FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
premchanderr
Staff
Article Id 344449
Description

 

This article describes how to handle a query rejection caused by the maximum query limit when exporting a report from the FortiSIEM GUI.

 

Scope

 

FortiSIEM 7.2.0.

 

Solution

 

The message 'Query Rejected: Max query limit reached' is displayed when a report reaches one of the following limits:

 

  • Generated in UI: 100,000 lines if not using Group By; 10,000 if using Group By.

  • PDF export: 50,000 lines if not using Group By or displaying Raw Events; 10,000 if using Group By; and 2,000 if displaying Raw Events.

  • CSV export: 100,000 lines if not using Group By or displaying Raw Events; 10,000 if using Group By; and 2,000 if displaying Raw Events.
 


 

The purpose of reports is not to export huge volumes of events; they should be used to extract meaningful information from those events through the queries used in Analytics or in reports. For this reason, the limits on export results are there by design, to avoid a performance impact on FortiSIEM.

 

There is no workaround to increase these limits. The query must instead be optimized with more filters so that fewer events are returned.

 

If the limit has not been reached and the issue still occurs, check the following:

  • Ensure the Supervisor and all query Workers are in a normal health status.
  • For testing, add more filters, or remove any fields suspected of causing the problem from the filters.
  • Restart the phProcesses related to query/report:

su admin
phtools --stop phQueryMaster
phtools --stop phQueryWorker

 

Wait a few seconds, confirm with the phstatus command that the phQuery processes are down, and then start them again:


phtools --start phQueryMaster
phtools --start phQueryWorker

 

  • Clear the Appsvr cache and restart Java. SSH to the Supervisor as root and run:

    # su admin
    # rm -rf /opt/glassfish/domains/domain1/osgi-cache/
    # rm -rf /opt/glassfish/domains/domain1/generated/
    # kill -9 $(cat /opt/glassfish/domains/domain1/config/pid)

This could also be caused by the browser cache; test in a private window of the Chrome or Firefox browser.

If an issue is still suspected, open a ticket with Fortinet support.