FortiAnalyzer
HernandezA, Staff
Article Id 360710
Description: This article describes how to troubleshoot FortiAnalyzer reports that show data for a shorter period than the one configured.
Scope: FortiAnalyzer.
Solution

Context: In this scenario the report is expected to cover 30 days, but it only contains data for the last 3 days.

[Screenshot: Incomplete data example.png]

  1. Confirm which period is missing from the report, then validate the report configuration (check that the configured time period is the one required).

[Screenshot: Report_period_config.png]

  2. Verify that raw logs exist for the missing period: go to Log View -> Log Browse -> Custom and set the time range to the period that is not displayed in the report.

[Screenshot: Historical_logs.png]

  3. After confirming that logs exist for the period, open Log View -> Logs -> All and check the section at the bottom of the page that shows the total logs available for the analysis period.

[Screenshot: logview_logs_fordata_availabilioty.png]

  4. Next, check for system events about disk usage with the subtype 'diskquota', which indicate that an ADOM has reached its delete threshold.

[Screenshot: system_events.png]

  5. Validate the current storage usage of the affected ADOM under System Settings -> ADOMs -> select the ADOM -> View Storage Info. In this section, confirm whether the Analytics policy limit is being reached and check the value 'Actual logs for X Day'. This value is the real retention based on the current rate of log reception.

[Screenshot: StorageInfoDetails.png]

     a. If there is no more disk space available, expand the disk, or add an HDD if the physical appliance allows it. For a VM, the process is described in Technical Tip: Extending disk space in FortiAnalyzer-VM/FortiManager-VM.
     b. Edit the ADOM. If more disk space is available to be allocated to the ADOM, increase its quota as needed. For guidance on estimating the space required, see Technical Tip: How to estimate disk space needed for Archive and Analytics logs.
     c. If it is not possible to increase the disk or the ADOM quota, try reducing the logs that FortiAnalyzer needs to receive and analyze to the ones that are actually useful (this can be combined with points 5.a and 5.b to optimize log handling). See Technical Tip: Minimizing logging from FortiGate to FortiAnalyzer for the process.
     d. In the ADOM edit interface, assign more storage to the data allocation and customize the Analytics : Archive ratio (the percentage of the assigned storage given to each), as well as the usage percentages at which FortiAnalyzer raises an alert and at which it deletes data.
[Screenshot: EditAdom.png]
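As an added worked example (not from the article or from Fortinet), the retention arithmetic behind step 5: given an ADOM quota, its Analytics share, the delete threshold and the daily analytics volume, it computes how many days of analytics data survive before older logs are purged (the figure 'Actual logs for X Day' reflects), and the quota needed for a 30-day report. The model and every value are assumptions, not FortiAnalyzer's documented algorithm.

```python
"""Estimate analytics retention for a FortiAnalyzer ADOM from its quota settings.

Assumed model: analytics logs accumulate in the Analytics share of the ADOM quota
until usage reaches the delete threshold, after which the oldest days are purged.
All numbers used here are constructed for illustration.
"""
from math import ceil, floor


def analytics_capacity_gb(quota_gb: float, analytics_pct: float,
                          delete_threshold_pct: float) -> float:
    """Usable analytics space before deletion starts: quota * share * threshold."""
    return quota_gb * (analytics_pct / 100.0) * (delete_threshold_pct / 100.0)


def retention_days(quota_gb: float, analytics_pct: float,
                   delete_threshold_pct: float, daily_analytics_gb: float) -> int:
    """Whole days of analytics data that fit before the delete threshold is hit."""
    if daily_analytics_gb <= 0:
        raise ValueError("daily analytics volume must be positive")
    cap = analytics_capacity_gb(quota_gb, analytics_pct, delete_threshold_pct)
    return floor(cap / daily_analytics_gb)


def quota_needed_gb(target_days: int, analytics_pct: float,
                    delete_threshold_pct: float, daily_analytics_gb: float) -> int:
    """Smallest ADOM quota (GB, rounded up) that keeps target_days of analytics."""
    share = (analytics_pct / 100.0) * (delete_threshold_pct / 100.0)
    return ceil(target_days * daily_analytics_gb / share)


def diagnose(report_days: int, quota_gb: float, analytics_pct: float,
             delete_threshold_pct: float, daily_analytics_gb: float) -> dict:
    """Compare the report period with the real retention and size the fix."""
    kept = retention_days(quota_gb, analytics_pct, delete_threshold_pct, daily_analytics_gb)
    return {
        "retention_days": kept,
        "covers_report": kept >= report_days,
        "quota_needed_gb": quota_needed_gb(report_days, analytics_pct,
                                           delete_threshold_pct, daily_analytics_gb),
    }


if __name__ == "__main__":
    # Constructed ADOM: 50 GB quota, 70% Analytics, delete at 90%, 10 GB/day ingested.
    result = diagnose(30, 50, 70, 90, 10)
    print(result)  # retention_days 3, covers_report False, quota_needed_gb 477
```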

  6. After completing the previous steps, rebuild the FortiAnalyzer database so that all data is updated, using the following commands (a runs the rebuild, b checks its progress):
     a. execute sql-local rebuild-db

[Screenshot: SQL.png]

     b. diagnose sql status rebuild-db

[Screenshot: rebuild.png]

 

Important Note: During the rebuild, analytics will not be available until the process has completed.

Extra Tip: If the reports were generated correctly before, the administrator must identify whether the logs received from the managed devices increased exponentially. This could be due to an increase in user logs, or to policies being added or modified to record more events. It can also be tracked through events under System Settings -> Event logs with the log description 'The used log exceeds the license limit', if this behavior was not present previously.