As an administrator, it is necessary to verify the total entries of a specific log filter. In FortiAnalyzer, it is possible to list the logs received in the logview menu. In this example, 2 ways are explained to get the number of entries (one directly in the same logview menu and one using a dataset).

Request: It is necessary to get the total count of entries for the following conditions:

• FortiGate logs: A specific FortiGate device.
• Log type: Traffic.

• Specific Source MAC:

• Custom period Time (Defined time period for this example is 10-23-2025 from 00:00:00 to 23:59:00).

The first way to verify the entries is located at the bottom of the window, where the search pages are listed, to get the count, it is needed to select 'Get total Count'.

The second way is executing a custom dataset, Reports -> Report Definitions -> Dataset -> Create new -> Log Type -> Traffic -> write the Query as shown in the screenshot below. After setting filter conditions, select 'Go' and wait for the results.

SELECT COUNT(*) AS total_entries
FROM $log
WHERE $filter
AND type='traffic'
AND srcmac='XX:XX:XX:XX:XX:XX'

These procedures can be changed according to needs. For the dataset, it is possible to see the raw log format in the log browser to take a specific field to execute the query.

Similar to the previous examples, it will be configured for the 'sessionid' field.

Note:

In the previous examples it was used the option 'Go' was used to illustrate the process in a faster way, but in real scenarios, the dataset must be inserted into a chart and then into a report. The reason is due to: 

For more detailed information: Creating datasets

Related documents:

Filtering messages
Creating datasets

Creating reports without using a template

Creating charts

Technical Tip: How to create FortiAnalyzer reports using custom SQL queries