SSC_Seb
New Member
March 8, 2017
Question

FortiAnalyzer 5.2 - Charts with different date ranges in same report?

  • 1 reply
  • 8773 views

Hi all. We've recently procured a FAZ-1000E device to refresh our old FAZ-2000A running on 4.0 MR3. As part of the upgrade process, I'm currently rewriting the old reports we had customized. I've run into an annoying issue.


In 4.0 MR3, we were able to insert charts into the same report and customize each chart's date range. For example, in one report we had 2 charts with a date range of "Yesterday" followed by another chart with a date range of "Last 7 Days". In 5.2, I can't find how to do this. The only date range I can see is in the report configuration and affects all of the charts in the report. If I try to go to the properties of a chart from the report layout, I can't see a field to configure a date range for that specific chart. I can add filters but I can't find any that would allow us to change the reporting period for that chart.


Did FAZ lose the ability to have charts with different reporting periods in the same report between 4.0 MR3 and 5.2? That would be disappointing. If the functionality is back in 5.4, that'd be nice to know, but we won't be able to go to that version for some time given that we still have many FortiGate devices running 4.0 MR3 and I've been told FAZ 5.4 cannot receive those logs.


Appreciate any help, thanks.

1 reply

SSC_Seb
Author
New Member
March 10, 2017

I think I figured out a workaround, if anyone else needs to do something like this. Make a dataset with an SQL query that doesn't include the $filter variable used by FAZ and instead use "where to_timestamp(dtime)::date>=(current_date-7) and to_timestamp(dtime)::date<current_date" as well as any device selectors you need (since filter selections won't affect the query). Seems to work.

RobertReynolds
New Member
March 23, 2017

I'm trying to do the exact same thing in 5.4, having two time periods in one report, and I can't see how to do it either.


Could you please post an example of a dataset using your "where to_timestamp(dtime)::date>=(current_date-7) and to_timestamp(dtime)::date<current_date" query?


E.g. I'm trying to create a report showing websites and categories by bandwidth for "yesterday" as well as showing websites and categories by bandwidth for "last 7 days" in the same report, amongst many others.

SSC_Seb
Author
New Member
March 23, 2017

My 5.2 dataset is using this query:


select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, sum(rcvdbyte+sentbyte) as volume
from $log
where to_timestamp(dtime)::date>=(current_date-7) and to_timestamp(dtime)::date<current_date
  and devid in ('FGTxxx','FGTxxx')
group by user_src
having sum(rcvdbyte+sentbyte)>0
order by volume desc


Which gives me the volume of traffic per user (IP if user is blank) over the last 7 days on a cluster of 2 devices (FGTxxx are the serial numbers). I have to specify those here since no $filter variable is used in the query (since $filter would evaluate the time period for the report, and I don't want to use it). The report that uses this is set to a period of 1 day, but this dataset query ignores that and grabs last 7 days.
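To show how the same workaround covers the "yesterday" plus "last 7 days" pairing asked about above, here are two dataset queries written as an added example (not taken from the thread or from a FortiAnalyzer built-in). They follow the pattern of the query above; the `hostname` and `catdesc` log fields and the two serial numbers are assumptions, to be replaced with the fields and devices you actually log.

```sql
-- Added example, not from the thread. Two FortiAnalyzer 5.2-style dataset
-- queries that pin their own window instead of relying on $filter, so each
-- chart keeps its own period no matter what the report itself is set to.
-- Assumed: traffic logs carry `hostname` and `catdesc`; 'FGT_SERIAL_1' and
-- 'FGT_SERIAL_2' are placeholders for the real device serial numbers.

-- Dataset A: websites and categories by bandwidth, "yesterday" only.
-- to_timestamp(dtime)::date truncates to a calendar day in the database
-- session's time zone, so the window is [midnight yesterday, midnight today).
select
  coalesce(nullifna(`hostname`), 'unknown') as website,
  coalesce(nullifna(`catdesc`), 'unknown') as category,
  sum(rcvdbyte + sentbyte) as volume
from $log
where to_timestamp(dtime)::date = current_date - 1
  and devid in ('FGT_SERIAL_1', 'FGT_SERIAL_2')  -- device selection, since $filter is not used
group by website, category
having sum(rcvdbyte + sentbyte) > 0
order by volume desc

-- Dataset B: same grouping over the previous seven full days, today excluded.
-- The lower bound is inclusive and the upper bound exclusive, matching the
-- predicate in the query above.
select
  coalesce(nullifna(`hostname`), 'unknown') as website,
  coalesce(nullifna(`catdesc`), 'unknown') as category,
  sum(rcvdbyte + sentbyte) as volume
from $log
where to_timestamp(dtime)::date >= current_date - 7
  and to_timestamp(dtime)::date < current_date
  and devid in ('FGT_SERIAL_1', 'FGT_SERIAL_2')
group by website, category
having sum(rcvdbyte + sentbyte) > 0
order by volume desc
```

Each query goes into its own dataset, and each dataset feeds its own chart in the one report; because neither uses $filter, the report's configured period and device selection have no effect on them, so the serial list is the only thing that scopes the data.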