Observability

Log Service
- Overview
- Real-time Logs
  - Real-time Logs Overview
  - Push to Tencent Cloud CLS
  - Push to AWS S3-Compatible COS
  - Push to HTTP Server
- Offline Logs
- Related References
  - Field description
    - L7 Access Logs
    - L4 Proxy Logs
    - Edge Function Running Logs
  - Real-Time Log Push Filter Conditions
  - Custom Log Push Fields
  - Customizing Log Output Formats
Data Analysis
- Overview
- Analytics
- Web Security Analysis
- Traffic Analysis
- Cache Analysis
- Security Analysis
  - Site Security Overview
  - Web Security Analysis
- L4 Proxy
- DNS Resolution
- Related References
  - Sampling Statistics
  - How to use filter condition
  - How to Modify Query Time Range
  - How to Export Statistical Data and Reports
AlarmService
- Custom Statistical Metrics

How to use filter condition

EdgeOne data analysis supports two types of filtering conditions:
1. Time filtering condition (required): View the data within the selected time range, for details, please refer to How to modify the query time range.
2. Other filtering conditions: Customize the data filtering according to the filtering options supported by each page. The following is a detailed explanation of this part.
Supported Filtering Options
Metric Analysis
Filter Option Name
API Parameter Name
Description
Example Value/Enumeration Value
Applicable to Metric List
Site
ZoneId
EdgeOne site
zone-3eoo0chifzcs
All Metrics
Content identifier
ZoneId
﻿Content identifier. The feature is in beta test. If needed, contact us.
eocontent-3edho0x9tmea
L7 access traffic, L7 access bandwidth, L7 access request count
​​Host​​
domain
The Host in client requests. If EdgeOne is accessed via a wildcard domain name, the data will show the wildcard domain rather than a specific domain.
www.example.com or *.example.com
﻿Domain services relevant metrics, Edge function relevant metrics﻿
Country/Region
country
Country/Region of client request origin. Country/Region follows the ISO 3166-1 alpha-2 standard.
CN
L7 access traffic, L7 access bandwidth, L7 access request count, L7 response time
Status Codes
statusCode
EdgeOne response status code to client. Queryable data for up to 30 days.
1XX: 1xx status codes;
2XX: 2xx status codes;
3XX: 3xx status codes;
4XX: 4xx status codes;
5XX: 5xx status codes;
Integers within the range [0,600).
L7 access traffic, L7 access bandwidth, L7 access request count
HTTP protocol
protocol
HTTP version used by client request.
HTTP/1.0
HTTP/1.1
HTTP/2.0
HTTP/3: HTTP/3.0 (QUIC protocol)
WebSocket:WebSocket Over HTTP/1.1
L7 access traffic, L7 access bandwidth, L7 access request count
carrier
isp
The operator of the client request source is only supported for site data in Chinese mainland availability zones. You can query data for up to the last 30 days.
2: CTCC;
26: CUCC;
1046: CMCC;
3947: China Tietong;
38: China Education Network;
43: Great Wall Broadband;
0: Other ISP.
L7 access traffic, L7 access bandwidth, L7 access request count, L7 response time
Province
province
The province of client request origin is only supported for site data in Chinese mainland AZs. You can query data for up to the last 30 days.
Province codes reference Mapping Table of Provinces Within the Chinese Mainland, example value: 22.
L7 access traffic, L7 access bandwidth, L7 access request count, L7 response time
TLS version
tlsVersion
TLS protocol version used by client request. Queryable for up to 30 days of data.
TLS1.0
TLS1.1
TLS1.2
TLS1.3
L7 access traffic, L7 access bandwidth, L7 access request count
​​URL Path​​
url
URL path of client request, excluding query parameters. Queryable for up to 30 days of data.
/content or /content/test.jpg
L7 access traffic, L7 access bandwidth, L7 access request count
​​Referer​​
referer
Referer header value of client request, excluding query parameters. Queryable for up to 30 days of data.
http://www.example.com/
L7 access traffic, L7 access bandwidth, L7 access request count
Resource Type
resourceType
Resource type of client request, i.e. the suffix of requested file. Queryable for up to 30 days of data.
 .txt or .jpg
L7 access traffic, L7 access bandwidth, L7 access request count
Device Type
deviceType
The device type of client requests, extracted and categorized from User-Agent. Data from the last 30 days is queryable.
TV: TV
Tablet: Tablet
Mobile: Mobile phone
Desktop: Computer
Other: Other
L7 access traffic, L7 access bandwidth, L7 access request count
browser type
browserType
The browser type used by client requests, extracted and categorized from User-Agent. Data from the last 30 days is queryable.
Firefox: Firefox browser;
Chrome: Chrome browser;
Safari: Safari browser;
Other: Other browser types;
Bot: search engine crawler;
MicrosoftEdge: Microsoft Edge browser;
IE: IE browser;
Opera: Opera browser;
QQBrowser: QQ Browser;
LBBrowser: LB browser;
MaxthonBrowser: Maxthon browser;
SouGouBrowser: Sogou Browser;
BIDUBrowser: Baidu Browser;
TaoBrowser: taobrowser;
UBrowser: UC Browser.
L7 access traffic, L7 access bandwidth, L7 access request count
client operating system
operatingSystemType
The operating system type used by client requests, extracted and categorized from User-Agent. Data from the last 30 days is queryable.
Linux: Linux operating system;
MacOS: MacOS operating system;
Android: Android operating system;
IOS: IOS operating system;
Windows: Windows operating system;
NetBSD:NetBSD;
ChromiumOS:ChromiumOS;
Bot: search engine crawler;
Other: other types of operating systems;
L7 access traffic, L7 access bandwidth, L7 access request count
IP version
ipVersion
IP address version used by client request. Queryable for up to 30 days of data.
4:IPv4;
6:IPv6.
L7 access traffic, L7 access bandwidth, L7 access request count, L7 response time
​​HTTP/HTTPS​​
socket
HTTP protocol type used by client request.
HTTP
HTTPS
L7 access traffic, L7 access bandwidth, L7 access request count, L7 response time
cache status
cacheType
Cache status of client request.
hit: The request hits EdgeOne node cache, and resources are provided by node cache. A partial cache hit for resources is also recorded as a hit.
miss: The request does not hit EdgeOne node cache, and resources are provided by the origin server.
dynamic: The requested resources cannot be cached/unconfigured to be cached by the node, and resources are provided by the origin server.
other: Unrecognizable cache status. Requests responded to by edge functions will be recorded as other.
L7 access traffic, L7 access bandwidth, L7 access request count
Whether transit through the Web protection module is required or not
mitigatedByWebSecurity
Whether the identification request is handled by the EdgeOne Web Protection module. Interception or challenge actions are deemed as handled.
yes: Requests intercepted or challenged by the EdgeOne Web Protection module, excluding requests that miss security rules or have final handling results of observation or pass.
no: Requests responded by EdgeOne or the origin server post-protection.
L7 access traffic, L7 access bandwidth, L7 access request count
client IP
clientIp
client IP address. Queryable for up to 30 days of data. Supports multiple inputs when the operator is equal/not equal.
​​1.1.1.1
L7 access traffic, L7 access bandwidth, L7 access request count, L7 protection number of hits
​​User-Agent​​
userAgent
User-Agent header value of client request. Queryable for up to 30 days of data.
Mozilla/5.0 (Windows; U; Windows NT 5.2; sk; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
L7 access traffic, L7 access bandwidth, L7 access request count
Layer 4 Proxy Forwarding Rules
ruleId
Layer 4 proxy instance forwarding rule.
rule-3ddvs7nn3xap
﻿TCP/UDP application business relevant metrics﻿
Layer 4 proxy instance
proxyId
Layer 4 proxy instance
sid-3ddun6tk0l9k
﻿TCP/UDP application business relevant metrics﻿
edge function name
-
Unique identifier of the EdgeOne edge function instance.
test1-zone-3e25s02xxbxe-1257620286
﻿Edge function relevant metrics﻿
edge function execution result
-
edge function execution result.
Successful.
Failed.
﻿Edge function relevant metrics﻿
DNS return code
-
DNS response status code.
NOError: No error, successful response.
NXDomain: Non-existent record.
NotImp: Unrealized, the DNS server does not support the requested query type. For supported query types, see DNS record type introduction.
Refused: Deny execution. The DNS server denies the specified operation due to policy.
DNS resolution count
DNS record
-
DNS record type
For reference, see Introduction to DNS Record Types.
DNS resolution count
DNS region
-
Continent of client request origin.
Asia
Europe
Africa
Oceania
Americas
DNS resolution count
Applied Action
-
Web protection rules handle requests via.
Observe
Number of L7 protection hits
Rule ID
-
Request hits the Web Protection Rule ID.
2186065971
Number of L7 protection hits
Anti-DDoS instance
-
Anti-DDoS instance
﻿
﻿L3/4 DDoS protection relevant metrics﻿
EdgeOne Shield Space
-
EdgeOne Shield Space.
﻿
﻿EdgeOne Shield relevant metrics﻿
Web Security Analysis
Supports filtering based on request features, rule features, various detailed Web protection rules, and Bot management policy features. The specific filtering options are described as follows:
Site: EdgeOne site.
Client IP: View only the request data from the specified client IP. Supports entering multiple values separated by carriage returns.
Client IP Region: The client IP comes from the specified country or region.
Client IP (prioritizing XFF header): View only the request data from the specified client IP (prioritizing XFF header). Supports entering multiple values separated by carriage returns.
Client IP Region (prioritizing XFF header): The client IP (prioritizing XFF header) comes from the specified country or region.
User-Agent: The User-Agent header information carried in the client request. Supports entering multiple values separated by carriage returns.
Request URL: The URL in the client request (excluding Host and only including the request path and query parameters). Supports entering multiple values separated by carriage returns.
Hostname: The host of the client request. Supports entering multiple values separated by carriage returns.
Referer: The referer carried in the client request. Supports entering multiple values separated by carriage returns.
Applied Action: The final disposal result of the request by the Web protection module. For details, see Action.The disposition result "Unknown" signifies that no predefined disposal methods have been executed. It serves solely as a fallback classification for data statistical processes and can be disregarded in routine analysis.
Request Path (Path): The URL path of the client request (HTTP request path, excluding Host and query parameters). Supports entering multiple values separated by carriage returns.
Request JA3 Fingerprint: JA3 fingerprint calculated based on the relevant parameters for the TLS handshake request of the client. Only supports the data of the domain names with Bot Management enabled.
Request Method (Method): The HTTP method of the client request.
Request ID: Unique identifier of a request, that is, the Request ID of the default block page, {{ EO_REQ_ID }} of the custom response page, EO-LOG-UUID in the EdgeOne default response header, and RequestID in the L7 access logs.
Rule Category: View only the request data that hits the specified category of Web protection rules.
Rule ID: View only the request data that hits the specified Web protection rule ID.
Relationship Between Multiple Filtering Conditions
The relationship between multiple filtering conditions is "And", and the relationship between multiple values within the same filtering condition is "Or".
For example, adding filtering conditions Country/Region=Singapore; Thailand and Status Code=404 means querying data that meets the access from Singapore or Thailand clients and the edge response status code is 404.
Supported Operators
Operator
Description
Equal
Query data with the filter item equal to any specified value
Does not equal
Query data with the filter item not equal to any specified value
Contain
Query data with a field such as URL, Referer, and resource type containing a specified string (for example, query data with URL containing /example)
Does not contain
Query data with a field such as URL, Referer, and resource type not containing a specified string (for example, query data with URL not containing /example)
Starts with
Query data with a field such as URL, Referer, and resource type starting with a specified string
Does not start with
Query data with a field such as URL, Referer, and resource type not starting with a specified string
Ends with
Query data with a field such as URL, Referer, and resource type ending with a specified string
Does not end with
Query data with a field such as URL, Referer, and resource type not ending with a specified string

Supported Filtering Options
- Metric Analysis
- Web Security Analysis
Relationship Between Multiple Filtering Conditions
Supported Operators

Filter Option Name	API Parameter Name	Description	Example Value/Enumeration Value	Applicable to Metric List
Site	`ZoneId`	EdgeOne site	`zone-3eoo0chifzcs`	All Metrics
Content identifier	`ZoneId`	Content identifier. The feature is in beta test. If needed, contact us.	`eocontent-3edho0x9tmea`	L7 access traffic, L7 access bandwidth, L7 access request count
Host	`domain`	The Host in client requests. If EdgeOne is accessed via a wildcard domain name, the data will show the wildcard domain rather than a specific domain.	`www.example.com` or `*.example.com`	Domain services relevant metrics, Edge function relevant metrics
Country/Region	`country`	Country/Region of client request origin. Country/Region follows the ISO 3166-1 alpha-2 standard.	`CN`	L7 access traffic, L7 access bandwidth, L7 access request count, L7 response time
Status Codes	`statusCode`	EdgeOne response status code to client. Queryable data for up to 30 days.	`1XX`: 1xx status codes; `2XX`: 2xx status codes; `3XX`: 3xx status codes; `4XX`: 4xx status codes; `5XX`: 5xx status codes; Integers within the range [0,600).	L7 access traffic, L7 access bandwidth, L7 access request count
HTTP protocol	`protocol`	HTTP version used by client request.	`HTTP/1.0` `HTTP/1.1` `HTTP/2.0` `HTTP/3`: HTTP/3.0 (QUIC protocol) `WebSocket`:WebSocket Over HTTP/1.1	L7 access traffic, L7 access bandwidth, L7 access request count
carrier	`isp`	The operator of the client request source is only supported for site data in Chinese mainland availability zones. You can query data for up to the last 30 days.	`2`: CTCC; `26`: CUCC; `1046`: CMCC; `3947`: China Tietong; `38`: China Education Network; `43`: Great Wall Broadband; `0`: Other ISP.	L7 access traffic, L7 access bandwidth, L7 access request count, L7 response time
Province	`province`	The province of client request origin is only supported for site data in Chinese mainland AZs. You can query data for up to the last 30 days.	Province codes reference Mapping Table of Provinces Within the Chinese Mainland, example value: `22`.	L7 access traffic, L7 access bandwidth, L7 access request count, L7 response time
TLS version	`tlsVersion`	TLS protocol version used by client request. Queryable for up to 30 days of data.	`TLS1.0` `TLS1.1` `TLS1.2` `TLS1.3`	L7 access traffic, L7 access bandwidth, L7 access request count
URL Path	`url`	URL path of client request, excluding query parameters. Queryable for up to 30 days of data.	`/content` or `/content/test.jpg`	L7 access traffic, L7 access bandwidth, L7 access request count
Referer	`referer`	Referer header value of client request, excluding query parameters. Queryable for up to 30 days of data.	`http://www.example.com/`	L7 access traffic, L7 access bandwidth, L7 access request count
Resource Type	`resourceType`	Resource type of client request, i.e. the suffix of requested file. Queryable for up to 30 days of data.	`.txt` or `.jpg`	L7 access traffic, L7 access bandwidth, L7 access request count
Device Type	`deviceType`	The device type of client requests, extracted and categorized from `User-Agent`. Data from the last 30 days is queryable.	`TV`: TV `Tablet`: Tablet `Mobile`: Mobile phone `Desktop`: Computer `Other`: Other	L7 access traffic, L7 access bandwidth, L7 access request count
browser type	`browserType`	The browser type used by client requests, extracted and categorized from `User-Agent`. Data from the last 30 days is queryable.	`Firefox`: Firefox browser; `Chrome`: Chrome browser; `Safari`: Safari browser; `Other`: Other browser types; `Bot`: search engine crawler; `MicrosoftEdge`: Microsoft Edge browser; `IE`: IE browser; `Opera`: Opera browser; `QQBrowser`: QQ Browser; `LBBrowser`: LB browser; `MaxthonBrowser`: Maxthon browser; `SouGouBrowser`: Sogou Browser; `BIDUBrowser`: Baidu Browser; `TaoBrowser`: taobrowser; `UBrowser`: UC Browser.	L7 access traffic, L7 access bandwidth, L7 access request count
client operating system	`operatingSystemType`	The operating system type used by client requests, extracted and categorized from `User-Agent`. Data from the last 30 days is queryable.	`Linux`: Linux operating system; `MacOS`: MacOS operating system; `Android`: Android operating system; `IOS`: IOS operating system; `Windows`: Windows operating system; `NetBSD`:NetBSD; `ChromiumOS`:ChromiumOS; `Bot`: search engine crawler; `Other`: other types of operating systems;	L7 access traffic, L7 access bandwidth, L7 access request count
IP version	`ipVersion`	IP address version used by client request. Queryable for up to 30 days of data.	`4`:IPv4; `6`:IPv6.	L7 access traffic, L7 access bandwidth, L7 access request count, L7 response time
HTTP/HTTPS	`socket`	HTTP protocol type used by client request.	`HTTP` `HTTPS`	L7 access traffic, L7 access bandwidth, L7 access request count, L7 response time
cache status	`cacheType`	Cache status of client request.	`hit`: The request hits EdgeOne node cache, and resources are provided by node cache. A partial cache hit for resources is also recorded as a hit. `miss`: The request does not hit EdgeOne node cache, and resources are provided by the origin server. `dynamic`: The requested resources cannot be cached/unconfigured to be cached by the node, and resources are provided by the origin server. `other`: Unrecognizable cache status. Requests responded to by edge functions will be recorded as other.	L7 access traffic, L7 access bandwidth, L7 access request count
Whether transit through the Web protection module is required or not	`mitigatedByWebSecurity`	Whether the identification request is handled by the EdgeOne Web Protection module. Interception or challenge actions are deemed as handled.	`yes`: Requests intercepted or challenged by the EdgeOne Web Protection module, excluding requests that miss security rules or have final handling results of observation or pass. `no`: Requests responded by EdgeOne or the origin server post-protection.	L7 access traffic, L7 access bandwidth, L7 access request count
client IP	`clientIp`	client IP address. Queryable for up to 30 days of data. Supports multiple inputs when the operator is equal/not equal.	`1.1.1.1`	L7 access traffic, L7 access bandwidth, L7 access request count, L7 protection number of hits
User-Agent	`userAgent`	User-Agent header value of client request. Queryable for up to 30 days of data.	`Mozilla/5.0 (Windows; U; Windows NT 5.2; sk; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15`	L7 access traffic, L7 access bandwidth, L7 access request count
Layer 4 Proxy Forwarding Rules	`ruleId`	Layer 4 proxy instance forwarding rule.	`rule-3ddvs7nn3xap`	TCP/UDP application business relevant metrics
Layer 4 proxy instance	`proxyId`	Layer 4 proxy instance	`sid-3ddun6tk0l9k`	TCP/UDP application business relevant metrics
edge function name	-	Unique identifier of the EdgeOne edge function instance.	`test1-zone-3e25s02xxbxe-1257620286`	Edge function relevant metrics
edge function execution result	-	edge function execution result.	Successful. Failed.	Edge function relevant metrics
DNS return code	-	DNS response status code.	`NOError`: No error, successful response. `NXDomain`: Non-existent record. `NotImp`: Unrealized, the DNS server does not support the requested query type. For supported query types, see DNS record type introduction. `Refused`: Deny execution. The DNS server denies the specified operation due to policy.	DNS resolution count
DNS record	-	DNS record type	For reference, see Introduction to DNS Record Types.	DNS resolution count
DNS region	-	Continent of client request origin.	Asia Europe Africa Oceania Americas	DNS resolution count
Applied Action	-	Web protection rules handle requests via.	Observe	Number of L7 protection hits
Rule ID	-	Request hits the Web Protection Rule ID.	`2186065971`	Number of L7 protection hits
Anti-DDoS instance	-	Anti-DDoS instance		L3/4 DDoS protection relevant metrics
EdgeOne Shield Space	-	EdgeOne Shield Space.		EdgeOne Shield relevant metrics

Operator	Description
Equal	Query data with the filter item equal to any specified value
Does not equal	Query data with the filter item not equal to any specified value
Contain	Query data with a field such as URL, Referer, and resource type containing a specified string (for example, query `data with URL containing /example`)
Does not contain	Query data with a field such as URL, Referer, and resource type not containing a specified string (for example, query `data with URL not containing /example`)
Starts with	Query data with a field such as URL, Referer, and resource type starting with a specified string
Does not start with	Query data with a field such as URL, Referer, and resource type not starting with a specified string
Ends with	Query data with a field such as URL, Referer, and resource type ending with a specified string
Does not end with	Query data with a field such as URL, Referer, and resource type not ending with a specified string