Splunk Enterprise Security

Fortinet FortiGate APP: Data from different indexers and sources

venkasplunk
New Member

Hi all,

I have gone through Splunk Answers and tried quite a few options in setting up the Fortinet FortiGate app. Still not successful. Please help me with some more guidance.

1) My requirement is to get those beautiful dashboards already set up by the FortiGate App.
2) Logs from my Forti solutions are going into different sourcetypes and indexes.
3) How do I map them to the FortiGate app? Below are my configs.

Anything I am missing here?

My inputs.conf (etc/apps/Splunk_TA_fortinet_fortigate/local)

sourcetype = XXX

props.conf

[XXX]
TRANSFORMS-force_sourcetype_fgt = fortigate
SHOULD_LINEMERGE = false

...........

transforms.conf

sourcetype

[fortigate]
DEST_KEY = MetaData:Sourcetype
REGEX = fortigate
FORMAT = sourcetype::fortigate


vinod94
Contributor

dyude @venkasplunk ,

You will have to change the predefined macros and eventtypes. Open the search of the panel, search the macros and eventtypes, and change them to your index and sourcetype!

Hope this helps!

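As an added illustration of the macro/eventtype override described in this answer (example configuration, not from the post or from the Fortinet app itself), assume the app's panels call a macro named `fortigate_index` and an eventtype named `fortigate_traffic`; the real stanza names must be copied from the app's default/macros.conf and default/eventtypes.conf, and `my_forti_index` / `XXX` stand in for the asker's own index and sourcetype.

```ini
# $SPLUNK_HOME/etc/apps/<fortigate_app>/local/macros.conf
# Hypothetical macro name: copy the real stanza header from default/macros.conf.
# Overrides in local/ take precedence over default/ and survive app upgrades,
# so never edit default/ directly.
[fortigate_index]
definition = index=my_forti_index

# $SPLUNK_HOME/etc/apps/<fortigate_app>/local/eventtypes.conf
# Hypothetical eventtype name: point it at the sourcetype the data actually has.
# type=traffic is the FortiGate key=value log category field (assumed present).
[fortigate_traffic]
search = index=my_forti_index sourcetype=XXX type=traffic

# Note: the index-time TRANSFORMS sourcetype rewrite shown in the question only
# takes effect on the parsing tier (indexer or heavy forwarder) and only for
# data indexed after a restart; the search-time overrides above also apply to
# data that is already indexed.
```

Confirm which file wins with `splunk btool macros list fortigate_index --debug` (and the same for `eventtypes`) before reloading the dashboards.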


kagamalai
Explorer

Hi, I am able to view the following dashboards, but not all of them.

Working Dashboards

1. Fortinet Security Overall

2. Traffic Dashboard

3. Event Dashboard

4. VPN Dashboard

Not working Dashboards

1. Threat Dashboards

2. Authentication Dashboard

If anyone knows the solution, please let me know so I can fix it.


venkasplunk
New Member

This is awesome; I am able to find beautiful graphs and dashboards. Thanks a lot.
