
Fortinet Fortigate App for Splunk: When I run a search, I can see events, but why am I unable to see data in any dashboards?

Path Finder

Hello!

I am using the Fortinet Fortigate App for Splunk and I am unable to see any data in Fortigate dashboards.
When I perform a search in the app, I can see the events.
What do I have to check in order to see data in dashboards?

Thanks in advance
Vadim


Re: Fortinet Fortigate App for Splunk: When I run a search, I can see events, but why am I unable to see data in any dashboards?

Communicator

Hey Vadim - the 'Splunk for Fortigate' app is very old and was made for Splunk 5.0. If you are using the latest version of Splunk, you had better use 'Fortinet FortiGate App for Splunk'. Configure it on port 514 for syslog and it will start collecting the data and reflecting it on the dashboards.

Hope this will help. Thanks.


Re: Fortinet Fortigate App for Splunk: When I run a search, I can see events, but why am I unable to see data in any dashboards?

Path Finder

Hi.
Thanks for the quick reply.
I am using Fortinet FortiGate App for Splunk and my Splunk version is 6.2.3, listening on port 512, and still no data..


Re: Fortinet Fortigate App for Splunk: When I run a search, I can see events, but why am I unable to see data in any dashboards?

Communicator

OK Vadim. As you mentioned that data is coming in and can be fetched under searches, the dashboards should ideally populate the information. If this is not happening, then the probable cause is something that is making searching slow. Have a look at
(a) how many searches are running concurrently in the background,
(b) bottlenecks - whether the CPU or any other system resource is too busy/spiking, e.g. are you using a VM for the search head?

  • Saurabh

Re: Fortinet Fortigate App for Splunk: When I run a search, I can see events, but why am I unable to see data in any dashboards?

Path Finder

Hello,
I am using a regular workstation with Splunk on it..
I got this error in the Messages section: The maximum number of real-time concurrent system-wide searches has been reached. current=8 maximum=8


Re: Fortinet Fortigate App for Splunk: When I run a search, I can see events, but why am I unable to see data in any dashboards?

Communicator

Okay. So regarding this error message, the Splunk search limit has been reached, and that's why it's giving that error.
Try stopping some less important 'running' searches from the Job activity tracker in Splunk and then see.

When I tried the same thing last month in a direct prod env, the dashboards got populated, but now I am using some historic data (not the stream) on another env and I am facing the same issue.

Let me know whether you got some solution for this or not. If yes, what is it?

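The "current=8 maximum=8" message quoted above comes from the search concurrency settings in limits.conf. As an added illustration (not from this thread, the Fortinet app, or Splunk's own files), here is how the Splunk defaults arrive at 8 on a 2-core workstation (the core count is an assumption) and what a local override would look like; every open real-time dashboard panel holds one of those slots, so converting panels to scheduled searches is the more durable fix than raising the multiplier.

```ini
# $SPLUNK_HOME/etc/system/local/limits.conf  (added example, not from the thread)
#
# Splunk computes its concurrent search limits from these [search] settings.
# The values below are the Splunk defaults; the 2-core count is an assumption.
#
#   historical limit = max_searches_per_cpu * CPU_cores + base_max_searches
#                    = 1 * 2 + 6 = 8
#   real-time limit  = max_rt_search_multiplier * historical limit
#                    = 1 * 8 = 8      -> "current=8 maximum=8"
#
# Each real-time dashboard panel that is open in a browser holds a real-time
# slot until it is closed, which is why several dashboard users can exhaust
# the pool on a small search head while plain ad hoc searches still run.
[search]
max_searches_per_cpu = 1
base_max_searches = 6

# Raising the multiplier only buys headroom; it does not reduce the load the
# real-time panels place on the search head. Prefer scheduling the panel
# searches and leave this at the default unless the box has spare CPU.
max_rt_search_multiplier = 1
```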

Re: Fortinet Fortigate App for Splunk: When I run a search, I can see events, but why am I unable to see data in any dashboards?

Communicator

Hi @lguinn [Splunk], I saw that you understand it well in your other Fortinet-related Splunk answer. I would appreciate it if you could please guide us on this issue. Thanks in advance.


Re: Fortinet Fortigate App for Splunk: When I run a search, I can see events, but why am I unable to see data in any dashboards?

Contributor

Did you install the add-on?
Could you show me what your input config looks like, and a screenshot of the logs you are seeing in search?
What FortiGate app and add-on versions are you using?


Re: Fortinet Fortigate App for Splunk: When I run a search, I can see events, but why am I unable to see data in any dashboards?

Explorer

We have this problem too; the Fortinet App shows no data being populated. Is there a fix for this?

Here is the beginning of my props.conf file in 'C:\Program Files\Splunk\etc\apps\SplunkTAfortinet_fortigate\default'

[Fortinet]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false


Re: Fortinet Fortigate App for Splunk: When I run a search, I can see events, but why am I unable to see data in any dashboards?

SplunkTrust

You're responding to a question that is more than a year old. You'll probably have better luck posting a new question.

---
If this reply helps you, an upvote would be appreciated.