Getting Data In

Why is Fortinet sourcetype renaming not working?

aamer86
Path Finder

Hi, 

I have clustered multi-site indexing architecture with search head cluster. 

I am getting the fortinet logs as below: 

Fortinet ==> Syslog ==> HF monitor the logs >> Indexers (index discovery)

I installed the fortinet add-on on all indexers and searchheads 
I still see logs coming under the sourcetype I defined in the inputs.conf for monitoring 

I added below a list of apps I pushed to Peers and SHs

@fortinet  @fortinet1  

Screenshot 2022-02-18 at 22.00.40.pngScreenshot 2022-02-18 at 22.01.08.png

Labels (3)
0 Karma
1 Solution

aamer86
Path Finder

Thanks @richgalloway  installing the Add-On on the HF fixed it 

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

1.  How are you trying to rename the sourcetype?

2. The TAs should be installed on the HF, too.

---
If this reply helps you, Karma would be appreciated.

aamer86
Path Finder

Thanks @richgalloway  installing the Add-On on the HF fixed it 

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...