Solved: Fortinet Fortigate App for Splunk Empty Dashboards

spiced · ‎03-24-2020

I installed the Fortinet FortiGate App 1.5.1 for Splunk as well as the Fortinet FortiGate Add-On 1.6.2 for Splunk and configured the sourcetype in the props.conf file.

After that I restarted the Splunk service. When I open the Fortinet FortiGate App and go to the Fortinet Network Security Overview I have nice dashboards with data.

However the dashboards such as Traffic and VPN are all emtpy, even though when I open the according Searches and Reports I have data. Do I need to do something else to get the other dashboards working? I use Splunk 7.3.0.

jerryzhao · ‎03-24-2020

Did you enable data model acceleration?
5. Enable Data Model Acceleration:
Since version 1.5.0 of the app, data model acceleration is no longer enabled in default/datamodels.conf. User has to either enable data acceleration on Splunk GUI Settings->Data Models->Fortinet FoS Log.
Or on Splunk search head, where the app is installed, create "local" folder under $SPLUNK_HOME/etc/apps/SplunkAppForFortinet/ and create a file in this "local" folder named datamodels.conf with the following content:

[ftnt_fos]
acceleration = 1
acceleration.earliest_time = -1mon

https://splunkbase.splunk.com/app/2800/#/details

View solution in original post

islam · ‎05-31-2021

i faces same issue, and i just added the search of each dashboard on the app with index=xxx at the beginning of the search, then all dashboards worked fine

Suirand1 · ‎02-05-2021

I installed Add-on installed FortigateAPP for splunk. Enabled data model acceleration. "Traffic dashboard" is showing results, however Overview dashboard is empty. Most of the macros searches is not returning any results. I am ingesting fortigate logs via SC4S, by default they goes to "netfw" - index, SC4S-source, fgt_traffic -sourcetype.

I also added local/props.conf for Add-on :

[fortinet]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false

Any ideas why macros are failing?

BrendanCO · ‎05-15-2020

Hello all! I also am having this issue. My FoS data model is accelerated. When I go to the traffic dashboard, it's all there. When I go to the Overview dashboard, it is blank. Actually most of the fields are stuck on "waiting for data".

Thoughts?

jerryzhao · ‎05-15-2020

overview dashboard is different from other dashboards. because overview page is for real time logs. Can you check in search&reporting if the logs are coming in in real time? are all your servers' time in sync?

BrendanCO · ‎05-18-2020

They are indeed coming in in real time. Yes to time sync. It's weird. All of the other dashboards are working.

jerryzhao · ‎05-18-2020

can you try running fgt_logs query for last 10 minutes in real time streaming in search and reporting app?
the overall dashboard runs the same query.

BrendanCO · ‎05-18-2020

So do you mean just put 'fgt_logs' in the search field? i don't see anything, either real time or all time for that

jerryzhao · ‎05-18-2020

please copy exact the string `fgt_logs` and paste in search. it is not single quote.

if there is still no result, can you check whether you use cutomized index name? can you check following:
If a customized index is used for the input, it also needs to be added in admin user's default authorized list of indexes to search.
In $SPLUNK_HOME/etc/system/local/authorize.conf

[role_admin]
srchIndexesDefault = fgt;main
srchMaxTime = 8640000
In this example, fgt is the index for my fortigate log input.

BrendanCO · ‎07-10-2020

Sorry for the delay in response. Was laid off for a bit. So when i put in 'fgt_logs' in the search field, I don't get anything. My index is simply called "fortigate". I updated authorize.conf to the following:

[role_admin]
grantableRoles = admin
srchIndexesAllowed = *;_*;fortinet;main;paloalto;fgt
srchIndexesDefault = main
srchMaxTime = 8640000

Do I need to create a new index called fgt_logs?

jerryzhao · ‎05-18-2020

fgt_logs macro needs to be put in query field: `fgt_logs`

jerryzhao · ‎03-24-2020

Did you enable data model acceleration?
5. Enable Data Model Acceleration:
Since version 1.5.0 of the app, data model acceleration is no longer enabled in default/datamodels.conf. User has to either enable data acceleration on Splunk GUI Settings->Data Models->Fortinet FoS Log.
Or on Splunk search head, where the app is installed, create "local" folder under $SPLUNK_HOME/etc/apps/SplunkAppForFortinet/ and create a file in this "local" folder named datamodels.conf with the following content:

[ftnt_fos]
acceleration = 1
acceleration.earliest_time = -1mon

https://splunkbase.splunk.com/app/2800/#/details

spiced · ‎03-27-2020

Thank you @jerryzhao after I enabled the Data Model Acceleration, the dashboards contained the data.

Fortinet Fortigate App for Splunk Empty Dashboards

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)