Observability

Log Service
- Overview
- Real-time Logs
  - Real-time Logs Overview
  - Push to Tencent Cloud CLS
  - Push to AWS S3-Compatible COS
  - Push to HTTP Server
- Offline Logs
- Related References
  - Field description
    - L7 Access Logs
    - L4 Proxy Logs
    - Edge Function Running Logs
  - Real-Time Log Push Filter Conditions
  - Custom Log Push Fields
  - Customizing Log Output Formats
Data Analysis
- Overview
- Analytics
- Web Security Analysis
- Traffic Analysis
- Cache Analysis
- Security Analysis
  - Site Security Overview
  - Web Security Analysis
- L4 Proxy
- DNS Resolution
- Related References
  - Sampling Statistics
  - How to use filter condition
  - How to Modify Query Time Range
  - How to Export Statistical Data and Reports
AlarmService
- Custom Statistical Metrics

How to use filter condition

EdgeOne data analysis supports two types of filtering conditions:
1. Time filtering condition (required): View the data within the selected time range, for details, please refer to How to modify the query time range.
2. Other filtering conditions: Customize the data filtering according to the filtering options supported by each metric. The following is a detailed explanation of this part.
Supported Filtering Options
Analytics
Filter Option Name
API Parameter Name
Description
Example Value/Enumeration Value
Applicable to Metric List
Site
ZoneId
EdgeOne site.
zone-3eoo0chifzcs
All metrics
Content identifier
ZoneId
﻿Content identifier. The feature is in beta test. If needed, contact us.
eocontent-3edho0x9tmea
L7 client traffic, L7 client bandwidth, L7 client requests
Host
domain
Client-requested Host.
When the domain is onboarded via a wildcard, the recorded value is the wildcard domain itself, not the specific subdomain.
www.example.com or *.example.com
﻿Domain services relevant metrics, Edge function relevant metrics﻿
Country/Region
country
Country or region from which the client request originates, following the ISO 3166-1 alpha-2 standard.
CN
L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
Status codes
statusCode
HTTP status code returned by EdgeOne to the client. Data for up to the last 30 days can be queried.
1XX: 1xx status codes;
2XX: 2xx status codes;
3XX: 3xx status codes;
4XX: 4xx status codes;
5XX: 5xx status codes;
Integers within the range [0,600).
L7 client traffic, L7 client bandwidth, L7 client requests
HTTP protocol
protocol
HTTP version used by client request.
HTTP/1.0
HTTP/1.1
HTTP/2.0
HTTP/3: HTTP/3.0 (QUIC protocol)
WebSocket:WebSocket Over HTTP/1.1
L7 client traffic, L7 client bandwidth, L7 client requests
ISP
isp
ISP of the client IP. Only available for data from the mainland China service region. Data for up to the last 30 days can be queried.
2: CTCC;
26: CUCC;
1046: CMCC;
3947: China Tietong;
38: China Education Network;
43: Great Wall Broadband;
0: Other ISP.
L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
Province
province
Province of the client IP. Only available for data from the mainland China service region. Data for up to the last 30 days can be queried.
Province codes refer to Mapping Table of Provinces Within the Chinese Mainland, example value: 22.
L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
TLS version
tlsVersion
TLS protocol version used by client request. Data for up to the last 30 days can be queried.
TLS1.0
TLS1.1
TLS1.2
TLS1.3
L7 client traffic, L7 client bandwidth, L7 client requests
​​URL path​​
url
The URL path of the client request, excluding query parameters. Data for up to the last 30 days can be queried.
/content or /content/test.jpg
L7 client traffic, L7 client bandwidth, L7 client requests
​​Referer​​
referer
Referer header value of client request, excluding query parameters. Data for up to the last 30 days can be queried.
http://www.example.com/
L7 client traffic, L7 client bandwidth, L7 client requests
Resource type
resourceType
Resource type of client request, i.e. the suffix of requested file. Data for up to the last 30 days can be queried.
 .txt or .jpg
L7 client traffic, L7 client bandwidth, L7 client requests
Device type
deviceType
The device type of client requests, extracted and categorized from User-Agent. Data for up to the last 30 days can be queried.
TV: TV
Tablet: Tablet
Mobile: Mobile phone
Desktop: Computer
Other: Other
L7 client traffic, L7 client bandwidth, L7 client requests
Browser type
browserType
The browser type of client requests, extracted and categorized from User-Agent. Data for up to the last 30 days can be queried.
Firefox: Firefox browser;
Chrome: Chrome browser;
Safari: Safari browser;
Other: Other browser types;
Bot: search engine crawler;
MicrosoftEdge: Microsoft Edge browser;
IE: IE browser;
Opera: Opera browser;
QQBrowser: QQ browser;
LBBrowser: LB browser;
MaxthonBrowser: Maxthon browser;
SouGouBrowser: Sogou browser;
BIDUBrowser: Baidu browser;
TaoBrowser: Tao browser;
UBrowser: UC Browser.
L7 client traffic, L7 client bandwidth, L7 client requests
Client operating system
operatingSystemType
The operating system type used by client requests, extracted and categorized from User-Agent. Data for up to the last 30 days can be queried.
Linux: Linux operating system;
MacOS: MacOS operating system;
Android: Android operating system;
IOS: IOS operating system;
Windows: Windows operating system;
NetBSD:NetBSD;
ChromiumOS:ChromiumOS;
Bot: search engine crawler;
Other: other types of operating systems;
L7 client traffic, L7 client bandwidth, L7 client requests
IP version
ipVersion
IP address version of client requests. Data for up to the last 30 days can be queried.
4:IPv4;
6:IPv6.
L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
​​HTTP/HTTPS​​
socket
HTTP protocol type used by client request.
HTTP
HTTPS
L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
Cache status
cacheType
Cache status of client request.
hit: The request hits EdgeOne node cache, and resources are provided by node cache. A partial cache hit for resources is also recorded as a hit.
miss: The request does not hit EdgeOne node cache, and resources are provided by the origin server.
dynamic: The requested resources cannot be cached/unconfigured to be cached by the node, and resources are provided by the origin server.
other: Unrecognizable cache status. Requests responded by Edge Functions will be recorded as other.
L7 client traffic, L7 client bandwidth, L7 client requests
Mitigated by EdgeOne Web Security or not
mitigatedByWebSecurity
Indicates whether the request was mitigated by the EdgeOne Web Security module. Any action of "deny" or "challenge" is regarded as mitigated.
yes: Requests that have been blocked or challenged by the EdgeOne Web Security module, excluding requests that did not match any security rules and those whose final action was "Monitor" or "Allow".
no: Requests that, after passing through protection, are ultimately served by EdgeOne or the origin server.
L7 client traffic, L7 client bandwidth, L7 client requests
Client IP
clientIp
Client IP address. Data for up to the last 30 days can be queried. Supports multiple inputs when the operator is equal/not equal.
​​1.1.1.1
L7 client traffic, L7 client bandwidth, L7 client requests, L7 security policy hits
​​User-Agent​​
userAgent
User-Agent header value of client request. Data for up to the last 30 days can be queried.
Mozilla/5.0 (Windows; U; Windows NT 5.2; sk; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
L7 client traffic, L7 client bandwidth, L7 client requests
Layer 4 proxy forwarding rules
ruleId
Layer 4 proxy instance forwarding rule.
rule-3ddvs7nn3xap
﻿TCP/UDP application relevant metrics﻿
Layer 4 proxy instance
proxyId
Layer 4 proxy instance.
sid-3ddun6tk0l9k
﻿TCP/UDP application relevant metrics﻿
Edge Function name
-
Unique identifier of the EdgeOne Edge Function instance.
test1-zone-3e25s02xxbxe-1257620286
﻿Edge Function relevant metrics﻿
Edge Function execution result
-
Edge Function execution result.
Successed.
Failed.
﻿Edge Function relevant metrics﻿
DNS return code
-
DNS response status code.
NOError: No error, successful response.
NXDomain: Non-existent record.
NotImp: Unrealized, the DNS server does not support the requested query type. For supported query types, see DNS record type introduction.
Refused: Deny execution. The DNS server denies the specified operation due to policy.
DNS resolution count
DNS record
-
DNS record type.
For reference, see Introduction to DNS Record Types.
DNS resolution count
DNS region
-
Continent from which the client request originates.
Asia
Europe
Africa
Oceania
Americas
DNS resolution count
Applied action
-
The action taken on the request by the Web Security rule.
Monitor
L7 security policy hits
Rule ID
-
Web Security rule ID that the request matched.
2186065971
L7 security policy hits
DDoS protection instance
-
DDoS protection instance.
﻿
﻿L3/4 DDoS protection relevant metrics﻿
EdgeOne Shield space
-
EdgeOne Shield space.
﻿
﻿EdgeOne Shield relevant metrics﻿
Web Security Analysis
Supports filtering based on request features, rule features, various detailed Web protection rules, and Bot management policy features. The specific filtering options are described as follows:
Site: EdgeOne site.
Client IP: View only the request data from the specified client IP. Supports entering multiple values separated by carriage returns.
Client IP Region: The client IP comes from the specified country or region.
Client IP (prioritizing XFF header): View only the request data from the specified client IP (prioritizing XFF header). Supports entering multiple values separated by carriage returns.
Client IP Region (prioritizing XFF header): The client IP (prioritizing XFF header) comes from the specified country or region.
User-Agent: The User-Agent header information carried in the client request. Supports entering multiple values separated by carriage returns.
Request URL: The URL in the client request (excluding Host and only including the request path and query parameters). Supports entering multiple values separated by carriage returns.
Hostname: The host of the client request. Supports entering multiple values separated by carriage returns.
Referer: The referer carried in the client request. Supports entering multiple values separated by carriage returns.
Applied Action: The final disposal result of the request by the Web protection module. For details, see Action.The disposition result "Unknown" signifies that no predefined disposal methods have been executed. It serves solely as a fallback classification for data statistical processes and can be disregarded in routine analysis.
Request Path (Path): The URL path of the client request (HTTP request path, excluding Host and query parameters). Supports entering multiple values separated by carriage returns.
Request JA3 Fingerprint: JA3 fingerprint calculated based on the relevant parameters for the TLS handshake request of the client. Only supports the data of the domain names with Bot Management enabled.
Request Method (Method): The HTTP method of the client request.
Request ID: Unique identifier of a request, that is, the Request ID of the default block page, {{ EO_REQ_ID }} of the custom response page, EO-LOG-UUID in the EdgeOne default response header, and RequestID in the L7 access logs.
Rule Category: View only the request data that hits the specified category of Web protection rules.
Rule ID: View only the request data that hits the specified Web protection rule ID.
Relationship Between Multiple Filtering Conditions
The relationship between multiple filtering conditions is "And", and the relationship between multiple values within the same filtering condition is "Or".
For example, adding filtering conditions Country/Region=Singapore; Thailand and Status Code=404 means querying data that meets the access from Singapore or Thailand clients and the edge response status code is 404.
Supported Operators
Operator
Description
Equal
Query data with the filter item equal to any specified value
Does not equal
Query data with the filter item not equal to any specified value
Contain
Query data with a field such as URL, Referer, and resource type containing a specified string (for example, query data with URL containing /example)
Does not contain
Query data with a field such as URL, Referer, and resource type not containing a specified string (for example, query data with URL not containing /example)
Starts with
Query data with a field such as URL, Referer, and resource type starting with a specified string
Does not start with
Query data with a field such as URL, Referer, and resource type not starting with a specified string
Ends with
Query data with a field such as URL, Referer, and resource type ending with a specified string
Does not end with
Query data with a field such as URL, Referer, and resource type not ending with a specified string

Supported Filtering Options
- Analytics
- Web Security Analysis
Relationship Between Multiple Filtering Conditions
Supported Operators

Filter Option Name	API Parameter Name	Description	Example Value/Enumeration Value	Applicable to Metric List
Site	`ZoneId`	EdgeOne site.	`zone-3eoo0chifzcs`	All metrics
Content identifier	`ZoneId`	Content identifier. The feature is in beta test. If needed, contact us.	`eocontent-3edho0x9tmea`	L7 client traffic, L7 client bandwidth, L7 client requests
Host	`domain`	Client-requested Host. When the domain is onboarded via a wildcard, the recorded value is the wildcard domain itself, not the specific subdomain.	`www.example.com` or `*.example.com`	Domain services relevant metrics, Edge function relevant metrics
Country/Region	`country`	Country or region from which the client request originates, following the ISO 3166-1 alpha-2 standard.	`CN`	L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
Status codes	`statusCode`	HTTP status code returned by EdgeOne to the client. Data for up to the last 30 days can be queried.	`1XX`: 1xx status codes; `2XX`: 2xx status codes; `3XX`: 3xx status codes; `4XX`: 4xx status codes; `5XX`: 5xx status codes; Integers within the range [0,600).	L7 client traffic, L7 client bandwidth, L7 client requests
HTTP protocol	`protocol`	HTTP version used by client request.	`HTTP/1.0` `HTTP/1.1` `HTTP/2.0` `HTTP/3`: HTTP/3.0 (QUIC protocol) `WebSocket`:WebSocket Over HTTP/1.1	L7 client traffic, L7 client bandwidth, L7 client requests
ISP	`isp`	ISP of the client IP. Only available for data from the mainland China service region. Data for up to the last 30 days can be queried.	`2`: CTCC; `26`: CUCC; `1046`: CMCC; `3947`: China Tietong; `38`: China Education Network; `43`: Great Wall Broadband; `0`: Other ISP.	L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
Province	`province`	Province of the client IP. Only available for data from the mainland China service region. Data for up to the last 30 days can be queried.	Province codes refer to Mapping Table of Provinces Within the Chinese Mainland, example value: `22`.	L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
TLS version	`tlsVersion`	TLS protocol version used by client request. Data for up to the last 30 days can be queried.	`TLS1.0` `TLS1.1` `TLS1.2` `TLS1.3`	L7 client traffic, L7 client bandwidth, L7 client requests
URL path	`url`	The URL path of the client request, excluding query parameters. Data for up to the last 30 days can be queried.	`/content` or `/content/test.jpg`	L7 client traffic, L7 client bandwidth, L7 client requests
Referer	`referer`	Referer header value of client request, excluding query parameters. Data for up to the last 30 days can be queried.	`http://www.example.com/`	L7 client traffic, L7 client bandwidth, L7 client requests
Resource type	`resourceType`	Resource type of client request, i.e. the suffix of requested file. Data for up to the last 30 days can be queried.	`.txt` or `.jpg`	L7 client traffic, L7 client bandwidth, L7 client requests
Device type	`deviceType`	The device type of client requests, extracted and categorized from `User-Agent`. Data for up to the last 30 days can be queried.	`TV`: TV `Tablet`: Tablet `Mobile`: Mobile phone `Desktop`: Computer `Other`: Other	L7 client traffic, L7 client bandwidth, L7 client requests
Browser type	`browserType`	The browser type of client requests, extracted and categorized from `User-Agent`. Data for up to the last 30 days can be queried.	`Firefox`: Firefox browser; `Chrome`: Chrome browser; `Safari`: Safari browser; `Other`: Other browser types; `Bot`: search engine crawler; `MicrosoftEdge`: Microsoft Edge browser; `IE`: IE browser; `Opera`: Opera browser; `QQBrowser`: QQ browser; `LBBrowser`: LB browser; `MaxthonBrowser`: Maxthon browser; `SouGouBrowser`: Sogou browser; `BIDUBrowser`: Baidu browser; `TaoBrowser`: Tao browser; `UBrowser`: UC Browser.	L7 client traffic, L7 client bandwidth, L7 client requests
Client operating system	`operatingSystemType`	The operating system type used by client requests, extracted and categorized from `User-Agent`. Data for up to the last 30 days can be queried.	`Linux`: Linux operating system; `MacOS`: MacOS operating system; `Android`: Android operating system; `IOS`: IOS operating system; `Windows`: Windows operating system; `NetBSD`:NetBSD; `ChromiumOS`:ChromiumOS; `Bot`: search engine crawler; `Other`: other types of operating systems;	L7 client traffic, L7 client bandwidth, L7 client requests
IP version	`ipVersion`	IP address version of client requests. Data for up to the last 30 days can be queried.	`4`:IPv4; `6`:IPv6.	L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
HTTP/HTTPS	`socket`	HTTP protocol type used by client request.	`HTTP` `HTTPS`	L7 client traffic, L7 client bandwidth, L7 client requests, L7 response time
Cache status	`cacheType`	Cache status of client request.	`hit`: The request hits EdgeOne node cache, and resources are provided by node cache. A partial cache hit for resources is also recorded as a hit. `miss`: The request does not hit EdgeOne node cache, and resources are provided by the origin server. `dynamic`: The requested resources cannot be cached/unconfigured to be cached by the node, and resources are provided by the origin server. `other`: Unrecognizable cache status. Requests responded by Edge Functions will be recorded as other.	L7 client traffic, L7 client bandwidth, L7 client requests
Mitigated by EdgeOne Web Security or not	`mitigatedByWebSecurity`	Indicates whether the request was mitigated by the EdgeOne Web Security module. Any action of "deny" or "challenge" is regarded as mitigated.	`yes`: Requests that have been blocked or challenged by the EdgeOne Web Security module, excluding requests that did not match any security rules and those whose final action was "Monitor" or "Allow". `no`: Requests that, after passing through protection, are ultimately served by EdgeOne or the origin server.	L7 client traffic, L7 client bandwidth, L7 client requests
Client IP	`clientIp`	Client IP address. Data for up to the last 30 days can be queried. Supports multiple inputs when the operator is equal/not equal.	`1.1.1.1`	L7 client traffic, L7 client bandwidth, L7 client requests, L7 security policy hits
User-Agent	`userAgent`	User-Agent header value of client request. Data for up to the last 30 days can be queried.	`Mozilla/5.0 (Windows; U; Windows NT 5.2; sk; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15`	L7 client traffic, L7 client bandwidth, L7 client requests
Layer 4 proxy forwarding rules	`ruleId`	Layer 4 proxy instance forwarding rule.	`rule-3ddvs7nn3xap`	TCP/UDP application relevant metrics
Layer 4 proxy instance	`proxyId`	Layer 4 proxy instance.	`sid-3ddun6tk0l9k`	TCP/UDP application relevant metrics
Edge Function name	-	Unique identifier of the EdgeOne Edge Function instance.	`test1-zone-3e25s02xxbxe-1257620286`	Edge Function relevant metrics
Edge Function execution result	-	Edge Function execution result.	Successed. Failed.	Edge Function relevant metrics
DNS return code	-	DNS response status code.	`NOError`: No error, successful response. `NXDomain`: Non-existent record. `NotImp`: Unrealized, the DNS server does not support the requested query type. For supported query types, see DNS record type introduction. `Refused`: Deny execution. The DNS server denies the specified operation due to policy.	DNS resolution count
DNS record	-	DNS record type.	For reference, see Introduction to DNS Record Types.	DNS resolution count
DNS region	-	Continent from which the client request originates.	Asia Europe Africa Oceania Americas	DNS resolution count
Applied action	-	The action taken on the request by the Web Security rule.	Monitor	L7 security policy hits
Rule ID	-	Web Security rule ID that the request matched.	`2186065971`	L7 security policy hits
DDoS protection instance	-	DDoS protection instance.		L3/4 DDoS protection relevant metrics
EdgeOne Shield space	-	EdgeOne Shield space.		EdgeOne Shield relevant metrics

Operator	Description
Equal	Query data with the filter item equal to any specified value
Does not equal	Query data with the filter item not equal to any specified value
Contain	Query data with a field such as URL, Referer, and resource type containing a specified string (for example, query `data with URL containing /example`)
Does not contain	Query data with a field such as URL, Referer, and resource type not containing a specified string (for example, query `data with URL not containing /example`)
Starts with	Query data with a field such as URL, Referer, and resource type starting with a specified string
Does not start with	Query data with a field such as URL, Referer, and resource type not starting with a specified string
Ends with	Query data with a field such as URL, Referer, and resource type ending with a specified string
Does not end with	Query data with a field such as URL, Referer, and resource type not ending with a specified string