Observability

Log Service
- Overview
- Real-time Logs
  - Real-time Logs Overview
  - Push to Tencent Cloud CLS
  - Push to AWS S3-Compatible COS
  - Push to HTTP Server
- Offline Logs
- Related References
  - Field description
    - L7 Access Logs
    - L4 Proxy Logs
  - Real-Time Log Push Filter Conditions
  - Custom Log Push Fields
Data Analysis
- Overview
- Traffic Analysis
- Cache Analysis
- Security Analysis
  - Site Security Overview
  - Web Security Analysis
- L4 Proxy
- DNS Resolution
- Related References
  - How to use filter condition
  - How to Modify Query Time Range
  - How to Export Statistical Data and Reports

How to use filter condition

EdgeOne data analysis supports two types of filtering conditions:
1. Time filtering condition (required): View the data within the selected time range, for details, please refer to How to modify the query time range.
2. Other filtering conditions: Customize the data filtering according to the filtering options supported by each page. The following is a detailed explanation of this part.
Supported Operators
Operator
Description
Equal
Query data with the filter item equal to any specified value
Does not equal
Query data with the filter item not equal to any specified value
Contain
Query data with a field such as URL, Referer, and resource type containing a specified string (for example, query    data with URL containing /example  )
Does not contain
Query data with a field such as URL, Referer, and resource type not containing a specified string (for example, query     data with URL not containing /example  )
Starts with
Query data with a field such as URL, Referer, and resource type starting with a specified string
Does not start with
Query data with a field such as URL, Referer, and resource type not starting with a specified string
Ends with
Query data with a field such as URL, Referer, and resource type ending with a specified string
Does not end with
Query data with a field such as URL, Referer, and resource type not ending with a specified string
Relationship between multiple filtering conditions
The relationship between multiple filtering conditions is "And", and the relationship between multiple values within the same filtering condition is "Or".
For example, adding filtering conditions Country/Region=Singapore; Thailand and Status Code=404 means querying data that meets the access from Singapore or Thailand clients and the edge response status code is 404.
Supported Filtering Options
Metric Analysis
Site:  EdgeOne site.
Host:  The host of the client request.
Country/Region:  The country or region where the client request comes from.
Status Codes:  The status codes used by EdgeOne for responding to the client.
HTTP Protocol Version:  The HTTP version used by the client request. Values include:
HTTP/1.0
HTTP/1.1
HTTP/2.0
HTTP/3.0 (QUIC protocol)
WebSocket Over HTTP/1.1 (WebSocket protocol initiated by HTTP/1.1)
ISP:  The ISP where the client request comes from. Supports only the data of sites in the Chinese mainland availability zone.
Province : The province where the client request comes from. Supports only the data of sites in the Chinese mainland availability zone.
TLS Version:  The TLS protocol version used by the client request. Values include:
TLS 1.0
TLS 1.1
TLS 1.2
TLS 1.3
URL:  The URL path (path) of the client request. Supports entering multiple values separated by semicolons, such as /example1;/example2.
Referer:  The referer of the client request. Supports entering multiple values separated by semicolons.
Resource Type:  The resource type requested by the client. Supports entering multiple values separated by semicolons, such as .txt;.jpg.
Device Type:  The device type used by the client request, parsed from the User-Agent in the HTTP request header. Values include:
TV: televisions
Tablet: tablet computer
Mobile: mobile phone
Desktop: computer
Other: others
Empty: empty
Browser Type:  The browser type used by the client request. Values include:
Firefox
Chrome
Safari
Opera
QQBrowser
LBBrowser
MaxthonBrowser
SouGouBrowser
BIDUBrowser
TaoBrowser
UBrowser
IE
Microsoft Edge
Bot
Empty
Other
System Type:  The operating system type used by the client request. Values include:
Empty
Android
IOS
MacOS
Linux
Windows
ChromiumOS
NetBSD
Bot
Other
IP Version:  The IP address version used by the client request. Values include:
IPv4
IPv6
HTTP/HTTPS:  The HTTP protocol type used by the client request. Values include:
HTTP
HTTPS
Cache Status:  The cache status for the client request. Values include:
hit: The request hits the EdgeOne node cache, and the resource is provided by the node cache. Resources that partially hit the cache are also recorded as hit.
miss: The request does not hit the EdgeOne node cache, and the resource is provided by the origin server.
dynamic: The resource requested cannot be cached or is not configured to be cached by the node. The resource is provided by the origin server.
other: Unrecognizable cache status. Requests responded to by edge functions are recorded as other.
L4 Proxy Forwarding Rules:  The specific forwarding rules for the L4 proxy instance.
L4 Proxy Instance:  The name of the L4 proxy instance.
DNS Return Code:  The DNS resolution response status code. Values include:
NOError: Successful response with no errors.
NXDomain: Non-existent record.
NotImp: Not implemented. The DNS server does not support the request query type. For implemented request query types, see Record Type.
Refused: Refused. The DNS server refuses to perform the specified operation due to policies.
DNS Record:  The DNS record type. For values, see Record Type.
DNS Region:  The continent where the client request comes from. Currently supports the following options:
Asia
Europe
Africa
Oceania
America
Applied Action:  View only the requests that hit the security rules and apply the specified action (excluding release or exception rules). Values include:
Monitor
Rule ID:  View only the request data that hits the specified Web protection rule ID.
Request Path:  View only the request data for accessing the specified request path.
Client IP: View only the request data from the specified client IP. Supports entering multiple values separated by carriage returns when the operator is Equal or Does not equal.
Anti-DDoS Instance:  View the data of the specified Anti-DDoS (Enterprise) instance.
EdgeOne Shield Space:  View the data of the specified EdgeOne Shield space.
Note
When the metrics L7 Access Traffic and L7 Access Requests are selected, the filtering options including L4 Proxy Forwarding Rules, L4 Proxy Instance, DNS Return Code, DNS Record, DNS Region, Applied Action, Rule ID,Anti-DDoS Instance, and EdgeOne Shield Space are not supported.
When the metric L7 Access Bandwidth is selected, only the filtering options including Country/Region, Host, HTTP/HTTPS, and HTTP Protocol Version are supported.
Web Security Analysis
Supports filtering based on request features, rule features, various detailed Web protection rules, and Bot management policy features. The specific filtering options are described as follows:
Site:  EdgeOne site.
Client IP:  View only the request data from the specified client IP. Supports entering multiple values separated by carriage returns.
Client IP Region:  The client IP comes from the specified country or region.
Client IP (prioritizing XFF header):  View only the request data from the specified client IP (prioritizing XFF header). Supports entering multiple values separated by carriage returns.
Client IP Region (prioritizing XFF header):  The client IP (prioritizing XFF header) comes from the specified country or region.
User-Agent:  The User-Agent header information carried in the client request. Supports entering multiple values separated by carriage returns.
Request URL:  The URL in the client request (excluding Host and only including the request path and query parameters). Supports entering multiple values separated by carriage returns.
Hostname:  The host of the client request. Supports entering multiple values separated by carriage returns.
Referer:  The referer carried in the client request. Supports entering multiple values separated by carriage returns.
Applied Action:  The final disposal result of the request by the Web protection module. For details, see Action.
Request Path (Path):  The URL path of the client request (HTTP request path, excluding Host and query parameters). Supports entering multiple values separated by carriage returns.
Request JA3 Fingerprint:  JA3 fingerprint calculated based on the relevant parameters for the TLS handshake request of the client. Only supports the data of the domain names with Bot Management enabled.
Request Method (Method):  The HTTP method of the client request.
Request ID:  Unique identifier of a request, that is, the  Request ID  of the default block page,  {{ EO_REQ_ID }}  of the custom response page,  EO-LOG-UUID  in the EdgeOne default response header , and  RequestID  in the L7 access logs.
Rule Category:  View only the request data that hits the specified category of Web protection rules.
Rule ID:  View only the request data that hits the specified Web protection rule ID.

Supported Operators
Relationship between multiple filtering conditions
Supported Filtering Options
- Metric Analysis
- Web Security Analysis

Operator	Description
Equal	Query data with the filter item equal to any specified value
Does not equal	Query data with the filter item not equal to any specified value
Contain	Query data with a field such as URL, Referer, and resource type containing a specified string (for example, query `data with URL containing /example` )
Does not contain	Query data with a field such as URL, Referer, and resource type not containing a specified string (for example, query `data with URL not containing /example` )
Starts with	Query data with a field such as URL, Referer, and resource type starting with a specified string
Does not start with	Query data with a field such as URL, Referer, and resource type not starting with a specified string
Ends with	Query data with a field such as URL, Referer, and resource type ending with a specified string
Does not end with	Query data with a field such as URL, Referer, and resource type not ending with a specified string