I installed the Fortinet FortiGate App 1.5.1 for Splunk as well as the Fortinet FortiGate Add-On 1.6.2 for Splunk and configured the sourcetype in the props.conf file.
After that I restarted the Splunk service. When I open the Fortinet FortiGate App and go to the Fortinet Network Security Overview I have nice dashboards with data.
However, the dashboards such as Traffic and VPN are all empty, even though when I open the corresponding Searches and Reports I have data. Do I need to do something else to get the other dashboards working? I use Splunk 7.3.0.
Did you enable data model acceleration?
5. Enable Data Model Acceleration:
Since version 1.5.0 of the app, data model acceleration is no longer enabled in default/datamodels.conf. The user has to either enable data model acceleration in the Splunk GUI under Settings->Data Models->Fortinet FoS Log,
or, on the Splunk search head where the app is installed, create a "local" folder under $SPLUNK_HOME/etc/apps/SplunkAppForFortinet/ and create a file in this "local" folder named datamodels.conf with the following content:
[ftnt_fos]
acceleration = 1
acceleration.earliest_time = -1mon
I faced the same issue, and I just added index=xxx at the beginning of the search of each dashboard in the app; then all dashboards worked fine.
I installed the Add-on and installed the FortiGate App for Splunk. Enabled data model acceleration. The "Traffic dashboard" is showing results, however the Overview dashboard is empty. Most of the macro searches are not returning any results. I am ingesting FortiGate logs via SC4S; by default they go to the "netfw" index, SC4S source, fgt_traffic sourcetype.
I also added local/props.conf for the Add-on:
[fortinet]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false
Any ideas why macros are failing?
Hello all! I also am having this issue. My FoS data model is accelerated. When I go to the traffic dashboard, it's all there. When I go to the Overview dashboard, it is blank. Actually most of the fields are stuck on "waiting for data".
Thoughts?
The Overview dashboard is different from the other dashboards, because the Overview page is for real-time logs. Can you check in Search & Reporting whether the logs are coming in in real time? Are all your servers' times in sync?
They are indeed coming in in real time. Yes to time sync. It's weird. All of the other dashboards are working.
Can you try running the `fgt_logs` query for the last 10 minutes in real-time streaming in the Search & Reporting app? The Overview dashboard runs the same query.
So do you mean just put 'fgt_logs' in the search field? I don't see anything, either real time or all time, for that.
Please copy exactly the string `fgt_logs` and paste it into the search. It is not a single quote.
If there is still no result, can you check whether you use a customized index name? Can you check the following:
If a customized index is used for the input, it also needs to be added in admin user's default authorized list of indexes to search.
In $SPLUNK_HOME/etc/system/local/authorize.conf
[role_admin]
srchIndexesDefault = fgt;main
srchMaxTime = 8640000
In this example, fgt is the index for my FortiGate log input.
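The two checks discussed in this thread (the ftnt_fos data model must be accelerated since app 1.5.0, and a custom index must be in the role's srchIndexesDefault or searches without an explicit index= never reach it) can be scripted against the .conf files on the search head. The following is an added example, not code from the thread or from the Fortinet app; the function names are hypothetical, the sample conf contents are constructed to mirror the misconfiguration above, and it uses Python's configparser as an approximation of Splunk's .conf syntax (it reads one file at a time and does not merge default/ and local/ the way `splunk btool` does).

```python
"""Added example: flag the two misconfigurations behind empty FortiGate
dashboards, read straight from Splunk-style .conf text.
  (1) datamodels.conf: [ftnt_fos] acceleration not enabled
  (2) authorize.conf: FortiGate index not in the role's srchIndexesDefault
Splunk .conf files are INI-style, so configparser handles them."""
import configparser
import fnmatch
from typing import List

# Constructed sample files (not real output): acceleration left at the
# post-1.5.0 app default (off), and an index "fortigate" that is allowed
# for the admin role but not in its default search list.
SAMPLE_DATAMODELS_CONF = """
[ftnt_fos]
acceleration = 0
"""

SAMPLE_AUTHORIZE_CONF = """
[role_admin]
grantableRoles = admin
srchIndexesAllowed = *;_*;fortinet;main;paloalto;fgt
srchIndexesDefault = main
srchMaxTime = 8640000
"""


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse .conf text. Keys stay case-sensitive (srchIndexesDefault) and
    values like $SPLUNK_HOME are not interpolated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _to_bool(value: str) -> bool:
    return value.strip().lower() in ("1", "true", "t", "yes", "y", "on")


def datamodel_accelerated(datamodels_text: str, stanza: str = "ftnt_fos") -> bool:
    """True only if the stanza exists and acceleration is switched on."""
    cp = parse_conf(datamodels_text)
    if not cp.has_section(stanza):
        return False  # app default since 1.5.0: not accelerated
    return _to_bool(cp.get(stanza, "acceleration", fallback="0"))


def _index_matches(index: str, patterns: str) -> bool:
    """Splunk index lists are ';'-separated and allow globs such as '*' and '_*'."""
    return any(fnmatch.fnmatchcase(index, p.strip())
               for p in patterns.split(";") if p.strip())


def _role_value(authorize_text: str, role: str, key: str) -> str:
    cp = parse_conf(authorize_text)
    return cp.get(role, key, fallback="") if cp.has_section(role) else ""


def index_allowed(authorize_text: str, index: str, role: str = "role_admin") -> bool:
    return _index_matches(index, _role_value(authorize_text, role, "srchIndexesAllowed"))


def index_in_default_search(authorize_text: str, index: str, role: str = "role_admin") -> bool:
    return _index_matches(index, _role_value(authorize_text, role, "srchIndexesDefault"))


def check_fortigate_setup(datamodels_text: str, authorize_text: str,
                          index: str, role: str = "role_admin") -> List[str]:
    """Return findings as strings; an empty list means both checks passed."""
    findings = []
    if not datamodel_accelerated(datamodels_text):
        findings.append("ftnt_fos data model is not accelerated: "
                        "set acceleration = 1 in local/datamodels.conf")
    if not index_allowed(authorize_text, index, role):
        findings.append(f"index {index!r} is not in srchIndexesAllowed for {role}")
    elif not index_in_default_search(authorize_text, index, role):
        findings.append(f"index {index!r} is allowed but not in srchIndexesDefault "
                        f"for {role}: searches without index= will not see it")
    return findings


if __name__ == "__main__":
    for finding in check_fortigate_setup(SAMPLE_DATAMODELS_CONF,
                                         SAMPLE_AUTHORIZE_CONF, "fortigate"):
        print(finding)
```

On a real search head, feed it the contents of $SPLUNK_HOME/etc/apps/SplunkAppForFortinet/local/datamodels.conf and $SPLUNK_HOME/etc/system/local/authorize.conf (or, better, the merged view from `splunk btool datamodels list --app=SplunkAppForFortinet` and `splunk btool authorize list`). Note that `srchIndexesAllowed = *` makes the index searchable with an explicit index=, which is why adding index=xxx to each dashboard search also "fixes" the dashboards; adding the index to srchIndexesDefault fixes the macro-based searches without editing the app.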
Sorry for the delay in response. Was laid off for a bit. So when I put in 'fgt_logs' in the search field, I don't get anything. My index is simply called "fortigate". I updated authorize.conf to the following:
[role_admin]
grantableRoles = admin
srchIndexesAllowed = *;_*;fortinet;main;paloalto;fgt
srchIndexesDefault = main
srchMaxTime = 8640000
Do I need to create a new index called fgt_logs?
The fgt_logs macro needs to be put in the query field as: `fgt_logs`
Thank you @jerryzhao, after I enabled the Data Model Acceleration the dashboards contained the data.