Need help creating a custom dataset for Fortianalyzer
FYI, I'm not a coder or SQL expert by any means...
Here is my ChatGPT-generated FortiAnalyzer SQL query:
-- Main query: Count occurrences of srcip, dstport, and policyid
SELECT
    srcip,
    dstport,
    policyid,
    COUNT(*) AS event_count
FROM
    $log -- Replace with the appropriate log source
WHERE
    srcip IS NOT NULL
    AND dstport IS NOT NULL
    AND policyid IS NOT NULL
GROUP BY
    srcip, dstport, policyid
ORDER BY
    policyid, srcip; -- Order by policyid and srcip

-- Summary query: Unique dstports per policyid
SELECT
    CONCAT('PolicyID ', CAST(policyid AS STRING), ' unique dstports') AS srcip,
    STRING_AGG(DISTINCT dstport, ', ') AS unique_dstports,
    policyid,
    NULL AS event_count
FROM
    $log
WHERE
    srcip IS NOT NULL
    AND dstport IS NOT NULL
    AND policyid IS NOT NULL
GROUP BY
    policyid
ORDER BY
    policyid;
When I paste this code in the SQL query dataset window, I get this error and don't know how to fix it.
Validate Result
ERROR: 'group by' or 'order by' clause is expected in hcache.
Ultimately, I am trying to do a report that will output a list of policy IDs and the unique destination ports being used on each policy, in order to clamp down on the service ports required for each policy.
Labels: FortiAnalyzer
Have you checked this doc: https://docs.fortinet.com/document/fortianalyzer/7.6.0/administration-guide/495456/creating-datasets
I don't need a link to a document which I already read. As I stated, I'm trying to get the SQL to give me the output as described.
You need to add to GROUP BY every field from SELECT which is not part of an aggregate function like count(). In your example, the GROUP BY of the summary query part is missing srcip, unique_dstports and event_count as well.
Hi,
It seems that you are trying to create a report for policy hit count including the dstport.
You can refer to the article below and maybe modify it to add dstport as well.
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Policy-Hit-Count-Report/ta-p/316140
SELECT
    policyid,
    dstport,
    count(*) AS policyhit
FROM
    $log
WHERE
    $filter
GROUP BY
    policyid, dstport
ORDER BY
    policyhit desc
But for the error you are receiving, @JudiFulo has explained how to fix it.
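Putting the two replies together, here is an added example of a single dataset query that returns the output the original post asked for: one row per policy ID with the distinct destination ports seen on it, plus a hit count. This is not code from the thread or from Fortinet. It assumes FortiAnalyzer's PostgreSQL-based dataset SQL, the `$log` and `$filter` macros used in the reply above, and that the dataset field takes one SELECT statement, so the two statements from the original post are folded into one. `dstport` is cast to `text` because `string_agg` aggregates text, and every column that is not inside an aggregate (`policyid`) appears in GROUP BY, which is the rule described in the earlier reply.

```sql
-- Added example, not from the thread or from Fortinet.
-- Assumes FortiAnalyzer dataset SQL (PostgreSQL dialect) with the $log / $filter macros.
-- One row per policy: the distinct destination ports it carried, how many distinct
-- ports that is, and the total hit count. The port list is what you compare against
-- the services currently allowed on the policy when tightening it.
SELECT
    policyid,
    string_agg(DISTINCT CAST(dstport AS text), ', ') AS unique_dstports,
    COUNT(DISTINCT dstport) AS port_count,
    COUNT(*) AS policyhit
FROM
    $log
WHERE
    $filter
    AND policyid IS NOT NULL
    AND dstport IS NOT NULL
GROUP BY
    policyid
ORDER BY
    policyid
```

Only `policyid` is listed in GROUP BY because the other three selected columns are aggregates; adding a non-aggregated column such as `srcip` to SELECT would require adding it to GROUP BY too, which would also change the result to one row per policy and source address. Run the dataset over a representative time range (the `$filter` macro takes the report's device and time filters) before using the port list to narrow a policy, since a short window can miss legitimate but infrequent services.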
