Can I use the Splunk for Fortigate app to analyze a .log file?
Hi,
I have a .log file from a Fortigate firewall. Can I use it in the "Splunk for Fortigate" application? If yes, how?
Thank you

At what point are you seeing the error: "Your entry was not saved. The following error was reported: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data."?

The Fortigate app is rather old and doesn't appear to have been tested with the 6.x version of Splunk. You may want to email the author about that and see if it is still under active development. That being said, I don't see anything in the app that would prevent it from working in Splunk 6.x.
What version of FortiOS are you using? The readme file in the app says that version 4.0MR3 is supported.
Try putting a file called inputs.conf in $SPLUNK_HOME/etc/apps/Splunk_Fortigate/local/
with the following contents:
[monitor://<full path to your log file>]
sourcetype = fortigate
After that file is in there, restart Splunk and your log file should be read in and processed.
I have FortiOS 4.0MR3.
I created an inputs.conf file, but that doesn't change anything.

Can you post the inputs.conf file here and the path where it's located? Also, in your original post, you mentioned something about a JSON.parse error, at what point were you getting that?
OK.
Example:
date=2014-04-16 time=00:01:38 devname=### id=### log_id=0021000002 type=traffic subtype=allowed pri=notice vd=CECA1022_01 src=10.40.13.111 src_port=33214 src_int=\"IN_CECA1022_01\" dst=74.125.132.105 dst_port=80 dst_int=\"OUT_CECA1022_01\" SN=50254608 status=accept policyid=20901 dst_country=\"United States\" src_country=\"Reserved\" dir_disp=org tran_disp=snat tran_sip=109.1.143.84 tran_sport=49458 service=HTTP proto=6 duration=10 sent=2344 rcvd=55568 sent_pkt=42 rcvd_pkt=40
date=2014-04-16 time=00:01:39 devname=### id=### log_id=0021000002 type=traffic subtype=allowed pri=notice vd=CECA1022_01 src=10.240.10.180 src_port=4463 src_int=\"IN_CECA1022_01\" dst=173.194.40.157 dst_port=443 dst_int=\"OUT_CECA1022_01\" SN=50252208 status=accept policyid=20901 dst_country=\"United States\" src_country=\"Reserved\" dir_disp=org tran_disp=snat tran_sip=109.1.143.84 tran_sport=53731 service=HTTPS proto=6 duration=241 sent=3501 rcvd=1580 sent_pkt=19 rcvd_pkt=20
date=2014-04-16 time=00:01:40 devname=### id=### log_id=0021000002 type=traffic subtype=allowed pri=notice vd=CECA1022_01 src=10.40.1.33 src_port=3113 src_int=\"IN_CECA1022_01\" dst=217.27.250.189 dst_port=80 dst_int=\"OUT_CECA1022_01\" SN=50254468 status=accept policyid=20901 dst_country=\"United Kingdom\" src_country=\"Reserved\" dir_disp=org tran_disp=snat tran_sip=109.1.143.84 tran_sport=36005 service=HTTP proto=6 duration=30 sent=902 rcvd=964 sent_pkt=6 rcvd_pkt=5
date=2014-04-16 time=00:01:40 devname=### id=### log_id=0021000002 type=traffic subtype=allowed pri=notice vd=CECA1022_01 src=10.40.13.111 src_port=33220 src_int=\"IN_CECA1022_01\" dst=74.125.132.105 dst_port=80 dst_int=\"OUT_CECA1022_01\" SN=50254615 status=accept policyid=20901 dst_country=\"United States\" src_country=\"Reserved\" dir_disp=org tran_disp=snat tran_sip=109.1.143.84 tran_sport=41288 service=HTTP proto=6 duration=10 sent=2344 rcvd=55568 sent_pkt=42 rcvd_pkt=40
I was given a log file recovered from a Fortigate firewall, and I have to analyze it.
I use the latest version, 6.1.
And I'm new to Splunk.
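As an added example (not code from the original thread or from the Fortigate app), a small Python parser for the FortiOS 4.0 MR3 key=value traffic lines posted above. It runs on a constructed, shortened sample in the same format, checks that every event carries the fields an ingestion pipeline needs, and totals bytes per destination for accepted sessions, which is a quick way to confirm the file is well-formed before pointing Splunk at it.

```python
"""Parse FortiOS 4.0 MR3 style key=value traffic logs and summarise them."""
import re
from collections import defaultdict

# Constructed sample in the format posted above (devname/id masked as in the
# post, most fields dropped for brevity); not the poster's real log data.
SAMPLE_LOG = r'''
date=2014-04-16 time=00:01:38 devname=### id=### type=traffic subtype=allowed src=10.40.13.111 src_port=33214 src_int=\"IN_CECA1022_01\" dst=74.125.132.105 dst_port=80 dst_country=\"United States\" status=accept policyid=20901 service=HTTP proto=6 duration=10 sent=2344 rcvd=55568
date=2014-04-16 time=00:01:39 devname=### id=### type=traffic subtype=allowed src=10.240.10.180 src_port=4463 src_int=\"IN_CECA1022_01\" dst=173.194.40.157 dst_port=443 dst_country=\"United States\" status=accept policyid=20901 service=HTTPS proto=6 duration=241 sent=3501 rcvd=1580
date=2014-04-16 time=00:01:40 devname=### id=### type=traffic subtype=allowed src=10.40.13.111 src_port=33220 src_int=\"IN_CECA1022_01\" dst=74.125.132.105 dst_port=80 dst_country=\"United States\" status=accept policyid=20901 service=HTTP proto=6 duration=10 sent=2344 rcvd=55568
'''
# key=value where the value is either a quoted string (the quotes may carry a
# backslash, as in the pasted sample) or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:\\?"((?:[^"\\]|\\.)*?)\\?"|(\S+))')
INT_FIELDS = {"src_port", "dst_port", "policyid", "proto", "duration",
              "sent", "rcvd", "sent_pkt", "rcvd_pkt"}
REQUIRED = ("date", "time", "type", "src", "dst", "status")


def parse_line(line):
    """Return one event's fields as a dict; numeric fields become ints."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        value = bare if bare else quoted
        fields[key] = int(value) if key in INT_FIELDS else value
    return fields


def parse_log(text):
    """Parse every non-empty line; reject lines lacking fields needed for ingestion."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        event = parse_line(line)
        missing = [k for k in REQUIRED if k not in event]
        if missing:
            raise ValueError(f"line {lineno}: missing field(s) {missing}")
        events.append(event)
    return events


def bytes_per_destination(events):
    """Total sent+rcvd bytes per (dst, dst_port, service) for accepted sessions."""
    totals = defaultdict(int)
    for ev in events:
        if ev["status"] == "accept":
            totals[(ev["dst"], ev["dst_port"], ev["service"])] += ev["sent"] + ev["rcvd"]
    return dict(totals)
```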

You will find a LOT of people willing to help you on this forum. You should add a little more detail and context to your question, to get better responses.
- Posting sanitized samples of the plaintext log can help.
- Noting your current Splunk configuration can help (version, stand-alone or distributed, OS, etc.).
- How are you collecting the logs? (syslog, Splunk forwarder, API, etc.)
- What is your level of familiarity with Splunk?
OK, thanks. But I have an error:
"Your entry was not saved. The following error was reported: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data."
Do you know it?

Maybe you will find something in the links.
