I came across a post (https://forum.fortinet.com/tm.aspx?m=127760) regarding a dataset for a report that is extremely close to what I'm looking for, but I haven't been able to change it in such a way as to meet the requirements from my management.   Management is asking for (a) the top 25 users by session, then (b) for each user their top 25 destinations by session.  Would anyone be able to help change the output's category summary into a detail summary of destinations, or is that more complex than I realize?  The dataset from the thread is below for convenience, including the replacement further down the source thread:

select user_src, catdesc, sum(requests) as requests from (###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, catdesc, count(*) as requests from $log-traffic where $filter and logid_to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and catdesc is not null and utmaction!='blocked' group by user_src, catdesc order by requests desc)### union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, catdesc, count(*) as requests from $log-webfilter where $filter and (eventtype is null or logver>=52) and nullifna(catdesc) is not null and action!='blocked' group by user_src, catdesc order by requests desc)###) t group by user_src, catdesc order by requests desc