Getting Data In

Why is Fortinet sourcetype renaming not working?

aamer86
Path Finder

Hi, 

I have clustered multi-site indexing architecture with search head cluster. 

I am getting the fortinet logs as below: 

Fortinet ==> Syslog ==> HF monitor the logs >> Indexers (index discovery)

I installed the fortinet add-on on all indexers and searchheads 
I still see logs coming under the sourcetype I defined in the inputs.conf for monitoring 

I added below a list of apps I pushed to Peers and SHs

@fortinet  @fortinet1  

Screenshot 2022-02-18 at 22.00.40.pngScreenshot 2022-02-18 at 22.01.08.png

Labels (3)
0 Karma
1 Solution

aamer86
Path Finder

Thanks @richgalloway  installing the Add-On on the HF fixed it 

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

1.  How are you trying to rename the sourcetype?

2. The TAs should be installed on the HF, too.

---
If this reply helps you, Karma would be appreciated.

aamer86
Path Finder

Thanks @richgalloway  installing the Add-On on the HF fixed it 

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...