I installed the Fortinet FortiGate App 1.5.1 for Splunk as well as the Fortinet FortiGate Add-On 1.6.2 for Splunk and configured the sourcetype in the props.conf file.
After that I restarted the Splunk service. When I open the Fortinet FortiGate App and go to the Fortinet Network Security Overview I have nice dashboards with data.
However the dashboards such as Traffic and VPN are all emtpy, even though when I open the according Searches and Reports I have data. Do I need to do something else to get the other dashboards working? I use Splunk 7.3.0.
Did you enable data model acceleration?
5. Enable Data Model Acceleration:
Since version 1.5.0 of the app, data model acceleration is no longer enabled in default/datamodels.conf. User has to either enable data acceleration on Splunk GUI Settings->Data Models->Fortinet FoS Log.
Or on Splunk search head, where the app is installed, create "local" folder under $SPLUNK_HOME/etc/apps/SplunkAppForFortinet/ and create a file in this "local" folder named datamodels.conf with the following content:
acceleration = 1
acceleration.earliesttime = -1mon
Hello all! I also am having this issue. My FoS data model is accelerated. When I go to the traffic dashboard, it's all there. When I go to the Overview dashboard, it is blank. Actually most of the fields are stuck on "waiting for data".
overview dashboard is different from other dashboards. because overview page is for real time logs. Can you check in search&reporting if the logs are coming in in real time? are all your servers' time in sync?
They are indeed coming in in real time. Yes to time sync. It's weird. All of the other dashboards are working.
can you try running
fgt_logs query for last 10 minutes in real time streaming in search and reporting app?
the overall dashboard runs the same query.
So do you mean just put 'fgt_logs' in the search field? i don't see anything, either real time or all time for that
please copy exact the string `fgt_logs` and paste in search. it is not single quote.
if there is still no result, can you check whether you use cutomized index name? can you check following:
If a customized index is used for the input, it also needs to be added in admin user's default authorized list of indexes to search.
srchIndexesDefault = fgt;main
srchMaxTime = 8640000
In this example, fgt is the index for my fortigate log input.