
Fortinet Fortigate App for Splunk Empty Dashboards

spiced
New Member

I installed the Fortinet FortiGate App 1.5.1 for Splunk as well as the Fortinet FortiGate Add-On 1.6.2 for Splunk and configured the sourcetype in the props.conf file.

After that I restarted the Splunk service. When I open the Fortinet FortiGate App and go to the Fortinet Network Security Overview I have nice dashboards with data.

However, the dashboards such as Traffic and VPN are all empty, even though when I open the corresponding Searches and Reports I have data. Do I need to do something else to get the other dashboards working? I use Splunk 7.3.0.


jerryzhao
Contributor

Did you enable data model acceleration?
5. Enable Data Model Acceleration:
Since version 1.5.0 of the app, data model acceleration is no longer enabled in default/datamodels.conf. The user has to either enable data model acceleration in the Splunk GUI under Settings->Data Models->Fortinet FoS Log,
or, on the Splunk search head where the app is installed, create a "local" folder under $SPLUNK_HOME/etc/apps/SplunkAppForFortinet/ and create a file in this "local" folder named datamodels.conf with the following content:

[ftnt_fos]
acceleration = 1
acceleration.earliest_time = -1mon

https://splunkbase.splunk.com/app/2800/#/details


islam
Explorer

I faced the same issue, and I just added index=xxx at the beginning of the search of each dashboard in the app; then all dashboards worked fine.


Suirand1
Explorer

I installed the Add-on and the FortiGate App for Splunk. Enabled data model acceleration. The "Traffic" dashboard is showing results, however the Overview dashboard is empty. Most of the macro searches are not returning any results. I am ingesting FortiGate logs via SC4S; by default they go to the "netfw" index, SC4S source, fgt_traffic sourcetype.

I also added local/props.conf for the Add-on:

[fortinet]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false

Any ideas why the macros are failing?

BrendanCO
Path Finder

Hello all! I am also having this issue. My FoS data model is accelerated. When I go to the Traffic dashboard, it's all there. When I go to the Overview dashboard, it is blank. Actually, most of the fields are stuck on "waiting for data".

Thoughts?


jerryzhao
Contributor

The Overview dashboard is different from the other dashboards, because the Overview page is for real-time logs. Can you check in Search & Reporting whether the logs are coming in in real time? Are all your servers' times in sync?

BrendanCO
Path Finder

They are indeed coming in in real time. Yes to time sync. It's weird; all of the other dashboards are working.

jerryzhao
Contributor

Can you try running the fgt_logs query for the last 10 minutes in real-time streaming in the Search and Reporting app?
The Overview dashboard runs the same query.

BrendanCO
Path Finder

So do you mean just put 'fgt_logs' in the search field? I don't see anything, either real time or all time, for that.

jerryzhao
Contributor

Please copy the exact string `fgt_logs` and paste it in search. It is not a single quote.

If there is still no result, can you check whether you use a customized index name? Can you check the following:
If a customized index is used for the input, it also needs to be added to the admin user's default authorized list of indexes to search.
In $SPLUNK_HOME/etc/system/local/authorize.conf:

[role_admin]
srchIndexesDefault = fgt;main
srchMaxTime = 8640000

In this example, fgt is the index for my FortiGate log input.

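The two settings this thread ends up turning on (acceleration for the ftnt_fos data model, and the custom index being in the admin role's default search indexes) can be checked from a copy of the two files rather than by eye. This is an added example, not code from the thread, Splunk or Fortinet; the sample .conf text is constructed from the snippets posted above, the index name is passed in by the caller, and wildcard entries in the index lists are treated as shell-style globs (an assumption).

```python
"""Added example, not code from this thread, Splunk or Fortinet: check the two
settings the thread turns on, given datamodels.conf and authorize.conf text
and the index name used for the FortiGate input."""
import configparser
from fnmatch import fnmatch
from typing import List

# Constructed sample text based on the snippets posted in the thread.
DATAMODELS_CONF = """[ftnt_fos]
acceleration = 1
acceleration.earliest_time = -1mon
"""
AUTHORIZE_CONF = """[role_admin]
grantableRoles = admin
srchIndexesAllowed = *;_*;fortinet;main;paloalto;fgt
srchIndexesDefault = main
srchMaxTime = 8640000
"""

def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text; keys stay case-sensitive and may contain dots."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def matches_any(index: str, patterns: List[str]) -> bool:
    """Index lists are ';'-separated; '*' and '_*' are treated as shell-style
    globs here (an assumption, not Splunk's own matcher)."""
    return any(fnmatch(index, p) for p in patterns)

def check_fortigate_setup(datamodels: str, authorize: str, index: str) -> List[str]:
    """Return findings; an empty list means both settings look right."""
    findings = []
    dm = parse_conf(datamodels)
    if dm.get("ftnt_fos", "acceleration", fallback="0") != "1":
        findings.append("ftnt_fos data model acceleration is not enabled")
    au = parse_conf(authorize)
    allowed = au.get("role_admin", "srchIndexesAllowed", fallback="").split(";")
    default = au.get("role_admin", "srchIndexesDefault", fallback="").split(";")
    if not matches_any(index, allowed):
        findings.append(f"index {index!r} is not in srchIndexesAllowed for role_admin")
    if not matches_any(index, default):
        findings.append(f"index {index!r} is not in srchIndexesDefault for role_admin")
    return findings
```

Run against the constructed sample with index "fortigate", it reports only that the index is missing from srchIndexesDefault, which is the case the thread walks through.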

BrendanCO
Path Finder

Sorry for the delay in response. Was laid off for a bit. So when I put in 'fgt_logs' in the search field, I don't get anything. My index is simply called "fortigate". I updated authorize.conf to the following:

[role_admin]
grantableRoles = admin
srchIndexesAllowed = *;_*;fortinet;main;paloalto;fgt
srchIndexesDefault = main
srchMaxTime = 8640000

Do I need to create a new index called fgt_logs?

jerryzhao
Contributor

The fgt_logs macro needs to be put in the query field: `fgt_logs`


spiced
New Member

Thank you @jerryzhao, after I enabled Data Model Acceleration, the dashboards contained the data.
