Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
abelio
Valued Contributor

number-of-session-timeline dataset question

Hello everybody,

 

There's available in-a-box the 'number-of-session-timeline" dataset querying Traffic log this way:

 

select $flex_timescale(timestamp) as hodex, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, count(*) as sessions from $log where $filter and logid_to_int(logid) not in (4, 7, 14) group by timestamp order by timestamp desc)### t group by hodex order by hodex

 

How should we understand that 'count(*) as sessions' ?  Like an acumulated sum in the hour?

 

Results are (very) far from those I can see as "sessions" value during a normal day in the box,  whether looking widgets or  parsing the output of  'get sys perfomance status' CLI command.

 

I'd appreciate very much your interpretation.

 

 

 

 

 

regards


__ Abel

4 REPLIES 4
mantaransingh_FTNT

Hi Abelio

FAZ session counts are based on log message received after the session is closed.

While 'get sys performance status' output usually shows current active sessions.

 

In order to have apple-to-apple comparison, the average session life should be significantly smaller than reporting interval. (meaning the difference between report and outputs could be caused if you have 'very" long-life session , or small report interval).

 

This SQL query is counting each log as a session and group it by time scale.  This time scale changes according to the report time period.

 

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36191

 

Thanks

mantaransingh
abelio

Hi Mantaran, thanks for your explanation and reference.

 

As customers commonly have logs and FAZs (not all of them are taking long term snmp measures),

I'm exploring the usefullness of the FAZ report in order to compare with those obtained for example through snmp oid .1.3.6.1.4.1.12356.101.4.1.8.0 using different time scale sampling (1 min, 5 min, 30 min, 2h etc)

(BTW snmp approach compares reasonably  well with widgets or 'get sys perf status')

 

I'll try playing with time scale variations in the report following your advice

 

Thanks again,

regards


__ Abel

mcu1102
New Contributor

Dear Abel,

 

I read and proved your dataset on my physical forit device. Great useful and helpful for understanding.

 

By the way, I'm facing a similar question but not in session. Hopefully sharing on this forum .

 

I have FAZ 5.4.0 and collected a part of foritgate device traffic information, such as monitoring WAN traffic. My workplace is established 100M ISP bandwidth, and export daily report to represent the traffic everyday.

 

However, when I customed a set of dataset according to normal mysql query and executed, the report is out of my expectation. I'm expected (maximum level in sent and received) in y-axis that should be FIXED 100M but not sumed by calculation method.

 

public my custom dataset

 

select $flex_timescale as hodex, sum(coalesce(sentbyte,  0)) as traffic_out, sum(coalesce(rcvdbyte,  0)) as traffic_in from $log where $filter group by hodex order by hodex

 

 

Hope you can help me and sharing your suggestion. 

 

Regards,

 

frankie

abelio
Valued Contributor

Hello Frankie,

Let me make some points:

 

- dataset posted is not mine; is included in any 5.4 FAZ in a box; it was a starting point to discuss

 

- i understand that your above question was already answered in another part of this forum.

 By doing this:   select $flex_timescale as hodex, sum(coalesce(sentbyte,  0)) as traffic_out ....

 you're only counting packets traversing an interface; bandwidth is a 'velocity' quantity, measurement of a rate, another thing.

It shouldn't be surprising  obtain such high values.

 

- your image doesn't appeared in the forum because format; try with jpg

 

regards


__ Abel