The default stanza in the default/props.conf of the Fortinet Addon contains:
[source::*] #[source::udp:514] TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event SHOULD_LINEMERGE = false
The documentation suggests to change this, which is itself correct.
BUT the default/props.conf stanza cannot be deactivated without modifying the default/props.conf which is not upgrade resilient, and does not corresponds to Splunk best practices.
If someone then update the application when a new version of the addon would have been released, then the default/props.conf will be overwritten and the [source::*] stanza will be activated again.
We have observed data people bad recognized (multi line events threaten as event per line) because the stanza of the addon.
We previously tried to deactivate it in a local/props.conf as following (without modifying the default/props.conf to be upgrade resilient)
[source::*] TRANSFORMS-force_sourcetype_fgt =
But this won't work and still other data has collision with the Fortinet addon.
Only modifying default/props.conf solves the issue.
Please update the Addon configuration.
I have confirmed the issue and we are looking for a solution. It is more of a splunk bug because local is supposed to override default.
In the mean time, could you tell us how the add-on will conflict with your other data, since the add-on uses regex to filter out fortigate logs to process?
I downvoted this post because its a bad idea to have you app contain a stanza so generic in default. its also pretty bad to pass all sources through regex to figure out which is yours. I don't feel it is a splunk issue because overly generic stanzas in an app default will always cause conflicts down the road.
I did notice this and I believe it is all good now I just didn't want someone else to see this one response and get confused. sometimes it can be very tricky with defaults on apps. in any case, Thanks for the reply and explanation!