Splunk can only report on the events that it is sent. Fortinet is not necessarily misconfigured, it is just configured in a way that is not raising the information that you would like to report on. It may be that the feasible way to get what you want is to use the Fortinet information to identify who, and use other DNS or proxy data to identify when and how long. ... View more

We have upgraded to Fortinet 5.2.9 and I am still not seeing any data in the Splunk App Fortinet FortiGate App for Splunk. However, we do see the syslogs under Splunk Search & Reporting. We only have one props.conf file under: C:\Program Files\Splunk\etc\apps\SplunkAppForFortinet\local Here is the first 4 lines of the props.conf file, the remaining lines are untouched/default: [source::*] [fortigate] TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event SHOULD_LINEMERGE = false Can someone help us get this working? Thank you, Lee ... View more

Thanks @jerryzhao . The events are visible after the add-on is installed on indexers. ... View more

I posted a new question thread here: https://answers.splunk.com/answers/504256/fortinet-fortigate-app-for-splunk-not-showing-data.html Thanks, Lee ... View more

The browsing time by user from the Fortinet FortiAnalyzer, which my vendor ran for me does not even come close to the Splunk browse time results I am getting. Fortinet FortiAnalyzer Report: Splunk browse time results for same user and same day: Is there a way to get this corrected in Splunk? ... View more