
Fortinet Fortigate App for Splunk: When I run a search, I can see events, but why am I unable to see data in any dashboards?

Path Finder

Hello!

I am using the Fortinet Fortigate App for Splunk and I am unable to see any data in Fortigate dashboards.
When I perform a search in the app, I can see the events.
What do I have to check in order to see data in dashboards?

Thanks in advance
Vadim


Explorer

We have this problem too; the Fortinet App shows no data being populated. Is there a fix for this?

Here is the beginning of my props.conf file in 'C:\Program Files\Splunk\etc\apps\SplunkTAfortinet_fortigate\default'

[Fortinet]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false


Contributor

Do you have "Fortinet" in your input config as the sourcetype of the FortiGate logs, since you reference it here in props.conf?


Explorer

@jerryzhao,

I have one data input on port 1514/UDP and the sourcetype name is 'Fortinet'. Our regular search/reporting is working fine with the incoming syslog.

I installed the 'Fortinet FortiGate App for Splunk' ver. 1.4 and 'Fortinet Fortigate Add-on for Splunk' ver. 1.4. The only other change I made was to the first section of this file: 'C:\Program Files\Splunk\etc\apps\SplunkTAfortinet_fortigate\default\props.conf'

[Fortinet]
    TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
    SHOULD_LINEMERGE = false

Currently I see no data in the Fortigate app; it shows 0 for device|virtual domain|session.

If I click on search within the device block, it brings me to a search with no results, using the search string: fgt_logs | stats dc(devid)

Can someone help us get this working?

Thank you in advance,
Lee

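The dependency Lee's post exposes is that the dashboards do not search the raw 'Fortinet' input sourcetype at all: the device panel runs `fgt_logs | stats dc(devid)`, and `fgt_logs` only sees events that the `TRANSFORMS-force_sourcetype_fgt` chain has already rewritten to an `fgt_*` sourcetype at index time. The Python script below is an added illustration, not code from this thread or from Fortinet's add-on. It models that routing step: the `[Fortinet]` props stanza quoted above decides which events go through the chain, each transform keys on the `type=` field (the regexes are my assumption of the add-on's rules, not copied from it), and `fgt_logs` is assumed to be an eventtype covering the `fgt_traffic`, `fgt_utm` and `fgt_event` sourcetypes. The sample syslog lines are constructed, not captured data.

```python
import re

# Constructed FortiGate syslog samples (made up for this illustration); each
# tuple is (sourcetype assigned by the data input, raw event).
SAMPLE_EVENTS = [
    ("Fortinet", 'date=2015-06-01 time=10:00:01 devname=FGT60D devid=FGT60D0000000001 '
                 'logid=0000000013 type=traffic subtype=forward level=notice vd=root '
                 'srcip=10.0.0.5 dstip=198.51.100.7 action=accept'),
    ("Fortinet", 'date=2015-06-01 time=10:00:02 devname=FGT60D devid=FGT60D0000000001 '
                 'logid=0419016384 type=utm subtype=ips level=alert vd=root '
                 'srcip=203.0.113.9 dstip=10.0.0.5 action=dropped'),
    ("Fortinet", 'date=2015-06-01 time=10:00:03 devname=FGT60D devid=FGT60D0000000001 '
                 'logid=0100032001 type=event subtype=system level=information vd=root '
                 'logdesc="Admin login successful" user="admin" status=success'),
    # Same device, but with the field values quoted (a format variant to tolerate).
    ("Fortinet", 'date=2015-06-01 time=10:00:04 devname=FGT60D devid=FGT60D0000000001 '
                 'logid=0000000013 type="traffic" subtype="forward" vd="root" action="deny"'),
    # A second firewall whose input was left at the default "syslog" sourcetype:
    # no [Fortinet] stanza applies, so it never becomes an fgt_* event.
    ("syslog",   'date=2015-06-01 time=10:00:05 devname=FGT100D devid=FGT100D00000002 '
                 'logid=0000000013 type=traffic subtype=forward vd=root action=accept'),
]

# Index-time rules modelled on the props.conf stanza quoted in the thread.
# The TRANSFORMS chain runs only for events whose input sourcetype matches a stanza.
PROPS = {
    "Fortinet": ["force_sourcetype_fgt_traffic",
                 "force_sourcetype_fgt_utm",
                 "force_sourcetype_fgt_event"],
}

# Assumed shape of the add-on's transforms.conf entries: a REGEX on the type=
# field with DEST_KEY = MetaData:Sourcetype and FORMAT = sourcetype::fgt_<type>.
# These regexes are assumptions for this example, not copied from the add-on.
TRANSFORMS = {
    "force_sourcetype_fgt_traffic": (re.compile(r'\btype="?traffic"?'), "fgt_traffic"),
    "force_sourcetype_fgt_utm":     (re.compile(r'\btype="?utm"?'),     "fgt_utm"),
    "force_sourcetype_fgt_event":   (re.compile(r'\btype="?event"?'),   "fgt_event"),
}

# Assumed definition of the fgt_logs eventtype: the union of the fgt_* sourcetypes.
FGT_SOURCETYPES = {"fgt_traffic", "fgt_utm", "fgt_event"}

DEVID_RE = re.compile(r'\bdevid="?([^\s"]+)"?')


def route_sourcetype(input_sourcetype, raw, props=PROPS):
    """Return the sourcetype the event carries after index-time transforms.

    Every transform listed in the matching props stanza is applied in order and
    the last matching rewrite wins; an input sourcetype with no stanza is kept."""
    sourcetype = input_sourcetype
    for name in props.get(input_sourcetype, []):
        regex, new_sourcetype = TRANSFORMS[name]
        if regex.search(raw):
            sourcetype = new_sourcetype
    return sourcetype


def fgt_logs(events, props=PROPS):
    """Emulate `eventtype=fgt_logs`: routed events whose sourcetype is fgt_*."""
    routed = [(route_sourcetype(st, raw, props), raw) for st, raw in events]
    return [(st, raw) for st, raw in routed if st in FGT_SOURCETYPES]


def device_count(events, props=PROPS):
    """Emulate the dashboard panel's `fgt_logs | stats dc(devid)`."""
    devids = set()
    for _, raw in fgt_logs(events, props):
        m = DEVID_RE.search(raw)
        if m:
            devids.add(m.group(1))
    return len(devids)


if __name__ == "__main__":
    for st, raw in SAMPLE_EVENTS:
        print(f"{st:9s} -> {route_sourcetype(st, raw)}")
    print("devices seen by the dashboard:", device_count(SAMPLE_EVENTS))
    # With the [Fortinet] stanza missing, or named differently from the input
    # sourcetype, nothing is rewritten and the device panel shows 0.
    print("devices with no matching props stanza:", device_count(SAMPLE_EVENTS, props={}))
```

Running it shows the split Lee is seeing from the other side: the four events on the 'Fortinet' sourcetype are rewritten and counted as one device, the FGT100D event on 'syslog' is searchable by a plain search but invisible to `fgt_logs`, and with no stanza matching the input sourcetype the device count drops to 0. The practical check is therefore `index=<your index> | stats count by sourcetype`: if everything still reports the input sourcetype and no `fgt_*` values appear, the props/transforms chain is not being applied to that input.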

SplunkTrust

You're responding to a question that is more than a year old. You'll probably have better luck posting a new question.

---
If this reply helps you, an upvote would be appreciated.

Explorer

Thank you for responding @richgalloway. I will start a new thread if I don't get the answers I need in this thread.



Contributor

Did you install the add-on?
Could you show me what your input config looks like, and a screenshot of the logs you are seeing in search?
Which FortiGate app and add-on versions are you using?


Communicator

Hey Vadim - the 'Splunk for Fortigate' app is very old and was made for Splunk 5.0. If you are using the latest version of Splunk, you had better use 'Fortinet FortiGate App for Splunk'. Configure it on port 514 for syslog and it will start collecting the data and reflect it on the dashboards.

Hope this will help. Thanks


Path Finder

Hi,
thanks for the quick reply.
I am using Fortinet FortiGate App for Splunk and my Splunk version is 6.2.3, listening on port 512, and still no data.


Communicator

OK Vadim. As you mentioned, the data is coming in and can be fetched in searches, so the dashboards should ideally populate the information. If this is not happening, then the probable cause is something that is making the searches slow. Have a look at
(a) how many searches are running concurrently in the background,
(b) bottlenecks: whether the CPU or any other system resource is too busy/spiking, e.g. are you using a VM for the search head.

Saurabh

Path Finder

Hello,
I am using a regular workstation with Splunk on it.
I got this error in the Messages section: The maximum number of real-time concurrent system-wide searches has been reached. current=8 maximum=8


Communicator

Okay. Regarding this error message: the Splunk search limit has been reached, and that is why it is giving that error.
Try stopping some less important running searches from the Job activity tracker in Splunk and then see.

When I tried the same thing last month directly in the prod environment, the dashboards got populated, but now I am using some historic data (not the stream) in another environment and I am facing the same issue.

Let me know whether you found a solution for this. If yes, what is it?


Communicator

Hi @lguinn [Splunk], I saw that you understand this well in your other Fortinet-related Splunk answer. I would appreciate it if you could please guide us on this issue. Thanks in advance.
