Need to modify Top-Users-By-Bandwidth

jsevillano · ‎05-10-2022

I need to modify Top-Users-By-Bandwidth query to exclude a specific user. Here is the original query:

select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where user!='jspriv' and (logflag&1>0) and srcip is not null group by user_src, srcip having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc

Anonymous · ‎05-13-2022

Hello jsevillano,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Fortinet Community Team

Debbie_FTNT · ‎05-16-2022

Hey jsevillano,

the easiest would probably be to apply a filter on the chart inside the report.

No need to modify the dataset itself (you can't modify default datasets really, you would have to clone and then modify it).

1. Select the report that has the Top Users by bandwidth chart in it

2. Go to 'Editor' tab

3. right-click on the chart, and set a filter of 'user not equal to <username>'

4. Save the setting

5. Run the report

-> the user should be excluded from the Top Users by Bandwidth chart

You can also exclude the user from the report entirely by setting the filter in Report Settings instead of in Editor and then the specific chart.

As an example on a 7.2 FortiAnalyzer:

Let us know if this is what you're looking for :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++