Hello,
I had the one more unpleasant surprise after upgrading the FortiAnalyzer to 7.4.5: several datasets that worked perfectly in 7.0.x stopped working with strange syntax errors, not being valid anymore. Also other datasets which were ok before, now need SQL code adjustments because hcahe requirements are very strict. Also, apparently only temporary tables are permitted, which is a change that is impossible to understand for me, and I had quite a lot of datasets that prepared tables on disk which were used by subsequent reports refering such persistent tables. No more permitted, but why?
This is an example of dataset which is no loger valid. The goal is to drill down into the DNS queries, listing the domains and query counts per each hour interval.
DROP table if exists time_intervals;
CREATE TEMP TABLE time_intervals AS
SELECT generate_series(
extract(epoch FROM (now() - interval '7 days'))::bigint,
extract(epoch FROM now())::bigint,
3600
) AS interval_start;
select cnt,from_itime(ts) as ts,dom,cnt from (
SELECT
t.interval_start as ts,
q.qname as dom,
COUNT(r.*) AS cnt
FROM
time_intervals t
LEFT JOIN
$log r ON r.dtime >= t.interval_start
AND r.dtime < t.interval_start + 3600
LEFT JOIN
(SELECT DISTINCT qname FROM $log) q ON r.qname = q.qname
GROUP BY
t.interval_start, q.qname
ORDER BY
t.interval_start, q.qname) tt where cnt>100 group by ts,dom,cnt order by ts asc, cnt desc;
And the report works in 7.0.7.
Can you please share the dataset name?
Is it a default dataset provided by the system, or is it a custom one you created?
It appears to be custom. Could you clarify the specific issue or if possible provide a screenshot of report that you noticed in version 7.4.5?
Hello Rosa Technocrat, and thank you for your interest in this problem.
The first error when I validate the exact same SQL code is "ERROR: 'group by' or 'order by' clause is expected in hcache."
Then I tried the following code
DROP table if exists time_intervals;
CREATE TEMP TABLE time_intervals AS
SELECT generate_series(
extract(epoch FROM (now() - interval '7 days'))::bigint,
extract(epoch FROM now())::bigint,
3600
) AS interval_start;
select cnt,from_itime(ts) as ts,dom,cnt from (
SELECT
t.interval_start as ts,
q.qname as dom,
COUNT(r.*) AS cnt
FROM
time_intervals t where $filter group by ts,dom order by ts asc
LEFT JOIN
$log r ON r.dtime >= t.interval_start
AND r.dtime < t.interval_start + 3600
where $filter
group by r.dtime order by r.dtime
LEFT JOIN
###(SELECT qname FROM $log where $filter group by qname order by qname)### q ON r.qname = q.qname
GROUP BY
t.interval_start, q.qname order by t.interval_start
ORDER BY
t.interval_start, q.qname) tt where $filter and cnt>100 group by ts,dom,cnt order by ts asc, cnt desc;
For this I get Validation=OK but syntax error on LEFT JOIN.
With the following SQL code I have VALIDATION OK, the dataset runs fine both in the GUI test run and from CLI exec sql-query-dataset, but I still have 2 problems: 1) impossible to build a DrillDown-type Chart because the Aggregation Column offers an empty column list, and 2) even with a normal Table-type chart the final report is empty.
DROP table if exists time_intervals;
CREATE TEMP TABLE time_intervals AS
SELECT generate_series(
extract(epoch FROM (now() - interval '7 days'))::bigint,
extract(epoch FROM now())::bigint,
3600
) AS interval_start;
DROP table if exists queries;
CREATE TEMP TABLE queries AS
SELECT dtime as dt, qname as dom from $log where $filter
group by dt,dom order by dt;
select from_dtime(ts) as ts,dom,scnt from (
select ts,dom,sum(cnt) as scnt from (
select ts,dt,dif,dom,count(*) as cnt from ###(
select ins.tis as ts,q.dt as dt,q.dt-ins.tis as dif,q.dom as dom from queries q, (select interval_start as tis from time_intervals) ins where tis<=q.dt and q.dt<=tis+3600
group by ins.tis,q.dt,dif,q.dom order by ins.tis,q.dt asc)### zzz
group by ts,dt,dif,dom order by ts,dt,dif) zzzz
group by ts,dom,cnt order by ts asc,cnt desc ) zzzzz where scnt>1000 order by ts asc,scnt desc
In the meantime, something deteriorated, because even if the code is unchanged, I get validation error
MERGE: ERROR: relation "queries" does not exist LINE 2: ...,q.dt as dt,q.dt-ins.tis as dif,q.dom as dom from queries q,... ^.
Still, the sql-query-dataset runs fine:
ts | dom | scnt
---------------------+-------------------------------+------
2024-11-27 16:27:13 | cdn.samsungcloudsolution.com | 2989
2024-11-27 16:27:13 | pool.ntp.org | 2156
2024-11-27 16:27:13 | time.samsungcloudsolution.com | 1398
2024-11-27 16:27:13 | connectivitycheck.gstatic.com | 1305
2024-11-27 17:27:13 | cdn.samsungcloudsolution.com | 2927
2024-11-27 17:27:13 | pool.ntp.org | 2141
2024-11-27 17:27:13 | time.samsungcloudsolution.com | 1429
2024-11-27 18:27:13 | cdn.samsungcloudsolution.com | 2890
2024-11-27 18:27:13 | pool.ntp.org | 2203
2024-11-27 18:27:13 | time.samsungcloudsolution.com | 1413
2024-11-27 19:27:13 | cdn.samsungcloudsolution.com | 2991
2024-11-27 19:27:13 | pool.ntp.org | 2182
2024-11-27 19:27:13 | time.samsungcloudsolution.com | 1456
2024-11-27 20:27:13 | cdn.samsungcloudsolution.com | 2695
2024-11-27 20:27:13 | pool.ntp.org | 1804
2024-11-27 20:27:13 | time.samsungcloudsolution.com | 1266
2024-11-27 21:27:13 | cdn.samsungcloudsolution.com | 2300
2024-11-27 21:27:13 | pool.ntp.org | 1542
2024-11-27 21:27:13 | time.samsungcloudsolution.com | 1051
2024-11-27 22:27:13 | cdn.samsungcloudsolution.com | 2484
2024-11-27 22:27:13 | pool.ntp.org | 1603
2024-11-27 22:27:13 | time.samsungcloudsolution.com | 1071
2024-11-27 23:27:13 | cdn.samsungcloudsolution.com | 2477
2024-11-27 23:27:13 | pool.ntp.org | 1531
2024-11-27 23:27:13 | time.samsungcloudsolution.com | 1040
2024-11-28 00:27:13 | cdn.samsungcloudsolution.com | 2437
2024-11-28 00:27:13 | pool.ntp.org | 1533
2024-11-28 00:27:13 | time.samsungcloudsolution.com | 1062
2024-11-28 01:27:13 | cdn.samsungcloudsolution.com | 2478
2024-11-28 01:27:13 | pool.ntp.org | 1591
2024-11-28 01:27:13 | time.samsungcloudsolution.com | 1081
2024-11-28 02:27:13 | cdn.samsungcloudsolution.com | 2411
2024-11-28 02:27:13 | pool.ntp.org | 1574
2024-11-28 02:27:13 | time.samsungcloudsolution.com | 1070
In the meantime something deteriorated inside the box, because I now receive validation error
MERGE: ERROR: relation "queries" does not exist LINE 2: ...,q.dt as dt,q.dt-ins.tis as dif,q.dom as dom from queries q,... ^
but the dataset still runs fine:
ts | dom | scnt
---------------------+-------------------------------+------
2024-11-27 16:27:13 | cdn.samsungcloudsolution.com | 2989
2024-11-27 16:27:13 | pool.ntp.org | 2156
2024-11-27 16:27:13 | time.samsungcloudsolution.com | 1398
2024-11-27 16:27:13 | connectivitycheck.gstatic.com | 1305
2024-11-27 17:27:13 | cdn.samsungcloudsolution.com | 2927
2024-11-27 17:27:13 | pool.ntp.org | 2141
2024-11-27 17:27:13 | time.samsungcloudsolution.com | 1429
2024-11-27 18:27:13 | cdn.samsungcloudsolution.com | 2890
2024-11-27 18:27:13 | pool.ntp.org | 2203
2024-11-27 18:27:13 | time.samsungcloudsolution.com | 1413
2024-11-27 19:27:13 | cdn.samsungcloudsolution.com | 2991
2024-11-27 19:27:13 | pool.ntp.org | 2182
2024-11-27 19:27:13 | time.samsungcloudsolution.com | 1456
2024-11-27 20:27:13 | cdn.samsungcloudsolution.com | 2695
2024-11-27 20:27:13 | pool.ntp.org | 1804
2024-11-27 20:27:13 | time.samsungcloudsolution.com | 1266
2024-11-27 21:27:13 | cdn.samsungcloudsolution.com | 2300
2024-11-27 21:27:13 | pool.ntp.org | 1542
2024-11-27 21:27:13 | time.samsungcloudsolution.com | 1051
2024-11-27 22:27:13 | cdn.samsungcloudsolution.com | 2484
2024-11-27 22:27:13 | pool.ntp.org | 1603
2024-11-27 22:27:13 | time.samsungcloudsolution.com | 1071
2024-11-27 23:27:13 | cdn.samsungcloudsolution.com | 2477
2024-11-27 23:27:13 | pool.ntp.org | 1531
2024-11-27 23:27:13 | time.samsungcloudsolution.com | 1040
2024-11-28 00:27:13 | cdn.samsungcloudsolution.com | 2437
2024-11-28 00:27:13 | pool.ntp.org | 1533
2024-11-28 00:27:13 | time.samsungcloudsolution.com | 1062
2024-11-28 01:27:13 | cdn.samsungcloudsolution.com | 2478
2024-11-28 01:27:13 | pool.ntp.org | 1591
2024-11-28 01:27:13 | time.samsungcloudsolution.com | 1081
2024-11-28 02:27:13 | cdn.samsungcloudsolution.com | 2411
2024-11-28 02:27:13 | pool.ntp.org | 1574
2024-11-28 02:27:13 | time.samsungcloudsolution.com | 1070
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1748 | |
1114 | |
765 | |
447 | |
241 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.