FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
MartiskaM
Staff
Article Id 206939

Description

 

This article describes how to resolve empty reports.


Solution

 

1) Validate that the FortiAnalyzer is not running a lower version than the FortiGates (refer to the latest compatibility matrix).
2) Validate the time frame set for the report and verify that logs are visible in 'Log View' for that period.
 
 

 

 
 
3) For user reports, type the username exactly as it appears in Log View, because the match is case sensitive.
4) Test the dataset that is related to the report. To find the dataset that underlies the report, navigate to Layout, select the table and choose Chart properties.
Save or note the name of the chart, navigate to Chart Library and search for the chart, then open the chart and find the dataset name. Search for the dataset under the Datasets section, confirm that the correct time frame is applied and use the TEST button to generate output.

Note that the dataset values may differ from the real numbers, as this option serves only for testing purposes.
 
 

 

 
 
5) If a filter is used and the report has no output, ensure that the correct filter and value are used.
These values can be found by displaying the raw logs.
 
 

 

 
 
Raw view.
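
An added example (not part of the original article and not Fortinet code) for steps 3 and 5: it parses one raw log line and compares a report filter against it, separating a case-only mismatch from a wrong value or a wrong field name. The sample log line and the filters are constructed, and the exact-match comparison is an assumption that models the case sensitivity described in step 3.

```python
import re

# Constructed sample in FortiGate key=value raw log style (not from the article).
SAMPLE_RAW_LOG = (
    'date=2022-03-16 time=09:12:44 devname="FGT-LAB" type="traffic" '
    'subtype="forward" srcip=10.0.0.15 user="JSmith" '
    'hostname="example.com" action="accept"'
)

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_raw_log(line):
    """Return the fields of one raw log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def check_filter(fields, name, value):
    """Compare a report filter with a raw log.

    Returns (status, actual): status is 'match', 'case-mismatch',
    'value-mismatch' or 'unknown-field'; actual is the value as logged.
    """
    if name not in fields:
        return ("unknown-field", None)
    actual = fields[name]
    if actual == value:
        return ("match", actual)
    if actual.lower() == value.lower():
        # Same text, different case: the situation described in step 3.
        return ("case-mismatch", actual)
    return ("value-mismatch", actual)


if __name__ == "__main__":
    fields = parse_raw_log(SAMPLE_RAW_LOG)
    # Hypothetical filters someone might have typed into a report.
    for name, value in [("user", "jsmith"), ("user", "JSmith"),
                        ("username", "JSmith"), ("action", "deny")]:
        status, actual = check_filter(fields, name, value)
        print(f"{name}={value!r}: {status} (logged value: {actual!r})")
```

Paste a line copied from the raw log display in place of the sample to check a filter before re-running the report.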
 
 

 

 
 
Debug section.
1) Once you start to run a report, FortiAnalyzer creates a log about the report generation status and system performance. Use this diagnostic log to troubleshoot report performance issues. For example, if your report is very slow to generate, you can use this log to check system performance and see which charts take the longest time to generate.
For information on how to interpret the report diagnostic log and troubleshoot report performance issues, see the FortiAnalyzer Report Performance Troubleshooting Guide.
To retrieve report generation logs:
- In Reports > Generated Report, right-click the report and select Retrieve Diagnostic to download the log to your computer.
- Use a text editor to open the log.
 
2) Debug the reporting process using the commands below:
 
# diagnose de application sqlreportd 255
# diagnose de en
 
While the debug is running, execute the report via the GUI or the CLI as described in step 3. After the debug output is generated, stop debugging in the CLI with the following commands:
 
# diagnose de dis
# diagnose de res
 
3) Execute the report manually via the CLI. This example uses “User Detailed Browsing Log” from the root ADOM.
 
# exe sql-report run root ?
<schedule-name>    <----- Select one of the available SQL report schedule names.
 
ADOM: root
NAME    TITLE
10012  - User Detailed Browsing Log
10017  - User Top 500 Websites by Bandwidth
10018  - User Top 500 Websites by Session
10019  - Application Risk and Control
10025  - Cyber Threat Assessment
10037  - Secure SD-WAN Report
10039  - SOC Incident Report
10041  - Throughput Utilization Billing Report
22001  - FortiClient Default Report
30001  - FortiDDos Default Report
 
uranium-esx50 # exe sql-report run root 10012
 
4) Run the following command, which checks and repairs the file system and then reboots the system:
 
# diagnose system fsck harddisk
This operation will check and repair the file system, then reboot the system.
Do you want to continue? (y/n)y
 
5) Manually rebuild hcache tables for the reports:
See related articles.
 
6) Rebuild the database:
See related articles.
 
7) If the issue remains, contact Fortinet TAC Support and add further details to the ticket, such as the output of the following commands:
 
# diag test application sqlreportd 99
# exe tac report
 
Also include the output of the commands run in step 2 of the debug section.
If Chrome is used, it is also possible to download the Fortinet Chrome extension in order to capture more details: https://chrome.google.com/webstore/detail/fortimanagerfortianalyzer/dhdlbdcjpkjngafjclfegbbcajbfhlac

Related Articles

Reporting: When is a manual rebuild of hcache tables advisable?

Technical Tip: FortiAnalyzer SQL database delete and rebuild
