FortiSIEM
premchanderr
Staff & Editor
Article Id 344449
Description

 

This article describes how to handle query rejection due to the max limit when exporting a report in FortiSIEM GUI.

 

Scope

 

FortiSIEM v7.2.0.

 

Solution

 

The message 'Query Rejected: Max query limit reached' is displayed when a report reaches one of the following limits:

  • Generated in UI: 100,000 lines if not using Group By; 10,000 if using Group By.
  • PDF export: 50,000 lines if not using Group By or displaying Raw Events; 10,000 if using Group By; and 2,000 if displaying Raw Events.
  • CSV export: 100,000 lines if not using Group By or displaying Raw Events; 10,000 if using Group By; and 2,000 if displaying Raw Events.
 


 

Reports are not intended for exporting huge numbers of events; they are meant to extract meaningful information from those events through the queries used in Analytics or in reports. For this reason, the export limits exist by design, to avoid a performance impact on FortiSIEM.

 

There is no workaround to increase these limits. Instead, optimize the query with more filters so that it returns fewer events.

 

If the limit has not been reached and the issue persists, check the following:

  • Ensure the supervisor and all query workers are in a normal health status.
  • Add more filters, or temporarily remove a few suspect fields from the filters, to test whether the query then succeeds.
  • Restart the phProcesses related to query/report:

su admin
phtools --stop phQueryMaster
phtools --stop phQueryWorker

 

Wait a few seconds and confirm with the phstatus command that the phQuery processes are down, then start them again:


phtools --start phQueryMaster
phtools --start phQueryWorker

 

  • Clear the Appsvr cache and restart Java. SSH to the supervisor as root, then run:

su admin
rm -rf /opt/glassfish/domains/domain1/osgi-cache/
rm -rf /opt/glassfish/domains/domain1/generated/
kill -9 $(cat /opt/glassfish/domains/domain1/config/pid)
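The stop, check with phstatus, then start sequence above, wrapped in a small POSIX shell script. This is an added example, not part of the Fortinet article or of FortiSIEM itself; it assumes that phstatus lists each process on its own line with the process name in the first column, and that it is run as the admin user on the supervisor.

```shell
#!/bin/sh
# Added example: restart phQueryMaster/phQueryWorker only after phstatus
# confirms they are down, instead of starting them a fixed number of
# seconds after the stop. Assumption: phstatus prints one line per
# process with the process name as the first field.

QUERY_PROCS="phQueryMaster phQueryWorker"

# query_procs_running STATUS_TEXT
# Returns 0 if any query process is still listed in the given phstatus
# output, 1 otherwise. Taking the text as an argument keeps the check
# usable without a live supervisor.
query_procs_running() {
    status_text=$1
    for p in $QUERY_PROCS; do
        # Match the name only as a whole first column, so that the
        # check does not confuse similarly prefixed process names.
        if printf '%s\n' "$status_text" | grep -Eq "^[[:space:]]*$p([[:space:]]|$)"; then
            return 0
        fi
    done
    return 1
}

# wait_for_query_procs_down TIMEOUT_SECONDS
# Polls phstatus every 2 seconds until no query process is listed.
# Returns 0 when they are down, 1 if the timeout expires first.
wait_for_query_procs_down() {
    timeout=${1:-60}
    elapsed=0
    while query_procs_running "$(phstatus 2>/dev/null)"; do
        [ "$elapsed" -ge "$timeout" ] && return 1
        sleep 2
        elapsed=$((elapsed + 2))
    done
    return 0
}

# Stop both processes, wait for phstatus to drop them, then start both.
restart_query_processes() {
    for p in $QUERY_PROCS; do phtools --stop "$p"; done
    if ! wait_for_query_procs_down 60; then
        echo "query processes still listed by phstatus after 60s; not starting" >&2
        return 1
    fi
    for p in $QUERY_PROCS; do phtools --start "$p"; done
}

if [ "${1:-}" = "--run" ]; then
    restart_query_processes
fi
```

Invoke the script with --run on the supervisor to perform the restart; without the flag it only defines the functions.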

The issue can also be caused by the browser cache. Test in a private window of the Chrome or Firefox browser.

If the issue persists, open a ticket with Fortinet Support.

 

Note:

Alternatively, it is possible to export a higher number of events through FortiSIEM CLI tools. Check the related article:

Technical Tip: How to export Raw Event Logs from the command line interface