Context: 

Usually as administrator, it is necessary to verify the total entries of specific log filter. In FortiAnalyzer, it is possible to list the logs received in the logview menu. In this example 2 ways are explained to get the number of entries (one directly in the same logview menu and one using a dataset).

Request: It is necessary to get the total count of entries for the following conditions:

• FortiGate logs: A specific FortiGate device.
• Log type: Traffic.

• Specific Source MAC:

• Custom period Time (Defined time period for this example is 10-23-2025 from 00:00:00 to 23:59:00).

The first way to verify the entries is located at the bottom of the window, where are listed the pages of search, to get the count it is needed to select the 'Get total Count' button.

The second way is executing a custom dataset Reports -> Report Definitions -> Dataset -> Create new -> Log Type -> Traffic -> write the Query as shown in the screenshot below. After, set filter conditions, select 'Go' and wait for the results.

SELECT COUNT(*) AS total_entries
FROM $log
WHERE $filter
AND type='traffic'
AND srcmac='XX:XX:XX:XX:XX:XX'

These procedures can be changed according to needs. For the dataset, it is possible to see the raw log format in the log browser to take a specific field to execute the query.

Similarly to the previous examples, it will be configured for the sessionid field.

Related documentation:

Filtering messages - FortiAnalyzer administration guide
Creating datasets - FortiAnalyzer administration guide