Statistics and Reports
Statistics is the page where you slice the DHCP event store without writing a query — pre-built tables on the Overview tab, and a full report builder on the Custom Reports tab.
Open it at /statistics. The header shows the page title, a description that changes with the tab, and (on Overview) the shared time range controls.
The page has two tabs:
- Overview — four pre-built statistics tables. The same shapes appear as widgets on the Dashboard (chapter 7), but here they have full pagination, sorting, and CSV export.
- Custom Reports — a list of saved reports, an editor to build new ones, and the results pane.
Overview Tab
Section titled “Overview Tab”Four tables laid out in a 2×2 grid, all sharing one time range.
The time range controls in the header drive every table. Picker presets, previous/next arrows, and a refresh button all behave the same as on other timed pages.
Top Active Clients
Section titled “Top Active Clients”Devices ordered by DHCP request count in the time range.
| Column | Description |
|---|---|
| MAC Address | Click the row’s external-link icon to open the device |
| Requests | Total DHCP requests from this MAC in the window |
| Transactions | Number of distinct DHCP transaction IDs |
| Vendor Class | Option 60 (DHCPv4) or Option 16 (DHCPv6) value |
| Hostname | Last-known hostname (Option 12 / FQDN option) |
Use this for “who is the chattiest device today?”. Normal lease cycles produce 1–4 requests per device per day; anything in the hundreds is worth a closer look. The external-link icon in the actions column carries you to Device Details (chapter 14) preserving the current time range.
Vendor Distribution
Section titled “Vendor Distribution”Vendor class breakdown by device count.
| Column | Description |
|---|---|
| Vendor Class | Free-text vendor identifier |
| Device Count | Number of distinct devices |
A first-look inventory tool. Spot unexpected vendors (a Linux distro on a Windows-only network, an embedded device class you didn’t authorise) and confirm policy compliance.
DHCP Pool Utilization
Section titled “DHCP Pool Utilization”Per-pool usage with full address counts.
| Column | Description |
|---|---|
| Protocol | DHCPv4 or DHCPv6 |
| Network | Pool network address |
| Subnet Mask | Subnet mask or prefix length |
| Unique IPs | Distinct IPs handed out in the window |
| Total Assignments | Total DHCP assignments observed |
| First IP / Last IP | Range bounds |
| Pool Size | Total addresses in the pool |
| Utilization % | Unique IPs / Pool Size |
The exact numerical view behind the Dashboard (chapter 7) pool-utilisation bar gauge. Use it when you need the actual counts for capacity planning or to confirm a pool exhaustion incident.
Request Frequency Distribution
Section titled “Request Frequency Distribution”A histogram of client request counts — how many devices fall into each bucket.
| Column | Description |
|---|---|
| Request Range | Bucket (1-9, 10-99, 100-999, 1000+) |
| Client Count | How many devices fall into that bucket |
Healthy DHCP fleets see most clients in the 1–9 range. A heavy tail in the 100–999 or 1000+ buckets is a flag for misconfiguration or attack.
Per-Table Controls
Section titled “Per-Table Controls”Each table has its own:
- Sort — click any column header to sort ascending/descending.
- Pagination — page size 10 / 25 / 50 / 100, defaults to 10 per table.
- CSV — download the table’s current data with column headers.
The shared Refresh button at the top of the page reloads all four tables at once.
Custom Reports Tab
Section titled “Custom Reports Tab”Save your own queries against the event store and rerun them on demand.
The tab opens to a list of all reports you have access to, organised into System and My Reports. From here you can run an existing report, create a new one, duplicate one as a starting point, or delete one you own.
Report List
Section titled “Report List”Three filters at the top:
- All Reports — every report you can see.
- System — reports shipped with the appliance. Read-only (run / duplicate only).
- My Reports — reports you created.
Each row is a card showing the report name, an optional description, the last-run timestamp, the run count, and an inline row of buttons (Run, Duplicate, Edit, Delete) that appears on hover. Clicking the card itself runs the report. The System badge is shown next to system-report names.
Running a Report
Section titled “Running a Report”Clicking a report row or its Run button opens the Report Results pane. The list is replaced by:
- The report name and description at the top, with a back arrow to return.
- Query info: query time in ms, the row count, and a “Results truncated” warning if the server cut off the result set.
- Action buttons: Bulk Actions (only on reports grouped by MAC), CSV Download, Refresh.
- The results table with sortable columns, pagination, and one row per group.
Bulk Actions Integration
Section titled “Bulk Actions Integration”When a report groups by MAC address, the results pane has a Bulk Actions button that promotes the report into a bulk action.
Clicking it:
- Converts the report’s filters into Bulk Action criteria.
- Navigates to Actions → Bulk Actions (chapter 15).
- Pre-fills Step 1 of the Bulk Action Wizard with the converted criteria.
This is the fastest way to action a list you assembled with the report builder. Pattern: write a report that finds “all unusually-active iPhone clients in the last 24h”, review the results, then promote to Bulk Actions → Monitor or Throttle.
The Bulk Actions button only appears for reports grouped by MAC because that is the only grouping that resolves to a unique device per row.
Refresh
Section titled “Refresh”Refresh re-executes the report query against the current event store. Reports are not cached — every run hits the database.
Export
Section titled “Export”The CSV download contains exactly the columns visible in the results, in the current sort order, named after the report and the date.
Report Editor
Section titled “Report Editor”The editor is a modal that builds the report definition step by step.
Open it from + New Report or by clicking Edit on one of your own reports. The form has four sections.
Basic Information
Section titled “Basic Information”- Report Name (required) — appears in the list and on dashboards.
- Description — one-line free text.
Query Configuration
Section titled “Query Configuration”Group By — what each row of the report represents.
| Option | Use |
|---|---|
| MAC Address | Per-device aggregation (unlocks Bulk Actions integration) |
| Client DUID (DHCPv6) | Per-DUID aggregation for IPv6 |
| Protocol | Two rows: DHCPv4 / DHCPv6 |
| Vendor Class | Per-vendor inventory |
| Relay IP (DHCPv4) | Per-relay traffic — useful for finding misbehaving network segments |
| DHCPv6 Relay Link | Per-IPv6-relay-link aggregation |
| DHCPv6 Relay Peer | Per-IPv6-relay-peer aggregation |
| Hostname | Per-hostname rollups |
| Matched Rule | Per-inspector-rule breakdown |
Metrics — what to compute per group. Each metric has three parts:
- Function — Count, Unique Count, Average, Maximum, Minimum.
- Field — the column to apply the function to (or “none” for Count).
- Alias — the column name in the result; also referenced by Order By.
| Function | Field option needed | Typical use |
|---|---|---|
| Count | None | ”How many requests?” |
| Unique Count | Yes | ”How many distinct IPs / hostnames / transactions?” |
| Average | A numeric field | Mean processing time, mean lease time |
| Maximum / Minimum | A numeric field | Outliers and floors |
You can add up to several metrics in one report; the + Add Metric button stacks more rows.
Order By — column alias to sort by. Defaults to request_count.
Direction — Descending (default) or Ascending.
Limit — maximum number of result rows (1 to 10,000). The server may further truncate large results and flag them.
Time Range
Section titled “Time Range”Relative (default) or Absolute:
- Relative — Last 1 hour / 6 hours / 12 hours / 24 hours / 7 days / 30 days. The window slides every time the report runs.
- Absolute — explicit From / To timestamps. The window is fixed.
Use Relative for “show me what’s happening now-ish” reports, Absolute for incident reports tied to a specific event.
Filters (Optional)
Section titled “Filters (Optional)”Free-text and numeric filters narrowing the query before grouping:
| Filter | Type |
|---|---|
| Vendor Class (contains) | Substring |
| Hostname (contains) | Substring |
| Relay IP | Exact / CIDR |
| Matched Rule (contains) | Substring |
| Min Request Count | Number |
| Max Request Count | Number |
All filters AND-combine. Leave blank to skip a filter.
Preview vs Save
Section titled “Preview vs Save”- Preview runs the report once without saving. The editor closes and the results pane opens. Use this to confirm a query is producing what you expect.
- Save Report writes the report to your saved list. It appears under My Reports.
You can later open a saved report from the list, click Edit, change the parameters, and Save again to update it in place.
Duplicating
Section titled “Duplicating”Clicking Duplicate on any report (system or user) opens the editor pre-filled with that report’s settings and a name like ”
Saved Reports vs Ad-hoc Preview
Section titled “Saved Reports vs Ad-hoc Preview”Two distinct modes:
| Mode | Saved | Re-runnable from list | Bulk-actionable | Editable later |
|---|---|---|---|---|
| Preview | No | No | No | Edit-and-save makes it a saved report |
| Saved (My Reports) | Yes | Yes | Yes (when grouped by MAC) | Yes |
| Saved (System) | Yes (read-only) | Yes | Yes (when grouped by MAC) | Duplicate first |
Use Preview for one-off questions (“how many DISCOVERs from this vendor last week?”). Save the ones you find yourself running more than once.
CSV Format
Section titled “CSV Format”The exported file has one row per result, comma-separated, with column headers matching the labels shown in the table. Strings containing commas or quotes are quoted and escaped per RFC 4180. The filename is <report-slug>-<YYYY-MM-DD>.csv. The export covers the full result set, not just the current page.
Where Reports Fit
Section titled “Where Reports Fit”The Statistics page sits between the live Dashboard (chapter 7) and the long-horizon Weekly Report (chapter 18). Use Statistics when:
- You need a tabular answer to a specific question.
- You want to pivot the data along a dimension the dashboard widgets don’t expose.
- You want to feed a list of devices into Bulk Actions (chapter 15).
- You need a repeatable, exportable report for compliance.
For pre-built KPIs and trends use the Dashboard (chapter 7). For attack-and-anomaly investigation use Device Analysis (chapter 17) and Anomaly Detection (chapter 24). For the 7-day rollup use Weekly Report (chapter 18).
Related Pages
Section titled “Related Pages”- Dashboard (chapter 7) — the live, widget-driven view of the same metrics.
- Weekly Report (chapter 18) — weekly deterministic summaries.
- Actions → Bulk Actions (chapter 15) — the target of the Bulk Actions promotion button.
- Device History (chapter 13) — per-device historical browsing complementary to Statistics’ aggregations.
- Firewall Manager (chapter 20) — set sizes that drive the pool-utilisation numbers.
Troubleshooting
Section titled “Troubleshooting”A report says “Results truncated”. The server cut the result set at a safety limit to protect the database. Tighten the time range, raise the threshold filters, or split the report by another grouping dimension.
The Bulk Actions button is missing on the results page. The report’s Group By is not MAC Address. Only MAC-grouped reports can be promoted to a Bulk Action since each row must map to a unique device.
My report runs but returns 0 rows. Check the time range first — Relative windows on a quiet network can be too short. Then check the filters — Min Request Count is a common cause: setting it above your typical traffic floor zeroes the result set.
Saved a report and now I can’t find it. Make sure the My Reports or All Reports tab is selected, not System. The list is per-user; another operator’s saved reports are not visible.
Edit is missing on a report I want to change. That report has a “System” badge — it is shipped with the appliance and is read-only. Use Duplicate to fork a writable copy.