Firstly, thank you for all the hard work you've put into this awesome project! The included dashboards are fantastic!
I'm having an issue with the Transforms. Out of the four included transforms, three of them will crash immediately after starting.
I'm on Elasticsearch 8.18. Fortigates are all on 7.4.7 and 7.4.8 and running the required rfc5424 syslogging. Ingest seems to be working great otherwise.
This is the message they leave when they fail:
Message
2025-09-18 12:59:33 lme-elasticsearch Failed to index documents into destination index due to permanent error: [org.elasticsearch.xpack.transform.transforms.BulkIndexingException: Bulk index experienced [1530] failures and at least 1 irrecoverable [unable to parse date [1758225240000]]. Other failures: [IngestProcessorException] message [org.elasticsearch.ingest.IngestProcessorException: java.lang.IllegalArgumentException: unable to parse date [1758225240000]]; java.lang.IllegalArgumentException: unable to parse date [1758225240000]]
It seems rather straightforward, it's having an issue parsing the date, but I'm just clueless as to why or how I can fix it.
Strangely, out of the four, transforms-fortinet.fortigate.traffic.forward.policy.inbound_1m will run, and the rest of them will not. However, this one doesn't actually seem to be transforming anything, as the target index is still empty after running for a few weeks. Here are the stats:
On the contrary, each of the transforms that crash do seem to be working for a few seconds before crashing:
All four indices sit empty.
Any guidance would be appreciated!
Firstly, thank you for all the hard work you've put into this awesome project! The included dashboards are fantastic!
I'm having an issue with the Transforms. Out of the four included transforms, three of them will crash immediately after starting.
I'm on Elasticsearch 8.18. Fortigates are all on 7.4.7 and 7.4.8 and running the required rfc5424 syslogging. Ingest seems to be working great otherwise.
This is the message they leave when they fail:
It seems rather straightforward, it's having an issue parsing the date, but I'm just clueless as to why or how I can fix it.
Strangely, out of the four, transforms-fortinet.fortigate.traffic.forward.policy.inbound_1m will run, and the rest of them will not. However, this one doesn't actually seem to be transforming anything, as the target index is still empty after running for a few weeks. Here are the stats:
On the contrary, each of the transforms that crash do seem to be working for a few seconds before crashing:
All four indices sit empty.
Any guidance would be appreciated!