use cutomized index name? can you check following:
If a customized index is used for the input, it also needs to be added in admin user's default authorized list of indexes to search.
In $SPLUNK_HOME/etc/system/local/authorize.conf

[role_admin]
srchIndexesDefault = fgt;main
srchMaxTime = 8640000
In this example, fgt is the index for my fortigate log input.

Re: Fortinet Fortigate App for Splunk Empty Dashboards

BrendanCO — Fri, 10 Jul 2020 19:18:28 GMT

Sorry for the delay in response. Was laid off for a bit. So when i put in 'fgt_logs' in the search field, I don't get anything. My index is simply called "fortigate". I updated authorize.conf to the following:

[role_admin]
grantableRoles = admin
srchIndexesAllowed = *;_*;fortinet;main;paloalto;fgt
srchIndexesDefault = main
srchMaxTime = 8640000

Do I need to create a new index called fgt_logs?

Re: Fortinet Fortigate App for Splunk Empty Dashboards

Suirand1 — Fri, 05 Feb 2021 09:58:59 GMT

I installed Add-on installed FortigateAPP for splunk. Enabled data model acceleration. "Traffic dashboard" is showing results, however Overview dashboard is empty. Most of the macros searches is not returning any results. I am ingesting fortigate logs via SC4S, by default they goes to "netfw" - index, SC4S-source, fgt_traffic -sourcetype.

I also added local/props.conf for Add-on :

[fortinet]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false

Any ideas why macros are failing?

Re: Fortinet Fortigate App for Splunk Empty Dashboards

islam — Mon, 31 May 2021 12:40:56 GMT

i faces same issue, and i just added the search of each dashboard on the app with index=xxx at the beginning of the search, then all dashboards worked fine