Fortinet white logo
Fortinet white logo

Administration Guide

Creating datasets

Creating datasets

FortiAnalyzer datasets are collections of data from logs for monitored devices. Charts and macros reference datasets. When you generate a report, the datasets populate the charts and macros to provide data for the report.

FortiAnalyzer has many predefined datasets that you can use right away. You can also create your own custom datasets. An easy way to build a custom query is to copy and modify a predefined dataset's query.

To create a new dataset:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > Datasets, and click Create New.
  3. In the Create Dataset pane, provide the required information for the new dataset.

    Name

    Enter a name for the dataset.

    Log Type

    Select a log type from the dropdown list. Below is a list of the available log types based on device.

    • FortiGate: Application, Intrusion Prevention, Content , Data Leak Prevention, DNS, Email Filter, Event, FortiClient System Event, FortiClient Security Event, FortiClient Traffic, File Filter, GTP, Vulnerability Scan, Protocol, SSH, SSL,Traffic, Antivirus, VoIP, Web Application Firewall, Web Filter, Local Event.
    • FortiMail: Email Filter, Event, History, and Antivirus.
    • FortiAnalyer: Application, Event, and Local Event.
    • FortiWeb: Attack , Event, and Traffic.
    • FortiCache: Application, Intrusion Prevention, Content , Data Leak Prevention, Email Filter, Event, Vulnerability Scan, Traffic, Antivirus, VoIP, and Web Filter.
    • FortiClient: FortiClient System Event, FortiClient Security Event, FortiClient Traffic.
    • Syslog: Syslog.
    • FortiManager: Application and Event.
    • FortiSandbox: Event, Vulnerability Scan, and Antivirus.
    • FortiDDoS: Intrusion Prevention and Event.
    • FortiAuthenticator: Event.
    • FortiProxy: Application, Intrusion Prevention, Data Leak Prevention, DNS, Email Filter, Event, SSH, Traffic, Antivirus, VoIP, and Web Filter.
    • FortiNAC: Asset and Event.
    • FortiFirewall: DNS, Event, File Filter, GTP, SSH, SSL, and Traffic.
    • FortiDeceptor: Event.
    • FortiSOAR: Event
    • FortiADC: Intrusion Prevention, Event, and Traffic.
    • FortiAI: Attack and Event.
    • Fabric: Normalized.

    Query

    Enter the SQL query used for the dataset.

    While entering SQL in the query field, automatic suggestions are provided that offer a list of possible commands, table names, log fields, and more to use in your query.

    Validate

    Click Validate to validate the entered SQL query. If any errors are present in the query, the details of the error are displayed below, otherwise the message will display OK.

    Analyze Query

    Click Analyze Query to perform a detailed analysis on the SQL query. Analyze Query displays the original SQL query, the transformed SQL query (if applicable), and the SQL validation results.

    This function also allows users to view the hcache query that is used when a report using this dataset has enabled the auto-cache option for faster report generation. For more information on hcache, see How auto-cache works

    Format

    Click Format to automatically format the entered SQL query, making it easier to read, update, and detect errors.

    Variables

    Click the Add button to add variable, expression, and description information.

    If added, the expression for the variable will be used when configuring filters for reports that use this dataset. For example, if Variable = User (user) and Expression = coalesce(nullifna(`user`), ipstr(`srcip`)), then the expression will be used when User (user) is selected as the Log Field in a report's filter. See Filtering report output.

    Test

    Click to test the SQL query before saving the dataset configuration.

    Click Stop to end a test in progress.

    Time Period

    Use the dropdown list to select a time period. When selecting Custom, enter the start date and time, and the end date and time.

    Devices

    Select All Devices or Specify to select specific devices to run the SQL query against. Click the Select Device button to add multiple devices to the query.

  4. Click Test.

    The query results are displayed. If the query is not successful, an error message appears in the Test Result pane.

  5. Click OK.

Creating datasets

Creating datasets

FortiAnalyzer datasets are collections of data from logs for monitored devices. Charts and macros reference datasets. When you generate a report, the datasets populate the charts and macros to provide data for the report.

FortiAnalyzer has many predefined datasets that you can use right away. You can also create your own custom datasets. An easy way to build a custom query is to copy and modify a predefined dataset's query.

To create a new dataset:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > Datasets, and click Create New.
  3. In the Create Dataset pane, provide the required information for the new dataset.

    Name

    Enter a name for the dataset.

    Log Type

    Select a log type from the dropdown list. Below is a list of the available log types based on device.

    • FortiGate: Application, Intrusion Prevention, Content , Data Leak Prevention, DNS, Email Filter, Event, FortiClient System Event, FortiClient Security Event, FortiClient Traffic, File Filter, GTP, Vulnerability Scan, Protocol, SSH, SSL,Traffic, Antivirus, VoIP, Web Application Firewall, Web Filter, Local Event.
    • FortiMail: Email Filter, Event, History, and Antivirus.
    • FortiAnalyer: Application, Event, and Local Event.
    • FortiWeb: Attack , Event, and Traffic.
    • FortiCache: Application, Intrusion Prevention, Content , Data Leak Prevention, Email Filter, Event, Vulnerability Scan, Traffic, Antivirus, VoIP, and Web Filter.
    • FortiClient: FortiClient System Event, FortiClient Security Event, FortiClient Traffic.
    • Syslog: Syslog.
    • FortiManager: Application and Event.
    • FortiSandbox: Event, Vulnerability Scan, and Antivirus.
    • FortiDDoS: Intrusion Prevention and Event.
    • FortiAuthenticator: Event.
    • FortiProxy: Application, Intrusion Prevention, Data Leak Prevention, DNS, Email Filter, Event, SSH, Traffic, Antivirus, VoIP, and Web Filter.
    • FortiNAC: Asset and Event.
    • FortiFirewall: DNS, Event, File Filter, GTP, SSH, SSL, and Traffic.
    • FortiDeceptor: Event.
    • FortiSOAR: Event
    • FortiADC: Intrusion Prevention, Event, and Traffic.
    • FortiAI: Attack and Event.
    • Fabric: Normalized.

    Query

    Enter the SQL query used for the dataset.

    While entering SQL in the query field, automatic suggestions are provided that offer a list of possible commands, table names, log fields, and more to use in your query.

    Validate

    Click Validate to validate the entered SQL query. If any errors are present in the query, the details of the error are displayed below, otherwise the message will display OK.

    Analyze Query

    Click Analyze Query to perform a detailed analysis on the SQL query. Analyze Query displays the original SQL query, the transformed SQL query (if applicable), and the SQL validation results.

    This function also allows users to view the hcache query that is used when a report using this dataset has enabled the auto-cache option for faster report generation. For more information on hcache, see How auto-cache works

    Format

    Click Format to automatically format the entered SQL query, making it easier to read, update, and detect errors.

    Variables

    Click the Add button to add variable, expression, and description information.

    If added, the expression for the variable will be used when configuring filters for reports that use this dataset. For example, if Variable = User (user) and Expression = coalesce(nullifna(`user`), ipstr(`srcip`)), then the expression will be used when User (user) is selected as the Log Field in a report's filter. See Filtering report output.

    Test

    Click to test the SQL query before saving the dataset configuration.

    Click Stop to end a test in progress.

    Time Period

    Use the dropdown list to select a time period. When selecting Custom, enter the start date and time, and the end date and time.

    Devices

    Select All Devices or Specify to select specific devices to run the SQL query against. Click the Select Device button to add multiple devices to the query.

  4. Click Test.

    The query results are displayed. If the query is not successful, an error message appears in the Test Result pane.

  5. Click OK.