Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
laupin
New Contributor III

Created on ‎05-15-2018 06:12 AM

*** Fortianalyzer Combining in one chart two Datasets ***

Hello,

 

I need some help in order to create a custom report. I have an IDS profile and I want to repport the attacks in order to optimize the IPS profile that I'm configuring. The problem is that the data I need is in differents Log Type Database, so I create two datasets: Dataset with log type traffic (where I get srcip,srccountry, dstip,natIP) and Dataset with log type attack (where I get attack type). But i didn't find a way to relate both datasets and I don't have the attack type for a database log type traffic.

 

Does anyone have an idea how can I do that? Is there an SQL sequence I can do in order to have all this information into one Dataset?

 

I'm using the version 5.2.4 ( I'm planning an upgrade, but not for this week)

 

Thanks in advance :)

Labels:
11448
0 Kudos
2 Solutions
AtiT
Valued Contributor
In response to laupin

Created on ‎05-16-2018 07:40 AM

Hi,

I looked at your dataset and you are using 3 SELECTs but in this case only 1 SELECT is enough as all the informaction is in the Traffic log:

 

Create a Traffic dataset:

 

SELECT DISTINCT `srcip`, `srccountry`, `dstip`, `dstname`, `tranip`, `attack` FROM $log WHERE $filter AND NULLIFNA(`attack`) IS NOT NULL ORDER BY `srccountry`

 

You will get the same results and in my case more then 5 times faster.

AtiT

View solution in original post

AtiT
6130
0 Kudos
AtiT
Valued Contributor
In response to laupin

Created on ‎05-16-2018 08:20 AM

Does the dataset I wrote return some data?

What more information you would like to see in the table?

AtiT

View solution in original post

AtiT
6130
0 Kudos
8 REPLIES 8
chall_FTNT
Staff
Staff

Created on ‎05-15-2018 08:50 AM

Creating a datasets which pulls data from 2 log types is quite complex and should generally only be considered for those quite comfortable with SQL.  It requires a UNION of 2 select statements. 

 

Also, in some cases, some queries involving a UNION can be quite computationally demanding on the FortiAnalyzer. 

Chris Hall
Fortinet Technical Support
6070
0 Kudos
laupin
New Contributor III
In response to chall_FTNT

Created on ‎05-15-2018 08:56 AM

Thanks for your comments. I had created this request:

 

select distinct srcip, srccountry, dstip, dstname, tranip, attack from $log-traffic where srcip in (select srcip from $log-attack) and attack in (select  attack from $log-attack) and (policyid=10174 or policyid=116) order by srccountry

 

I almost have waht I want, but I also have a chart into the repport that shows me the Top 10 srcip attacks and there's some Ips into this list that aren't into my detailed one.

6070
0 Kudos
chall_FTNT
Staff
Staff
In response to laupin

Created on ‎05-15-2018 02:42 PM

It sounds like you might want to change the value of "Only Show First"  (FAZ 5.2) in your chart.  A value of 0 is "unlimited" (to the maximum global setting which is 10,000).

Chris Hall
Fortinet Technical Support
6071
0 Kudos
laupin
New Contributor III
In response to chall_FTNT

Created on ‎05-16-2018 06:22 AM

Yes I changed that, but In my repport I have both charts, the one who gave me the detailed information and the other that only shows me the top 10. The thing is that some times there's a mistmatch with the information in both. Let says, I have the ip x.x.x.x into the top ten and when I look into the detailed table I can't find that IP. That's why I think that it's missing data into my sql request.

6070
0 Kudos
AtiT
Valued Contributor
In response to laupin

Created on ‎05-16-2018 07:40 AM

Hi,

I looked at your dataset and you are using 3 SELECTs but in this case only 1 SELECT is enough as all the informaction is in the Traffic log:

 

Create a Traffic dataset:

 

SELECT DISTINCT `srcip`, `srccountry`, `dstip`, `dstname`, `tranip`, `attack` FROM $log WHERE $filter AND NULLIFNA(`attack`) IS NOT NULL ORDER BY `srccountry`

 

You will get the same results and in my case more then 5 times faster.

AtiT

AtiT
6131
0 Kudos
laupin
New Contributor III
In response to AtiT

Created on ‎05-16-2018 07:45 AM

Firstly thanks for your reply. 

I had tried that at first, it was my first option since I have an attack column into the traffic log, but I get nothing. There's no attack information, and then when looked into the attack log, I founded it (same session ID) but this time there was data into this champ.

and then, I started to looked for a way to correlate both tables... :(

 

Until now, at least I get some information but it isn't all the information that is at FAZ

6070
0 Kudos
AtiT
Valued Contributor
In response to laupin

Created on ‎05-16-2018 08:20 AM

Does the dataset I wrote return some data?

What more information you would like to see in the table?

AtiT

AtiT
6131
0 Kudos
laupin
New Contributor III
In response to laupin

Created on ‎05-18-2018 07:22 AM

Yes thanks, it works perfectly! ;)

 

 

6071
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.