FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
mbenvenuti
Staff
Article Id 304657
Description This article describes how to troubleshoot the 'No report results found' message in Analytics.
Scope FortiSIEM.
Solution

If a query run in Analytics returns 'No report results found', or an expected result is missing, work through the following steps:

  1. Check the query inputs.

    Build the filter from the suggested options that appear while typing, and use the expression builder, so that attribute names, operators and values are valid. A typo in a value, or a time range that does not cover the event, simply returns no results.

[Image: filter_selection.png]

Note: By design, FortiSIEM's own internal events are hidden from Analytics results by default. To display them, add a System Event Category filter, for example 'System Event Category = 2' to show audit events. See FortiSIEM Event Categories and Handling for details.


  2. Check the user profile.

    Each FortiSIEM account is assigned a role under Admin -> Settings -> Role Management and, in MSSP (multi-tenant) mode, an organization. The role and organization restrict what the account can search: only devices belonging to its organization, and only the data fields the role is allowed to see (fields that are obfuscated for that role do not appear in results).
  • Check the role and organization assigned to the account.
  • Re-run the same query from a Full Admin account; if it then returns results, the original account's role is filtering them out.


  3. Check for incoming packets at a low level.

  • On the FortiSIEM node that should receive the events (the Collector, or the Supervisor or Worker if the device sends to it directly), log in over SSH as root and run the following command, replacing device_ip with the IP address of the device that should be sending events (-n disables name resolution so output is not delayed by DNS):

tcpdump -n host device_ip -vvv

  • For syslog, which FortiSIEM receives on UDP 514 by default:

tcpdump -n udp and host device_ip and port 514 -vvv

    If the device sends syslog over TCP or TLS instead, change udp to tcp and use the port configured on the device (FortiSIEM listens on TCP 514 and, for TLS syslog, TCP 6514).

  • If no packets arrive from the device, the problem is upstream of FortiSIEM: review the device's logging configuration (destination IP, port, protocol) and any firewall or NAT on the path between the device and the node. If packets do arrive, continue with the steps below.


  4. Check the device configuration and discovery.

  • Follow the External Systems Configuration Guide for the device type so that it sends logs in the format, and to the port, that FortiSIEM expects.
  • Make sure discovery completed without blocking errors: run or review the discovery under Admin -> Setup -> Discovery and check the 'Show Errors' tab.


  5. Check node health.

    Every FortiSIEM node in the event path (Supervisor, Worker, or Collector) must be healthy and have working network connectivity to the next node; otherwise events are not processed locally or forwarded onward.
  • Check under Admin -> Health -> Cloud Health, Collector Health and Agent Health.

[Image: collector_health.png]


  6. Check the current FortiSIEM configuration.

    Some settings discard events or route them to another organization, so they never appear in the expected query.
  • Check Admin -> Settings -> Event Dropping Rules for a rule that matches the device or event type.
  • Check Admin -> Settings -> Event Org Mapping for a mapping that assigns the device's events to an organization other than the one being searched.


  7. Check for unknown events.

  • In Analytics, filter on 'Event Type = Unknown_EventType'.
    If the device's events appear there, FortiSIEM received them but no parser matched: the parser for that device is either disabled or does not exist and must be created.
  • To isolate the device's events, pick a keyword that is certain to be present in its raw log (for example the device hostname) and add the filter Raw Event Log CONTAIN <the_keyword>.
  • Go to Admin -> Device Setup -> Parsers, search for the vendor or device name, make sure the matching parser is enabled, and click APPLY.
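
The following is an added example, not code from the Fortinet article, that ties steps 3 and 7 together: it sends a syslog event carrying a unique marker to a collector, so the same event can be watched for with tcpdump on the node and then searched for in Analytics with Raw Event Log CONTAIN <marker>. It assumes the collector receives UDP syslog on port 514 (the FortiSIEM default) and that the sending host is allowed to reach it; the hostname 'testdevice', the tag 'fsmtest' and the key=value fields in the message are constructed for the example. Since no parser matches such a synthetic message, step 7 says it should show up under Unknown_EventType: finding the marker there confirms the transport path, while a missing marker points at the network, node health or dropping rules covered in steps 3, 5 and 6.

```python
"""Send a marked test syslog event to a FortiSIEM collector (added example,
not Fortinet code). Assumes the collector listens on UDP 514, the default."""
import socket
import time
import uuid

SYSLOG_UDP_PORT = 514       # FortiSIEM default syslog port (assumption: unchanged)
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6


def rfc3164_timestamp(now=None):
    """'Mmm dd hh:mm:ss' with the day space-padded, as RFC 3164 requires."""
    now = time.localtime() if now is None else now
    return "%s %2d %s" % (time.strftime("%b", now), now.tm_mday,
                          time.strftime("%H:%M:%S", now))


def build_syslog_message(marker, hostname="testdevice", tag="fsmtest",
                         facility=FACILITY_LOCAL0, severity=SEVERITY_INFO):
    """Return an RFC 3164 style line: <PRI>TIMESTAMP HOSTNAME TAG: MSG.
    hostname, tag and the key=value fields are constructed for this example."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    msg = "FSM_TEST marker=%s user=alice action=login" % marker
    line = "<%d>%s %s %s: %s" % (pri, rfc3164_timestamp(), hostname, tag, msg)
    return line.encode("ascii")


def parse_pri(message):
    """Return (facility, severity) decoded from the leading <PRI> field."""
    text = message.decode("ascii", errors="replace")
    end = text.find(">")
    if not text.startswith("<") or end < 2 or end > 4 or not text[1:end].isdigit():
        raise ValueError("no valid <PRI> header")
    return divmod(int(text[1:end]), 8)   # facility = pri // 8, severity = pri % 8


def send_udp(message, host, port=SYSLOG_UDP_PORT):
    """Send one datagram to the collector; returns the number of bytes sent.
    Run tcpdump on the node at the same time to watch it arrive."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message, (host, port))


def loopback_roundtrip(message):
    """Offline self-check: bind an ephemeral UDP port on 127.0.0.1 to stand in
    for the collector, send the message to it and return what was received."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        send_udp(message, "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(65535)
        return data
    finally:
        rx.close()


if __name__ == "__main__":
    marker = uuid.uuid4().hex[:12]   # unique keyword for Raw Event Log CONTAIN
    event = build_syslog_message(marker)
    print(event.decode())
    print("loopback ok:", loopback_roundtrip(event) == event)
    # Replace collector_ip with the real node, then search Analytics for the marker:
    # send_udp(event, "collector_ip")
```

Run it once with the real collector address uncommented, keep the printed marker, and within a minute search Analytics for Raw Event Log CONTAIN <marker>. If tcpdump on the node shows the datagram but the search finds nothing, the event was received and then dropped or misrouted inside FortiSIEM (steps 5 and 6); if tcpdump shows nothing, the problem is on the network path (step 3).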