Query for custom views often gives no results with FortiAnalyzer
Running a FAZ-200D with 5.4.2, getting logs from a couple FortiGates, FortiAuthenticator, syslogs, etc. I've been getting some confusing results from my queries.
I keep getting empty results from certain queries in Log View, Custom View that should have non-empty results. The empty results often seem to be related to the sequence of specifiers.
For example, if I do a simple query for all denies of a certain subnet:
smart_action=_all_ source=IP.IP.IP.*
I will get a list that matches what I see in the logs. But if I make that query:
source=IP.IP.IP.* smart_action=_all_
I will either get a "No records found" or the FAZ will display "Loading..." and never give results.
Using the right-mouse click on a log field to add to an existing query is even worse. Right clicking on a log entry with Action=Policy Violation gives me the option to add to the query search "Action = Policy Violation", which then adds smart_action="Policy Violation" to the query, which promptly tells me there are no entries found. Note that this works fine if there are not any other fields in the query.
Before I open a ticket on this, anybody have any suggestions?
Thanks in advance.
Labels: 5.4