Observability
  • Log Service
    • Overview
    • Real-time Logs
      • Real-time Logs Overview
      • Push to Tencent Cloud CLS
      • Push to AWS S3-Compatible COS
      • Push to HTTP Server
    • Offline Logs
    • Related References
      • Field description
        • L7 Access Logs
        • L4 Proxy Logs
        • Edge Function Running Logs
      • Real-Time Log Push Filter Conditions
      • Custom Log Push Fields
      • Customizing Log Output Formats
  • Data Analysis
    • Overview
    • Analytics
    • Web Security Analysis
    • Traffic Analysis
    • Cache Analysis
    • Security Analysis
      • Site Security Overview
      • Web Security Analysis
    • L4 Proxy
    • DNS Resolution
    • Related References
      • Sampling Statistics
      • How to use filter condition
      • How to Modify Query Time Range
      • How to Export Statistical Data and Reports
  • AlarmService
    • Custom Statistical Metrics

How to use filter condition

EdgeOne data analysis supports two types of filtering conditions:
1. Time filtering condition (required): View the data within the selected time range, for details, please refer to How to modify the query time range.
2. Other filtering conditions: Customize the data filtering according to the filtering options supported by each metric. The following is a detailed explanation of this part.

Supported Filtering Options

Analytics

Filter Option Name
API Parameter Name
Description
Example Value/Enumeration Value
Applicable to Metric List
Site
ZoneId
EdgeOne site.
zone-3eoo0chifzcs
All metrics
Content identifier
ZoneId
Content identifier. The feature is in beta test. If needed, contact us.
eocontent-3edho0x9tmea
L7 client traffic, L7 client bandwidth, L7 client requests
Host
domain
Client-requested Host.
When the domain is onboarded via a wildcard, the recorded value is the wildcard domain itself, not the specific subdomain.
www.example.com or *.example.com
Country/Region
country
Country or region from which the client request originates, following the ISO 3166-1 alpha-2 standard.
CN
L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
Status codes
statusCode
HTTP status code returned by EdgeOne to the client. Data for up to the last 30 days can be queried.
1XX: 1xx status codes;
2XX: 2xx status codes;
3XX: 3xx status codes;
4XX: 4xx status codes;
5XX: 5xx status codes;
Integers within the range [0,600).
L7 client traffic, L7 client bandwidth, L7 client requests
HTTP protocol
protocol
HTTP version used by client request.
HTTP/1.0
HTTP/1.1
HTTP/2.0
HTTP/3: HTTP/3.0 (QUIC protocol)
WebSocket:WebSocket Over HTTP/1.1
L7 client traffic, L7 client bandwidth, L7 client requests
ISP
isp
ISP of the client IP. Only available for data from the mainland China service region. Data for up to the last 30 days can be queried.
2: CTCC;
26: CUCC;
1046: CMCC;
3947: China Tietong;
38: China Education Network;
43: Great Wall Broadband;
0: Other ISP.
L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
Province
province
Province of the client IP. Only available for data from the mainland China service region. Data for up to the last 30 days can be queried.
Province codes refer to Mapping Table of Provinces Within the Chinese Mainland, example value: 22.
L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
TLS version
tlsVersion
TLS protocol version used by client request. Data for up to the last 30 days can be queried.
TLS1.0
TLS1.1
TLS1.2
TLS1.3
L7 client traffic, L7 client bandwidth, L7 client requests
​​URL path​​
url
The URL path of the client request, excluding query parameters. Data for up to the last 30 days can be queried.
/content or /content/test.jpg
L7 client traffic, L7 client bandwidth, L7 client requests
​​Referer​​
referer
Referer header value of client request, excluding query parameters. Data for up to the last 30 days can be queried.
http://www.example.com/
L7 client traffic, L7 client bandwidth, L7 client requests
Resource type
resourceType
Resource type of client request, i.e. the suffix of requested file. Data for up to the last 30 days can be queried.
.txt or .jpg
L7 client traffic, L7 client bandwidth, L7 client requests
Device type
deviceType
The device type of client requests, extracted and categorized from User-Agent. Data for up to the last 30 days can be queried.
TV: TV
Tablet: Tablet
Mobile: Mobile phone
Desktop: Computer
Other: Other
L7 client traffic, L7 client bandwidth, L7 client requests
Browser type
browserType
The browser type of client requests, extracted and categorized from User-Agent. Data for up to the last 30 days can be queried.
Firefox: Firefox browser;
Chrome: Chrome browser;
Safari: Safari browser;
Other: Other browser types;
Bot: search engine crawler;
MicrosoftEdge: Microsoft Edge browser;
IE: IE browser;
Opera: Opera browser;
QQBrowser: QQ browser;
LBBrowser: LB browser;
MaxthonBrowser: Maxthon browser;
SouGouBrowser: Sogou browser;
BIDUBrowser: Baidu browser;
TaoBrowser: Tao browser;
UBrowser: UC Browser.
L7 client traffic, L7 client bandwidth, L7 client requests
Client operating system
operatingSystemType
The operating system type used by client requests, extracted and categorized from User-Agent. Data for up to the last 30 days can be queried.
Linux: Linux operating system;
MacOS: MacOS operating system;
Android: Android operating system;
IOS: IOS operating system;
Windows: Windows operating system;
NetBSD:NetBSD;
ChromiumOS:ChromiumOS;
Bot: search engine crawler;
Other: other types of operating systems;
L7 client traffic, L7 client bandwidth, L7 client requests
IP version
ipVersion
IP address version of client requests. Data for up to the last 30 days can be queried.
4:IPv4;
6:IPv6.
L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
​​HTTP/HTTPS​​
socket
HTTP protocol type used by client request.
HTTP
HTTPS
L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
Cache status
cacheType
Cache status of client request.
hit: The request hits EdgeOne node cache, and resources are provided by node cache. A partial cache hit for resources is also recorded as a hit.
miss: The request does not hit EdgeOne node cache, and resources are provided by the origin server.
dynamic: The requested resources cannot be cached/unconfigured to be cached by the node, and resources are provided by the origin server.
other: Unrecognizable cache status. Requests responded by Edge Functions will be recorded as other.
L7 client traffic, L7 client bandwidth, L7 client requests
Mitigated by EdgeOne Web Security or not
mitigatedByWebSecurity
Indicates whether the request was mitigated by the EdgeOne Web Security module. Any action of "deny" or "challenge" is regarded as mitigated.
yes: Requests that have been blocked or challenged by the EdgeOne Web Security module, excluding requests that did not match any security rules and those whose final action was "Monitor" or "Allow".
no: Requests that, after passing through protection, are ultimately served by EdgeOne or the origin server.
L7 client traffic, L7 client bandwidth, L7 client requests
Client IP
clientIp
Client IP address. Data for up to the last 30 days can be queried. Supports multiple inputs when the operator is equal/not equal.
​​1.1.1.1
L7 client traffic, L7 client bandwidth, L7 client requests, L7 security policy hits
​​User-Agent​​
userAgent
User-Agent header value of client request. Data for up to the last 30 days can be queried.
Mozilla/5.0 (Windows; U; Windows NT 5.2; sk; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
L7 client traffic, L7 client bandwidth, L7 client requests
Layer 4 proxy forwarding rules
ruleId
Layer 4 proxy instance forwarding rule.
rule-3ddvs7nn3xap
Layer 4 proxy instance
proxyId
Layer 4 proxy instance.
sid-3ddun6tk0l9k
Edge Function name
-
Unique identifier of the EdgeOne Edge Function instance.
test1-zone-3e25s02xxbxe-1257620286
Edge Function execution result
-
Edge Function execution result.
Successed.
Failed.
DNS return code
-
DNS response status code.
NOError: No error, successful response.
NXDomain: Non-existent record.
NotImp: Unrealized, the DNS server does not support the requested query type. For supported query types, see DNS record type introduction.
Refused: Deny execution. The DNS server denies the specified operation due to policy.
DNS resolution count
DNS record
-
DNS record type.
DNS resolution count
DNS region
-
Continent from which the client request originates.
Asia
Europe
Africa
Oceania
Americas
DNS resolution count
Applied action
-
The action taken on the request by the Web Security rule.
Monitor
L7 security policy hits
Rule ID
-
Web Security rule ID that the request matched.
2186065971
L7 security policy hits
DDoS protection instance
-
DDoS protection instance.

EdgeOne Shield space
-
EdgeOne Shield space.


Web Security Analysis

Supports filtering based on request features, rule features, various detailed Web protection rules, and Bot management policy features. The specific filtering options are described as follows:
Site: EdgeOne site.
Client IP: View only the request data from the specified client IP. Supports entering multiple values separated by carriage returns.
Client IP Region: The client IP comes from the specified country or region.
Client IP (prioritizing XFF header): View only the request data from the specified client IP (prioritizing XFF header). Supports entering multiple values separated by carriage returns.
Client IP Region (prioritizing XFF header): The client IP (prioritizing XFF header) comes from the specified country or region.
User-Agent: The User-Agent header information carried in the client request. Supports entering multiple values separated by carriage returns.
Request URL: The URL in the client request (excluding Host and only including the request path and query parameters). Supports entering multiple values separated by carriage returns.
Hostname: The host of the client request. Supports entering multiple values separated by carriage returns.
Referer: The referer carried in the client request. Supports entering multiple values separated by carriage returns.
Applied Action: The final disposal result of the request by the Web protection module. For details, see Action.The disposition result "Unknown" signifies that no predefined disposal methods have been executed. It serves solely as a fallback classification for data statistical processes and can be disregarded in routine analysis.
Request Path (Path): The URL path of the client request (HTTP request path, excluding Host and query parameters). Supports entering multiple values separated by carriage returns.
Request JA3 Fingerprint: JA3 fingerprint calculated based on the relevant parameters for the TLS handshake request of the client. Only supports the data of the domain names with Bot Management enabled.
Request Method (Method): The HTTP method of the client request.
Request ID: Unique identifier of a request, that is, the Request ID of the default block page, {{ EO_REQ_ID }} of the custom response page, EO-LOG-UUID in the EdgeOne default response header, and RequestID in the L7 access logs.
Rule Category: View only the request data that hits the specified category of Web protection rules.
Rule ID: View only the request data that hits the specified Web protection rule ID.

Relationship Between Multiple Filtering Conditions

The relationship between multiple filtering conditions is "And", and the relationship between multiple values within the same filtering condition is "Or".
For example, adding filtering conditions Country/Region=Singapore; Thailand and Status Code=404 means querying data that meets the access from Singapore or Thailand clients and the edge response status code is 404.

Supported Operators

Operator
Description
Equal
Query data with the filter item equal to any specified value
Does not equal
Query data with the filter item not equal to any specified value
Contain
Query data with a field such as URL, Referer, and resource type containing a specified string (for example, query data with URL containing /example)
Does not contain
Query data with a field such as URL, Referer, and resource type not containing a specified string (for example, query data with URL not containing /example)
Starts with
Query data with a field such as URL, Referer, and resource type starting with a specified string
Does not start with
Query data with a field such as URL, Referer, and resource type not starting with a specified string
Ends with
Query data with a field such as URL, Referer, and resource type ending with a specified string
Does not end with
Query data with a field such as URL, Referer, and resource type not ending with a specified string