- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RESOLVED: Dataset OK, but report empty
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RESOLVED: Dataset OK, but report empty
Hoping someone can give me a clue here. I am a newbie when it comes to designing reports in my FortiAnalyzer 100C.
I have created a custom dataset, containing the following SQL query, which when I click the TEST link works just fine:
-------------- begin SQL
select id,
ssid,
(case `ap-status` when 0 then ' Unclassified' when 1 then ' Rogue!!!' when 2 then ' Accepted' when 3 then ' Suppressed' else ' others' end) as status,
manuf,
rssi,
" radio-band" as radio,
" security-mode" as security,
" on-wire" ,
msg as message
from $log
where $filter
and subtype= ' wireless'
and action = ' rogue-ap-detected'
and " ap-status" = 0
and rssi > 20
order by ssid
-------------- end SQL
This gives me a few records which I expect to see, so I also created a custom Chart which links to my dataset.
I then created a custom Report and added my custom Chart. But when I run it, the report is empty. I' ve edited the Report Options and checked that its set to report on This Week (when I view This Week in the Dataset test I see records show up) ... but I keep getting No Data.
The column headers in the chart display in the report are correct (I have set it to display 3 columns: id, ssid, status
If I add another column to the chart, the column appears in the report ... but still no data.
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
maybe I' m wrong but I think that the last column has to be integer type, nothing else - string etc.
I tried to create a simplne Event report with log id and message and I get data from Dataset but not in Report the resuot was No Data.
When I swapped the columns to Message - Log ID then I had data in the report.
Other problem is that it seems the Analyzer is doing some auto-summarization in the last column. I have data from Dataset like:
msg id
Disk log roll request has been sent. 1
Disk log roll request has been sent. 2
Connected to FortiAnalyzer x.x.x.x 21055
user admin logged into the fw - 1337756854 1
HA device(interface) fail 2
....
The result from the report is:
msg id
A client broadcasts a DHCPDISCOVER message 950768
progress IPsec phase 2 654969
install IPsec SA 327496
negotiate IPsec phase 2 327482
Disconnected from FortiAnalyzer 62.84.128.21 324698
For example for the log from dataset:
Disk log roll request has been sent. 1
Disk log roll request has been sent. 2
you will get in the report:
Disk log roll request has been sent. 3
This is the problem on my side I think it is some bug.
Try to arrange your report that you have integer type in the last column. Mybe it will help.
About the auto-summarization I wrote on KB unfortunately without answer: http://support.fortinet.com/forum/tm.asp?m=83436&p=2&tmode=1&smode=1
AtiT
---------
FCNSA
FCNSP
AtiT
AtiT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting idea. This morning I came up with an idea: what if the way the FA processes the SQL when you Test a Dataset was different to the way the FA processes the SQL when you use a Dataset in a Report?
After some testing, it seems that this is the case. I have had to re-write my SQL to be as follows:
-------------------- start SQL
select ssid,
(case `ap-status` when 0 then ' Unclassified' when 1 then ' Rogue!!!' when 2 then ' Accepted' when 3 then ' Suppressed' else ' others' end) as status,
manuf,
rssi,
`radio-band` as radio,
`security-mode` as security,
`on-wire`,
msg as message
from $log
where $filter
and subtype = ' wireless'
and action = ' rogue-ap-detected'
and `ap-status` = 0
and rssi > 20
order by ssid
--------------------- end SQL
Note that I have replaced double-quotes " with backticks ` for all the column names which have a dash - in them.
It seems that you can get away with double quotes " when you create a Dataset and then click Test ... that will work ... but when you try to do that with a Report that has a Chart which uses that same Dataset, you will get No Data.
I have logged a ticked with Fortinet in the hope of getting an explanation and/or maybe getting this problem fixed in a future firmware release.
Anyway, the end of the matter is that now I am getting data in my report, so that' s the main thing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I now have another example of a SQL SELECT statement which works when Testing a Dataset, but which won' t work when used in a report:
------------------ begin SQL
select ssid,
from_dtime(timestamp) as noticed,
(case `ap-status` when 0 then ' Unclassified' when 1 then ' Rogue!!!' when 2 then ' Accepted' when 3 then ' Suppressed' else ' No Status' end) as status,
(case `sn-detected` when ' FAP22B3U11012725' then ' Level 1 Back' when ' FAP22B3U11012738' then ' Level 2 Back' when ' FAP22B3U11013044' then ' Level 1 Front' when ' FAP22B3U11013055' then ' Level 2 Front' else ' FAP Unknown' end) as FAP,
manuf,
rssi,
`radio-band` as radio,
`security-mode` as security,
`on-wire`,
msg as message
from $log
where $filter
and subtype = ' wireless'
and action = ' rogue-ap-detected'
and `ap-status` = 0
and rssi > 20
order by ssid,
noticed
------------------ end SQL
Note that it is very similar to the query I was using earlier (see above). The key difference, and the thing which is causing it to fail (as verified by running the FA in debug mode for a while) is this bit:
(case `sn-detected` when ' FAP22B3U11012725' then ' Level 1 Back' when ' FAP22B3U11012738' then ' Level 2 Back' when ' FAP22B3U11013044' then ' Level 1 Front' when ' FAP22B3U11013055' then ' Level 2 Front' else ' FAP Unknown' end) as FAP,
If I replace that by this:
`sn-detected` as fap,
then it works fine. So something about this 2nd case statement works in Test modem but fails when used in Report mode.
Any suggestions?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can it be that you can only use 1 case statement? ;)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Possibly. Is that a known restriction?
EDIT: if it is, then why does it work OK in the Dataset Test but not in a Report?
EDIT: removed the first case statement, left the 2nd one in; it works in the Dataset Test but NOT in the Report ... so having just one CASE statement in the SQL SELECT does not fix it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the problem.
Not only is there an inconsistency between the Dataset Test screen and the actual running of a Report in terms of how quote marks and backticks are used (see my previous post above), but ALSO
There is another inconsistency to do with case sensitivity ... in my SQL SELECT, the 2nd CASE statement ended with " ... as FAP," (UPPER CASE TEXT) ... but the Chart object doesn' t recognise this and converts everything to lower case apparently transparently ... and this causes the Chart to be broken.
I changed my SQL SELECT to use " ... as fap," instead (lower case text) and everything magically started working.
So that' s two bugs I' ve found in just a week. I' m on a roll ...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you report the bug with FortiNet? ;)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I' ve actually got 3 tickets open with Fortinet covering 3 distinct bugs in the FortiAnalyzer.
A lot of the above " little issues" explain a lot to me about why we have struggled and struggled to get any sensible reporting out of our FA100C unit. I have had several contractors have a go at producing reports; both of them in essence " gave up" after about a day' s worth of battling to get any data out.
It was only due to my sheer bloody-minded stubbornness that I persisted and persisted with testing and troubleshooting that eventually let me to find these syntax issues at the core of our inability to construct working reports.
My next step is that I am going to get our Supplier to start lodging some feature requests with Fortinet for enhancements to the FA firmware. For example:
(1) the Alerts system is woefully underpowered at present. I need to be able to flag specific criteria such as " Alert me to any new Unclassified WiFi APs which appear) and so on. I could write a report (at least I can now that I have worked out some of the syntactical issues) but that leads me to my next feature request:
(2) I want an option available on my reports so that if a report contains nothing but an empty Dataset (no records returned) then I want to be able to suppress the report; sometimes I just want to have reports run to look for particular things, but don' t want to know if they don' t find anything.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
good work, thanks a lot!
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
7,099 -
FortiClient
1,399 -
5.2
801 -
5.4
639 -
FortiManager
615 -
FortiAnalyzer
449 -
6.0
416 -
FortiAP
373 -
FortiSwitch
368 -
5.6
362 -
FortiClient EMS
288 -
FortiMail
276 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
124 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
100 -
FortiGateCloud
95 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
47 -
FortiADC
45 -
Fortivoice
44 -
FortiEDR
43 -
FortiDNS
38 -
FortiExtender
36 -
FortiGate v5.4
35 -
FortiAuthenticator
34 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
Interface
17 -
VDOM
17 -
Routing
15 -
FortiMonitor
14 -
Authentication
14 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
Logging
14 -
FortiDDoS
13 -
RADIUS
12 -
FortiCASB
12 -
NAT
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
Application control
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
OSPF
6 -
Static route
6 -
IPS signature
5 -
Packet capture
5 -
FortiPAM
5 -
Automation
5 -
trunk
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
Port policy
4 -
Antivirus profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Web rating
4 -
Intrusion prevention
4 -
FortiDeceptor
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
DLP sensor
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
Netflow
2 -
FortiInsight
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
DLP Dictionary
2 -
VoIP profile
2 -
DLP profile
2 -
Fabric connector
2 -
Multicast policy
1 -
4.0MR1
1 -
Zone
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1053 | |
| 870 | |
| 521 | |
| 441 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.