https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38290#M28042 <HTML><HEAD></HEAD><BODY><P>Also you may read</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3481">Logging and Reporting Settings Definitions</A></P></BODY></HTML> Tue, 23 Sep 2014 14:30:25 GMT Retired Member 2014-09-23T14:30:25Z https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38288#M28040 <HTML><HEAD></HEAD><BODY><P>I ran 2 Panorama reports, using the detailed and summary databases, on application usage over the last 24 hours (simple reports, just top Applications ranked by bytes, no filters) </P><P></P><P>the results were completely different e.g the figures for web-browsing:</P><P></P><P>Summary: 720G</P><P>Detailed: 3.3T</P><P></P><P>The detailed figure looks correct, why is the summary figure so out of line?</P><P></P><P>Obviously we have quite a lot of traffic and logs and running reports using the detailed database takes forever, I'd prefer to use the summary database but the figures are completely wrong.</P></BODY></HTML> Tue, 23 Sep 2014 14:09:40 GMT https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38288#M28040 LCMember2860 2014-09-23T14:09:40Z https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38289#M28041 <HTML><HEAD></HEAD><BODY><P>Hi NOC,</P><P></P><P>Summary and Detailed logs are totally different parameters.</P><P></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">The entries under the detailed traffic logs are purged at a faster rate than the summary traffic logs. The hourly, daily, and weekly summaries are roll ups of 15 minute summaries on an hourly basis and a roll up of the hourly summaries on a daily basis as well as a roll up of the daily summaries on a weekly basis. So as we continue to roll up data the results can become summarized even further. This can lead to greater discrepancies between summarized databases and non-summarized databases.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">You can also refer following threads for more details.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A href="https://live.paloaltonetworks.com/message/29609">Traffic summary databese</A></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A href="https://live.paloaltonetworks.com/docs/DOC-4347">Custom reports for Summary vs Detailed logs database</A></SPAN></P><P></P><P>Let me know if this helps.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 23 Sep 2014 14:16:39 GMT https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38289#M28041 hshah 2014-09-23T14:16:39Z https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38290#M28042 <HTML><HEAD></HEAD><BODY><P>Also you may read</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3481">Logging and Reporting Settings Definitions</A></P></BODY></HTML> Tue, 23 Sep 2014 14:30:25 GMT https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38290#M28042 Retired Member 2014-09-23T14:30:25Z https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38291#M28043 <HTML><HEAD></HEAD><BODY><P>Assuming the detailed logs haven't been purged I would expect the figure for total bytes to be approximately the same in both databases (for the same query) - we have 8T of log storage with 60% allocated to the detailed logs so this shouldn't be an issue on a query only looking at the last 24 hours.</P><P></P><P>i.e.&nbsp; if there is a steady 1G of web-browsing in a 15 minute period, this should get rolled up to be 4G for the 1 hour summary, 96G for the daily summary etc - or am I misunderstanding how the summary works?</P><P></P><P>Even if some of the detailed logs had been purged I would then expect the figure for total bytes to be higher from the Summary database, not lower as we are seeing.</P></BODY></HTML> Tue, 23 Sep 2014 14:52:20 GMT https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38291#M28043 LCMember2860 2014-09-23T14:52:20Z https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38292#M28044 <HTML><HEAD></HEAD><BODY><P>Hi NOC,</P><P></P><P>Can you provide us disk utilization differences on your firewall for sumVsDetailed. That will be more clear.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 23 Sep 2014 16:54:49 GMT https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38292#M28044 hshah 2014-09-23T16:54:49Z https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38293#M28045 <HTML><HEAD></HEAD><BODY><P><IMG alt="Screen Shot 2014-09-24 at 12.45.34.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/15723_Screen Shot 2014-09-24 at 12.45.34.png" style="height: 349px; width: 620px;" /></P></BODY></HTML> Wed, 24 Sep 2014 11:48:18 GMT https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38293#M28045 LCMember2860 2014-09-24T11:48:18Z https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38294#M28046 <HTML><HEAD></HEAD><BODY><P>Hi NOC,</P><P></P><P>Thanks alot for response, this explains allocation.</P><P></P><P>I would like to see data for comparison "<SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"> <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Even if some of the detailed logs had been purged I would then expect the figure for total bytes to be higher from the Summary database, not lower as we are seeing.</SPAN>"</SPAN></P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 24 Sep 2014 13:12:47 GMT https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38294#M28046 hshah 2014-09-24T13:12:47Z https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38295#M28047 <HTML><HEAD></HEAD><BODY><P>which data would you like to see?</P></BODY></HTML> Wed, 24 Sep 2014 16:12:02 GMT https://live.paloaltonetworks.com/t5/general-topics/big-disparity-between-detailed-and-summary-logs/m-p/38295#M28047 LCMember2860 2014-09-24T16:12:02Z