Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Daniel_Taney
Advisor

Custom Report In R80.10 SmartEvent

I am trying to create a customized version of the canned "Threat Prevention" report that focuses only on a specific network group. However, I'm getting an odd result as soon as I try to add the "Source" filter to the "Global" Filter.

To accomplish this, I cloned the supplied "Threat Prevention" report and gave it a different name. Then, I edited the report, and began to modify the Global Filters to drill down on the specific traffic I wanted. The first filter limits the traffic to a single Gateway Cluster based on "Origin". This filter works as expected. With just this filter applied, I still see data appearing in the report.

Then, I try to add on another filter setting "Source" equals "<name of network group object>". As soon as I add this filter and apply, all the data from the report vanishes and is replace with "Query Failed". Oddly, I am able to remove the "Source" filter and instead add "src:<name of network group object>" to the search filter bar at the top and that works. I see exactly the data I want filtered in the report. 

However, we need this report scheduled and run daily. So, I don't want to have to rely on manual generation of this report. Does anyone have any idea what I might be doing wrong? We presently have this same report running in Smart Event NGSE using the same filter logic. Any assistance is greatly appreciated!

R80 CCSA / CCSE
5 Replies
PhoneBoy
Admin
Admin

I'm inclined to think this is a bug and you should open a TAC case.

Contact Support | Check Point Software 

0 Kudos
Kfir_Dadosh
Collaborator

Indeed seems like a bug.

You can try to work around it, by selecting "custom filter" in the filter field, and use the same query syntax as you would in the search bar, i.e. src:<group name>

Daniel_Taney
Advisor

Thanks for the feedback. I'll give this a shot today and will likely open a case with TAC regardless.

R80 CCSA / CCSE
0 Kudos
Kaland
Contributor

Hi, 

Did you open a TAC case on this issue? And if, did you get a answer for this? I'm experiencing the same thing on NGSE edition, and I can't upgrade to R80.10 because of a MultiDomain log limitation. 

When trying to add source field to any of my scheduled reports, no data is visible in the report. Data is visible in report preview, just not in the scheduled report 

0 Kudos
Daniel_Taney
Advisor

The short answer is that I never did open a TAC case for the issue. I just used the workaround suggested by creating the custom filter. 

R80 CCSA / CCSE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events