number-of-session-timeline dataset question

abelio · ‎04-18-2018

Hello everybody,

There's available in-a-box the 'number-of-session-timeline" dataset querying Traffic log this way:

select $flex_timescale(timestamp) as hodex, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, count(*) as sessions from $log where $filter and logid_to_int(logid) not in (4, 7, 14) group by timestamp order by timestamp desc)### t group by hodex order by hodex

How should we understand that 'count(*) as sessions' ? Like an acumulated sum in the hour?

Results are (very) far from those I can see as "sessions" value during a normal day in the box, whether looking widgets or parsing the output of 'get sys perfomance status' CLI command.

I'd appreciate very much your interpretation.

regards

/ Abel

mantaransingh_FTNT · ‎04-19-2018

Hi Abelio

FAZ session counts are based on log message received after the session is closed.

While 'get sys performance status' output usually shows current active sessions.

In order to have apple-to-apple comparison, the average session life should be significantly smaller than reporting interval. (meaning the difference between report and outputs could be caused if you have 'very" long-life session , or small report interval).

This SQL query is counting each log as a session and group it by time scale. This time scale changes according to the report time period.

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36191

Thanks

mantaransingh

abelio · ‎04-20-2018

Hi Mantaran, thanks for your explanation and reference.

As customers commonly have logs and FAZs (not all of them are taking long term snmp measures),

I'm exploring the usefullness of the FAZ report in order to compare with those obtained for example through snmp oid .1.3.6.1.4.1.12356.101.4.1.8.0 using different time scale sampling (1 min, 5 min, 30 min, 2h etc)

(BTW snmp approach compares reasonably well with widgets or 'get sys perf status')

I'll try playing with time scale variations in the report following your advice

Thanks again,

regards

/ Abel

mcu1102 · ‎04-24-2018

Dear Abel,

I read and proved your dataset on my physical forit device. Great useful and helpful for understanding.

By the way, I'm facing a similar question but not in session. Hopefully sharing on this forum .

I have FAZ 5.4.0 and collected a part of foritgate device traffic information, such as monitoring WAN traffic. My workplace is established 100M ISP bandwidth, and export daily report to represent the traffic everyday.

However, when I customed a set of dataset according to normal mysql query and executed, the report is out of my expectation. I'm expected (maximum level in sent and received) in y-axis that should be FIXED 100M but not sumed by calculation method.

public my custom dataset

select $flex_timescale as hodex, sum(coalesce(sentbyte, 0)) as traffic_out, sum(coalesce(rcvdbyte, 0)) as traffic_in from $log where $filter group by hodex order by hodex

Hope you can help me and sharing your suggestion.

Regards,

frankie

abelio · ‎04-26-2018

Hello Frankie,

Let me make some points:

- dataset posted is not mine; is included in any 5.4 FAZ in a box; it was a starting point to discuss

- i understand that your above question was already answered in another part of this forum.

By doing this: select $flex_timescale as hodex, sum(coalesce(sentbyte, 0)) as traffic_out ....

you're only counting packets traversing an interface; bandwidth is a 'velocity' quantity, measurement of a rate, another thing.

It shouldn't be surprising obtain such high values.

- your image doesn't appeared in the forum because format; try with jpg

regards

/ Abel

number-of-session-timeline dataset question

Nominate a Forum Post for Knowledge Article Creation