Description
This KB describes a common issue using star/asterisks '*' instead of specific field names in queries.
The query engine for the FortiAnalayzer processes DataSet by caching queries from reports periodically to enable quicker report creation.
The algorithms used rely on the datasets using specific field names, instead of generic *
For Example this Dataset query will list the traffic generated or terminated locally on a Fortigate [LOCAL-FGT-TRAFFIC]
SELECT * FROM $log
where trandisp ='noop'
Workaround
Attached is the example report (LOCAL-FGT-TRAFFIC.dat)
This KB describes a common issue using star/asterisks '*' instead of specific field names in queries.
The query engine for the FortiAnalayzer processes DataSet by caching queries from reports periodically to enable quicker report creation.
The algorithms used rely on the datasets using specific field names, instead of generic *
For Example this Dataset query will list the traffic generated or terminated locally on a Fortigate [LOCAL-FGT-TRAFFIC]
SELECT * FROM $log
where trandisp ='noop'
Follow these steps:
- Save the Dataset
- Create a chart
- Select the fields you want in the chart
- Create a report attaching the newly create chart
The results will not be shown.
Workaround
Create the same dataset query and add the field names individually [LOCAL-FGT-TRAFFIC-FIELDS]
SELECT dstip,dstname,tranip,service,proto,slot,duration,policyid,sentbyte,rcvdbyte,sentpkt,rcvdpkt,vpn,srcintf,dstintf,sessionid,custom_field1,wanoptapptype,wanin,wanout,lanin,lanout,app,appcat,shaperdropsentbyte,shaperdroprcvdbyte,shaperperipdropbyte,shapersentname,shaperrcvdname,shaperperipname,transip,transport,dstcountry,vpntype,applist,appact,devtype,osname,osversion,unauthuser,unauthusersource,mastersrcmac,srcmac,collectedemail,appid,srccountry,msg,utmaction,crscore,craction,srcssid,dstssid,srcuuid,dstuuid,poluuid,apprisk,countapp,countav,countdlp,countemail,countips,countweb,countwaf,utmevent,utmsubtype,sender,recipient,virus,attack,hostname,catdesc,dlpsensor,utmref,threats,threatlvls,threattyps,threatcnts,threatwgts,crlevel,centralnatid,apsn,ap,channel,radioband,vwpvlanid,policytype,policymode,shapingpolicyid,clouduser,apps,saasinfo,sslaction,url,agent,fctuid,sslexempt,ebtime
FROM $log
where trandisp ='noop'
Then creating a chart and add it to the report, it will display the data correctly, you can observe the differences.
Attached is the example report (LOCAL-FGT-TRAFFIC.dat)
