Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Create Splunk Alert for fortinet VPN tunnel status

mufthmu
Path Finder
‎08-03-2020 08:14 PM

Hi fellow Splunkers,

I want to create alert with these conditions:

  1. alert triggered when any of the VPNs go down.
  2. alert triggered when someone brings down the tunnel.

Thanks in advance

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-04-2020 05:51 AM
Do you have VPN and tunnel states logged in Splunk? If not, there is nothing you can do until that data is available. If you have the data, search the appropriate index(es) for events showing a down VPN or tunnel. Then save the search as an alert.
I'd like to be more specific, but vague questions beget vague answers.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mufthmu
Path Finder
‎08-04-2020 08:42 AM

@richgalloway yes I do, we have events coming in (assume index=fortinet).

However, I do not know how to write specific search query that can capture an event when the VPN is down. Also if I simply search "index = fortinet", how do you narrow the search to find events that shows a down VPN or tunnel? I could not find those events.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-04-2020 09:40 AM

This is when it helps to understand your data.  If you're not familiar with the Fortinet logs I suggest you reach out to someone in your company who is familiar with them so he or she can tell you what to look for.

Some basic searches to get started include looking for the word "down"

index=fortinet "down"

or the name of a VPN or tunnel

index=fortinet "<VPN or tunnel name>"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...