big disparity between Detailed and Summary logs

big disparity between Detailed and Summary logs

L2 Linker

I ran 2 Panorama reports, using the detailed and summary databases, on application usage over the last 24 hours (simple reports, just top Applications ranked by bytes, no filters).

The results were completely different, e.g. the figures for web-browsing:

Summary: 720G

Detailed: 3.3T

The detailed figure looks correct, why is the summary figure so out of line?

Obviously we have quite a lot of traffic and logs, and running reports using the detailed database takes forever; I'd prefer to use the summary database, but the figures are completely wrong.


L6 Presenter

Hi NOC,

Summary and Detailed logs are totally different parameters.

The entries under the detailed traffic logs are purged at a faster rate than the summary traffic logs. The hourly, daily, and weekly summaries are roll-ups: the 15-minute summaries are rolled up on an hourly basis, the hourly summaries on a daily basis, and the daily summaries on a weekly basis. So as we continue to roll up data, the results can become summarized even further. This can lead to greater discrepancies between summarized databases and non-summarized databases.

You can also refer to the following threads for more details.

Traffic summary database

Custom reports for Summary vs Detailed logs database

Let me know if this helps.

Regards,

Hardik Shah


Assuming the detailed logs haven't been purged, I would expect the figure for total bytes to be approximately the same in both databases (for the same query) - we have 8T of log storage with 60% allocated to the detailed logs, so this shouldn't be an issue on a query only looking at the last 24 hours.

i.e. if there is a steady 1G of web-browsing in a 15 minute period, this should get rolled up to be 4G for the 1 hour summary, 96G for the daily summary etc - or am I misunderstanding how the summary works?

Even if some of the detailed logs had been purged I would then expect the figure for total bytes to be higher from the Summary database, not lower as we are seeing.
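The roll-up chain described in the earlier reply (detailed sessions into 15-minute, hourly and daily buckets) and the 1G / 4G / 96G arithmetic above, modelled as an added example with constructed data; this is not Panorama's own code or data, and the session rows, bucket sizes and purge cut-off are assumptions chosen to match the figures in the posts:

```python
from collections import defaultdict

GB = 10**9
MB = 10**6

# Constructed detailed (per-session) rows for one 24-hour window:
# (minute offset from window start, application, bytes). Four web-browsing
# sessions of 250 MB every 15 minutes gives the steady 1 GB per quarter hour
# used in the post; a second application shows grouping by app.
DETAILED_ROWS = []
for q in range(96):                          # 96 quarter-hours in a day
    for s in range(4):
        DETAILED_ROWS.append((q * 15 + s * 3, "web-browsing", 250 * MB))
    DETAILED_ROWS.append((q * 15 + 7, "ssl", 100 * MB))

def roll_up(rows, bucket_minutes):
    """Aggregate rows into (bucket_start, application, bytes) buckets.

    The same function builds every level of the chain:
    detailed -> 15-minute -> hourly -> daily. Each level is a plain sum of
    the level below, so byte totals are conserved at every step."""
    totals = defaultdict(int)
    for minute, app, nbytes in rows:
        totals[(minute - minute % bucket_minutes, app)] += nbytes
    return [(b, a, n) for (b, a), n in sorted(totals.items())]

def totals_by_app(rows):
    """Total bytes per application over all buckets in the rows."""
    out = defaultdict(int)
    for _, app, nbytes in rows:
        out[app] += nbytes
    return dict(out)

def summary_to_detailed_ratio(summary_rows, detailed_rows, app):
    """1.0 means both databases agree for the application; the post's
    720G vs 3.3T for web-browsing is a ratio of roughly 0.22."""
    return totals_by_app(summary_rows)[app] / totals_by_app(detailed_rows)[app]

def purge_older_than(rows, keep_from_minute):
    """Model detailed-log purging: drop sessions before the retention cut-off."""
    return [r for r in rows if r[0] >= keep_from_minute]

if __name__ == "__main__":
    quarter = roll_up(DETAILED_ROWS, 15)
    hourly = roll_up(quarter, 60)
    daily = roll_up(hourly, 1440)
    print(totals_by_app(daily))              # web-browsing 96 GB, ssl 9.6 GB
    # Purging the first 12 hours of detailed logs leaves the summary higher,
    # not lower, which is the point made in the reply above.
    purged = purge_older_than(DETAILED_ROWS, 720)
    print(summary_to_detailed_ratio(daily, purged, "web-browsing"))   # 2.0
```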

Hi NOC,

Can you provide us the disk utilization differences on your firewall for sumVsDetailed? That will be clearer.

Regards,

Hardik Shah

[Attachment: Screen Shot 2014-09-24 at 12.45.34.png]

Hi NOC,

Thanks a lot for the response, this explains the allocation.

I would like to see data for comparison: "Even if some of the detailed logs had been purged I would then expect the figure for total bytes to be higher from the Summary database, not lower as we are seeing."

Regards,

Hardik Shah

Which data would you like to see?
