avizzari
Staff
Description
This article explains FortiAnalyzer CPU usage by the log indexing process.

Solution
On a FortiAnalyzer unit, the logs are stored on the local disks in a native format (the one sent by the FortiGate unit) and in an indexed representation.

Logs can be indexed in different ways:
  -  Fortinet Proprietary Indexes
  -  SQL DB (local PostgreSQL or remote MySQL)

"Indexes" are generally used to:
  -  display logs on the GUI,
  -  generate reports.

Conversion of native logs into the indexed format runs continuously, so it consumes some CPU resources.

Because it works constantly in the background, it is given a low scheduling priority compared to other processes. It may take all of the CPU resources when every other process is idle, and its share drops to 0 as soon as one or more other processes become active.

Therefore, a high CPU value caused by the indexing process is normal and not a cause for alarm.

In the following FortiAnalyzer 5.0 example, the NI (nice) value "12" shows the low priority given to sqllogd (excerpt from exec top):
Cpu(s):  1.3%us,  1.3%sy,  0.7%ni, 96.7%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   1027152k total,  1014852k used,    12300k free,    49320k buffers
Swap:  2076536k total,    84192k used,  1992344k free,   444684k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+   PPID P COMMAND
 3902 root      32  12 82128  30m 3576 S  0.7  3.0  17:24.01     1 0 sqllogd
 3691 root      20   0  204m 100m 2236 S  0.3 10.0   6:13.50  3542 0 svc dvmdb reade
    1 root      20   0  203m  97m 4280 S  0.0  9.8   0:10.62     0 0 initXXXXXXXXXXX
    2 root      20   0     0    0    0 S  0.0  0.0   0:00.00     0 0 kthreadd
    3 root      20   0     0    0    0 S  0.0  0.0   0:00.02     2 0 ksoftirqd/0
Note: Output is more or less the same in later versions.
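As an added illustration (not Fortinet code and not part of the original article), the following Python script parses a top excerpt like the one above and separates processes that run with a positive nice value (low priority, such as sqllogd with NI=12) from processes at normal priority. This is the check an operator would want before treating a high %CPU reading as a problem. The sample text is a constructed copy of the article's excerpt (the padded init entry shortened to "init"), and the column layout PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ PPID P COMMAND is assumed to match that excerpt.

```python
"""Classify FortiAnalyzer `exec top` output by scheduling priority.
Added example; assumes the 14-column layout shown in the article's excerpt."""
import re

# Constructed sample: the article's top excerpt, with the init entry shortened.
SAMPLE_TOP = """\
Cpu(s):  1.3%us,  1.3%sy,  0.7%ni, 96.7%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   1027152k total,  1014852k used,    12300k free,    49320k buffers
Swap:  2076536k total,    84192k used,  1992344k free,   444684k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+   PPID P COMMAND
 3902 root      32  12 82128  30m 3576 S  0.7  3.0  17:24.01     1 0 sqllogd
 3691 root      20   0  204m 100m 2236 S  0.3 10.0   6:13.50  3542 0 svc dvmdb reade
    1 root      20   0  203m  97m 4280 S  0.0  9.8   0:10.62     0 0 init
    2 root      20   0     0    0    0 S  0.0  0.0   0:00.00     0 0 kthreadd
    3 root      20   0     0    0    0 S  0.0  0.0   0:00.02     2 0 ksoftirqd/0
"""


def parse_cpu_line(text):
    """Return the Cpu(s) summary as a dict, e.g. {'us': 1.3, ..., 'id': 96.7}."""
    for line in text.splitlines():
        if line.startswith("Cpu(s):"):
            return {k: float(v) for v, k in re.findall(r"([\d.]+)%(\w+)", line)}
    return {}


def parse_processes(text):
    """Return one dict per process row below the PID header.

    COMMAND may contain spaces ("svc dvmdb reade"), so the first 13
    whitespace-separated fields are fixed and the remainder is the command.
    """
    rows = []
    in_table = False
    for line in text.splitlines():
        if line.lstrip().startswith("PID "):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        f = line.split(None, 13)
        if len(f) < 14:
            continue  # skip truncated rows
        rows.append({
            "pid": int(f[0]), "user": f[1], "pr": int(f[2]), "ni": int(f[3]),
            "state": f[7], "cpu": float(f[8]), "mem": float(f[9]),
            "ppid": int(f[11]), "command": f[13].strip(),
        })
    return rows


def low_priority_processes(rows):
    """Processes running with a positive nice value.

    The Linux scheduler only gives these CPU time that nothing at a lower
    nice value wants, so they can show a high %CPU on an otherwise idle
    system without indicating a problem. In the article sqllogd has NI=12.
    """
    return [r for r in rows if r["ni"] > 0]


def classify(text):
    """Map each command name to 'background' (niced) or 'normal'."""
    return {r["command"]: ("background" if r["ni"] > 0 else "normal")
            for r in parse_processes(text)}


if __name__ == "__main__":
    cpu = parse_cpu_line(SAMPLE_TOP)
    print(f"idle: {cpu.get('id')}%  niced: {cpu.get('ni')}%")
    for r in low_priority_processes(parse_processes(SAMPLE_TOP)):
        print(f"low-priority background process: {r['command']} "
              f"(PR={r['pr']}, NI={r['ni']}, %CPU={r['cpu']})")
```

The useful reading is the combination: when a process shows a positive NI and the Cpu(s) line attributes the load to the "ni" bucket rather than "us", the CPU is being spent on deliberately deprioritized work that will yield as soon as anything else needs the core.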
