Getting Data In

Trouble getting data into Fortigate app

rogerv
New Member

Hi

Running a FortiGate 80C with v4.0 MR3. I've downloaded and installed the FortiGate Splunk app but I'm having trouble getting data into it. I can see data coming into Splunk from the FortiGate via Manager > Apps > Search. I seem to have one source called fortigate, with the data labelled as
host=machinename, sourcetype=fortigate, source=fortigate, etc. This input keeps growing, so information is getting in, but it just doesn't seem to be indexed properly for the Splunk FortiGate app.

The inputs.conf is as follows:

[udp://514]
# connection_host only accepts ip, dns or none; it says how the host field
# is filled in (here: the sender's IP address), not which sender is allowed
connection_host = ip
sourcetype = fortigate
no_appending_timestamp = true

I'm fairly new to Splunk, so I've probably got something not configured or misconfigured. Can somebody help?

0 Karma

saurabh_tek
Communicator

Hello Splunkers,

I am facing the same issue. I have the Fortinet logs indexed into a single instance of Splunk and can see the events in search as index=fortinet_data_index, but the Fortinet app is not showing the dashboard. Sometimes it says 'waiting for data...' and at other times it shows "fgt_logs" in the dashboard.

I am using 'Fortinet FortiGate Add-On for Splunk' and 'Fortinet FortiGate App for Splunk' on both the machines.

Please suggest why the logs are not detected in the dashboards of the Fortinet app when they are visible in search with source=fortinet.

Any lead in this direction will be appreciated.

  • Saurabh
0 Karma

sirajnp
Path Finder

Splunkers,

I faced the same issue, but managed to resolve it.

0 Karma

hojinpk
New Member

Hi Maik, did you solve the problem? I am suffering from the same problem. Help me, don't leave me alone. Thank you in advance.

0 Karma

maikfischer
Engager

Hi,

It seems that I am having the same trouble as rogerv (by the way: is it solved? how?).

Logging from e.g. a FortiGate 60C, v4.3, to Splunk (I had to work with props.conf and transforms.conf, as there are multiple devices sending logs to udp/514).

"search sourcetype=fortigate*" shows events, but only sourcetype=fortigate, no sourcetypes like fortigate_traffic or similar.

On the FortiGates, "Enable CSV Format" is unchecked...

Any ideas?

regards,

Maik

0 Karma
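The kind of props.conf/transforms.conf pairing maikfischer refers to, written out here as an added illustration (it is not taken from the thread or from the Fortinet app/add-on): one udp:514 listener receives several syslog senders, so the sourcetype is set at index time per sender host, and FortiGate key=value events are then split further by their type= field so that events land under a sourcetype such as fortigate_traffic. The sender address 192.0.2.10, the generic syslog sourcetype on the input, and the fortigate_<type> naming are assumptions; the sourcetype names the installed app actually searches for must be taken from that app's own props.conf and saved searches.

```ini
# inputs.conf (assumed): one listener for every syslog sender. The sourcetype
# stays generic here; props/transforms decide per sender. connection_host = ip
# matters because the host:: stanza below keys off the sender's IP address.
[udp://514]
connection_host = ip
sourcetype = syslog
no_appending_timestamp = true

# props.conf: one stanza per FortiGate (assumed address). Transforms run in
# the listed order, so the type-based split can override the generic value.
[host::192.0.2.10]
TRANSFORMS-fgt = fgt_set_sourcetype, fgt_split_by_type

# transforms.conf
# Everything from this sender becomes sourcetype=fortigate.
[fgt_set_sourcetype]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::fortigate

# Key=value bodies carry e.g. "type=traffic subtype=forward"; this only works
# when "Enable CSV Format" is off on the FortiGate, as the thread notes.
# Assumed naming: fortigate_traffic, fortigate_event, ...
[fgt_split_by_type]
REGEX = \btype=(\w+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::fortigate_$1
```

Two things to check after deploying this: index-time transforms only apply to events indexed after the restart, so events already stored as sourcetype=fortigate stay that way and the dashboards will look empty until new data arrives; and `sourcetype=fortigate* | stats count by host, sourcetype` over the last few minutes shows quickly whether the split is happening and whether the names line up with what the app's searches expect.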

wesleyveloso
New Member

On the fortigate uncheck the box "Enable CSV Format"

0 Karma

dart
Splunk Employee

Hi, do you have an example of what's not working? If you just run a search for sourcetype=fortigate, what fields are displayed on the left hand side?

0 Karma