There's available in-a-box the 'number-of-session-timeline" dataset querying Traffic log this way:
select $flex_timescale(timestamp) as hodex, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, count(*) as sessions from $log where $filter and logid_to_int(logid) not in (4, 7, 14) group by timestamp order by timestamp desc)### t group by hodex order by hodex
How should we understand that 'count(*) as sessions' ? Like an acumulated sum in the hour?
Results are (very) far from those I can see as "sessions" value during a normal day in the box, whether looking widgets or parsing the output of 'get sys perfomance status' CLI command.
FAZ session counts are based on log message received after the session is closed.
While 'get sys performance status' output usually shows current active sessions.
In order to have apple-to-apple comparison, the average session life should be significantly smaller than reporting interval. (meaning the difference between report and outputs could be caused if you have 'very" long-life session , or small report interval).
This SQL query is counting each log as a session and group it by time scale. This time scale changes according to the report time period.
Hi Mantaran, thanks for your explanation and reference.
As customers commonly have logs and FAZs (not all of them are taking long term snmp measures),
I'm exploring the usefullness of the FAZ report in order to compare with those obtained for example through snmp oid .126.96.36.199.4.1.123188.8.131.52.8.0 using different time scale sampling (1 min, 5 min, 30 min, 2h etc)
(BTW snmp approach compares reasonably well with widgets or 'get sys perf status')
I'll try playing with time scale variations in the report following your advice
I read and proved your dataset on my physical forit device. Great useful and helpful for understanding.
By the way, I'm facing a similar question but not in session. Hopefully sharing on this forum .
I have FAZ 5.4.0 and collected a part of foritgate device traffic information, such as monitoring WAN traffic. My workplace is established 100M ISP bandwidth, and export daily report to represent the traffic everyday.
However, when I customed a set of dataset according to normal mysql query and executed, the report is out of my expectation. I'm expected (maximum level in sent and received) in y-axis that should be FIXED 100M but not sumed by calculation method.
public my custom dataset
select $flex_timescale as hodex, sum(coalesce(sentbyte, 0)) as traffic_out, sum(coalesce(rcvdbyte, 0)) as traffic_in from $log where $filter group by hodex order by hodex
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.