Observability

Log Service
- Overview
- Real-time Logs
  - Real-time Logs Overview
  - Push to Tencent Cloud CLS
  - Push to AWS S3-Compatible COS
  - Push to HTTP Server
- Offline Logs
- Related References
  - Field description
    - L7 Access Logs
    - L4 Proxy Logs
    - Edge Function Running Logs
  - Real-Time Log Push Filter Conditions
  - Custom Log Push Fields
  - Customizing Log Output Formats
Data Analysis
- Overview
- Analytics
- Web Security Analysis
- Traffic Analysis
- Cache Analysis
- Security Analysis
  - Site Security Overview
  - Web Security Analysis
- L4 Proxy
- DNS Resolution
- Related References
  - Sampling Statistics
  - How to use filter condition
  - How to Modify Query Time Range
  - How to Export Statistical Data and Reports
AlarmService
- Custom Statistical Metrics

How to use filter condition

The filtering criteria supported by EdgeOne data analytics are categorized into two types:
1. Time filter (required): View data within the selected time range. For details, see How to Modify Query Time Range.
2. Other filter criteria: Customize the data you need based on the filter options supported by each page. The following section provides a detailed explanation of this part.
Supported filter options
Metric Analysis
Filter Option Name
API parameter name
Description
Example value/Enum value
Can be used for metrics list
Site
ZoneId
EdgeOne site.
zone-3eoo0chifzcs
All metrics
content identifier
ZoneId
Content identifier. This feature is currently in beta. If you need to use it, please contact us.
eocontent-3edho0x9tmea
L7 traffic, L7 bandwidth, L7 requests
​​Host​​
domain
The Host in client requests. If accessing EdgeOne via a wildcard domain, the data will record the wildcard domain rather than the specific domain.
www.example.com or *.example.com
Domain Service Metrics, Edge Function Metrics
Country/Region
country
The country or region of the source of client requests. Country/Region follows the ISO 3166-1 alpha-2 standard.
CN
L7 access traffic, L7 access bandwidth, L7 access requests, L7 access response time, TCP/UDP Application Metrics
status code
statusCode
The status code returned by EdgeOne to clients. Data from the last 30 days can be queried.
1XX: 1xx status codes.
2XX: 2xx status codes.
3XX: 3xx status codes.
4XX: 4xx status codes.
5XX: 5xx status codes;
An integer in the range [0,600).
L7 traffic, L7 bandwidth, L7 requests
HTTP Protocol
protocol
The HTTP version used by client requests.
HTTP/1.0
HTTP/1.1
HTTP/2.0
HTTP/3: HTTP/3.0 (QUIC protocol)
WebSocket:WebSocket Over HTTP/1.1
L7 traffic, L7 bandwidth, L7 requests
Carrier
isp
The carrier of the client request source. Only supports site data from AZs in the Chinese mainland. Data from the last 30 days can be queried.
2: China Telecom;
26: China Unicom;
1046: China Mobile;
3947: China Tietong;
38: Education Network;
43: Great Wall Broadband;
0: Other carriers.
L7 access traffic, L7 access bandwidth, L7 access requests, L7 access response time
Province
province
The province of the client request source. Only supports site data from AZs in the Chinese mainland. Data from the last 30 days can be queried.
Province codes refer to the province mapping table for mainland China, example value: 22.
L7 access traffic, L7 access bandwidth, L7 access requests, L7 access response time
TLS version
tlsVersion
The TLS protocol version used by client requests. Data from the last 30 days can be queried.
TLS1.0
TLS1.1
TLS1.2
TLS1.3
L7 traffic, L7 bandwidth, L7 requests
​​URL Path​​
url
The URL path (path) of client requests, excluding query parameters. Data from the last 30 days can be queried.
/content or /content/test.jpg
L7 traffic, L7 bandwidth, L7 requests
​​Referer​​
referer
The Referer header value of client requests, excluding query parameters. Data from the last 30 days can be queried.
http://www.example.com/
L7 traffic, L7 bandwidth, L7 requests
Resource type
resourceType
The resource type of client requests, that is, the file extension of the requested resources. Data from the last 30 days can be queried.
 .txt or .jpg
L7 traffic, L7 bandwidth, L7 requests
Device type
deviceType
The device type of client requests, extracted from the User-Agent header. Data from the last 30 days can be queried.
TV: Television
Tablet: Tablet computer
Mobile: Mobile phone
Desktop: Computer
Other: Other
L7 traffic, L7 bandwidth, L7 requests
Browser type
browserType
The browser type used in client requests, extracted and categorized from the User-Agent header. Data from the last 30 days can be queried.
Firefox: Firefox browser;
Chrome: Chrome browser;
Safari: Safari browser;
Other: Other browser types;
Bot: Search engine crawler;
MicrosoftEdge: MicrosoftEdge browser;
IE: IE browser;
Opera: Opera browser;
QQBrowser: QQBrowser;
LBBrowser: LBBrowser;
MaxthonBrowser: Maxthon browser;
SouGouBrowser: Sogou browser;
BIDUBrowser: Baidu Browser;
TaoBrowser: Tao Browser;
UBrowser: UC Browser.
L7 traffic, L7 bandwidth, L7 requests
Client Operating System
operatingSystemType
The operating system type used in client requests, extracted and categorized from the User-Agent header. Data from the last 30 days can be queried.
Linux: Linux operating system;
MacOS: macOS operating system;
Android: Android operating system;
IOS: IOS operating system;
Windows: Windows operating system;
NetBSD:NetBSD;
ChromiumOS:ChromiumOS;
Bot: Search engine crawler;
Other: Other operating systems;
L7 traffic, L7 bandwidth, L7 requests
IP version
ipVersion
The IP address version used by client requests. Data from the last 30 days can be queried.
4:IPv4;
6:IPv6.
L7 access traffic, L7 access bandwidth, L7 access requests, L7 access response time
​​HTTP/HTTPS​​
socket
The HTTP protocol type used by client requests.
HTTP
HTTPS
L7 access traffic, L7 access bandwidth, L7 access requests, L7 access response time
Cache status
cacheType
Cache status of client requests.
hit: The request hits the EdgeOne node cache, and resources are served from the node cache. Partial cache hits are also recorded as hit.
miss: The request misses the EdgeOne node cache, and resources are provided by the origin server.
dynamic: The requested resources cannot be cached/are not configured to be cached at the node, and resources are provided by the origin server.
other: Unrecognized cache status. Requests responded to by edge functions are recorded as other.
L7 traffic, L7 bandwidth, L7 requests
Whether the request has been mitigated by the Web Protection Module
mitigatedByWebSecurity
Indicates whether the request has been mitigated by the EdgeOne Web Protection Module. Intercept or challenge actions are considered mitigated.
yes: Requests intercepted or challenged by the EdgeOne Web Protection Module. Excludes requests that didn't trigger security rules and requests with final actions of Observe or Allow.
no: Requests responded by EdgeOne or the origin server after passing through protection.
L7 traffic, L7 bandwidth, L7 requests
Client IP address
clientIp
Client IP address. Data from the last 30 days can be queried. When the operator is equals/does not equal, multiple values are supported.
​​1.1.1.1
L7 traffic, L7 bandwidth, L7 requests, L7 protection hits
​​User-Agent​​
userAgent
The User-Agent header value of client requests. Data from the last 30 days can be queried.
Mozilla/5.0 (Windows; U; Windows NT 5.2; sk; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
L7 traffic, L7 bandwidth, L7 requests
Layer 4 proxy forwarding rules
ruleId
Specific forwarding rules for L4 proxy instances.
rule-3ddvs7nn3xap
TCP/UDP Application Metrics
L4 proxy instance
proxyId
L4 proxy instance.
sid-3ddun6tk0l9k
TCP/UDP Application Metrics
Edge function name
-
The unique identifier of an EdgeOne edge function instance.
test1-zone-3e25s02xxbxe-1257620286
Edge Function Metrics
Edge Function Execution Result
-
Edge function execution result.
Successful.
Failed.
Edge Function Metrics
DNS Response Code
-
DNS resolution response status code.
NOError: no error, successful response.
NXDomain: non-existent record.
NotImp: Not implemented, DNS server does not support the requested query type; for implemented query types, refer to Record Type Introduction.
Refused: Refused, the DNS server declined to perform the specified operation due to policy.
number of DNS resolutions
DNS record
-
DNS record type.
Refer to Record Type Introduction.
DNS resolution number
DNS region
-
Continent of client request source.
Asia
Europe
Africa
Oceania
America
number of DNS resolutions
Request disposition result
-
Web protection rules request disposition method.
Observation
L7 protection hit count
Rule ID
-
Request hits Web protection rule ID.
2186065971
L7 protection number of hits
Anti-DDoS instance
-
Anti-DDoS instance.
﻿
L3/4 DDoS Attack Protection Related Metrics
EdgeOne Shield space
-
EdgeOne Shield space.
﻿
EdgeOne Shield Related Metrics
Web Security Analysis
Supported filtering based on request features, rule characteristics, and various detailed Web protection rules and Bot management policy features. The specific filter options are described as follows:
Site: EdgeOne site.
Client IP: View request data only from specified client IP addresses. Multiple values are supported, separated by line breaks.
Client IP Region: Client IP address originating from specified countries or regions.
Client IP (preferentially match XFF header): Only view request data from specified client IP addresses (preferentially match XFF header). Multiple values are supported, separated by line breaks.
Client IP Region (preferentially match XFF header): Client IP address (preferentially match XFF header) originating from specified countries or regions.
User-Agent: The User-Agent header information carried in client requests. Multiple values are supported, separated by line breaks.
Request URL: The URL of the client request (excluding the Host, only including the request path and query parameters). Multiple values are supported, separated by line breaks.
Domain name host: The Host of the client request. Multiple values are supported, separated by line breaks.
Source Referer: The Referer carried in client requests. Multiple values are supported, separated by line breaks.
Disposition Result: The final disposition result of the request by the Web Protection module. For detailed descriptions, see Disposition Methods. The "Unknown" disposition result indicates that no other defined disposition method was executed, serving only as a fallback category for data statistics. This option can be ignored in routine analysis.
Request Path (Path): The URL Path of the client request (HTTP request path, excluding Host and query parameters). Multiple values are supported, separated by line breaks.
Request JA3 Fingerprint: The JA3 fingerprint calculated based on parameters from the client's TLS handshake. Only supports domain data with Bot Management enabled.
Request JA4 Fingerprint: The JA4 fingerprint calculated based on parameters from the client's TLS handshake. Only supports domain data with Bot Management enabled.
Request Method (Method): The HTTP Method of the client request.
Request ID: Used to uniquely identify a request, corresponding to the Request ID on the default interception page, {{ EO_REQ_ID }} in custom response pages, EO-LOG-UUID in EdgeOne default response headers, and RequestID in Layer 7 access logs.
Rule Category: Only view request data that triggers specified categories of Web protection rules.
Rule ID: Only view request data that triggers specified Web protection rule IDs.
Relationship between multiple filter criteria
The relationship between multiple filter conditions is an "and" relationship, while the relationship between multiple values within the same filter condition is an "or" relationship.
For example: Adding both filter conditions Country/Region=Singapore,Thailand and Status Code=404 means querying data that satisfies access from clients in Singapore or Thailand and edge response status code 404.
Supported Operators
Operator
Description
Equal to
Data where the filter item equals any specified value.
Not equal to
Data where the filter item is not equal to any specified value.
Include
Query data where fields such as URL, Referer, or Resource Type contain specified strings (for example: query URL containing /example data).
Not included
Query data where fields such as URL, Referer, or Resource Type do not contain specified strings (for example: query data where URL does not contain /example).
Starts with
Query data where fields such as URL, Referer, or Resource Type prefix match specified strings.
Does not start with
Query data where fields such as URL, Referer, or Resource Type do not prefix match specified strings.
Ends with
Query data where fields such as URL, Referer, or Resource Type suffix match specified strings.
Does not end with
Query data where fields such as URL, Referer, or Resource Type do not suffix match specified strings.
﻿
﻿

Supported filter options
- Metric Analysis
- Web Security Analysis
Relationship between multiple filter criteria
Supported Operators

Filter Option Name	API parameter name	Description	Example value/Enum value	Can be used for metrics list
Site	`ZoneId`	EdgeOne site.	`zone-3eoo0chifzcs`	All metrics
content identifier	`ZoneId`	Content identifier. This feature is currently in beta. If you need to use it, please contact us.	`eocontent-3edho0x9tmea`	L7 traffic, L7 bandwidth, L7 requests
Host	`domain`	The Host in client requests. If accessing EdgeOne via a wildcard domain, the data will record the wildcard domain rather than the specific domain.	`www.example.com` or `*.example.com`	Domain Service Metrics, Edge Function Metrics
Country/Region	`country`	The country or region of the source of client requests. Country/Region follows the ISO 3166-1 alpha-2 standard.	`CN`	L7 access traffic, L7 access bandwidth, L7 access requests, L7 access response time, TCP/UDP Application Metrics
status code	`statusCode`	The status code returned by EdgeOne to clients. Data from the last 30 days can be queried.	`1XX`: 1xx status codes. `2XX`: 2xx status codes. `3XX`: 3xx status codes. `4XX`: 4xx status codes. `5XX`: 5xx status codes; An integer in the range [0,600).	L7 traffic, L7 bandwidth, L7 requests
HTTP Protocol	`protocol`	The HTTP version used by client requests.	`HTTP/1.0` `HTTP/1.1` `HTTP/2.0` `HTTP/3`: HTTP/3.0 (QUIC protocol) `WebSocket`:WebSocket Over HTTP/1.1	L7 traffic, L7 bandwidth, L7 requests
Carrier	`isp`	The carrier of the client request source. Only supports site data from AZs in the Chinese mainland. Data from the last 30 days can be queried.	`2`: China Telecom; `26`: China Unicom; `1046`: China Mobile; `3947`: China Tietong; `38`: Education Network; `43`: Great Wall Broadband; `0`: Other carriers.	L7 access traffic, L7 access bandwidth, L7 access requests, L7 access response time
Province	`province`	The province of the client request source. Only supports site data from AZs in the Chinese mainland. Data from the last 30 days can be queried.	Province codes refer to the province mapping table for mainland China, example value: `22`.	L7 access traffic, L7 access bandwidth, L7 access requests, L7 access response time
TLS version	`tlsVersion`	The TLS protocol version used by client requests. Data from the last 30 days can be queried.	`TLS1.0` `TLS1.1` `TLS1.2` `TLS1.3`	L7 traffic, L7 bandwidth, L7 requests
URL Path	`url`	The URL path (path) of client requests, excluding query parameters. Data from the last 30 days can be queried.	`/content` or `/content/test.jpg`	L7 traffic, L7 bandwidth, L7 requests
Referer	`referer`	The Referer header value of client requests, excluding query parameters. Data from the last 30 days can be queried.	`http://www.example.com/`	L7 traffic, L7 bandwidth, L7 requests
Resource type	`resourceType`	The resource type of client requests, that is, the file extension of the requested resources. Data from the last 30 days can be queried.	`.txt` or `.jpg`	L7 traffic, L7 bandwidth, L7 requests
Device type	`deviceType`	The device type of client requests, extracted from the `User-Agent` header. Data from the last 30 days can be queried.	`TV`: Television `Tablet`: Tablet computer `Mobile`: Mobile phone `Desktop`: Computer `Other`: Other	L7 traffic, L7 bandwidth, L7 requests
Browser type	`browserType`	The browser type used in client requests, extracted and categorized from the `User-Agent` header. Data from the last 30 days can be queried.	`Firefox`: Firefox browser; `Chrome`: Chrome browser; `Safari`: Safari browser; `Other`: Other browser types; `Bot`: Search engine crawler; `MicrosoftEdge`: MicrosoftEdge browser; `IE`: IE browser; `Opera`: Opera browser; `QQBrowser`: QQBrowser; `LBBrowser`: LBBrowser; `MaxthonBrowser`: Maxthon browser; `SouGouBrowser`: Sogou browser; `BIDUBrowser`: Baidu Browser; `TaoBrowser`: Tao Browser; `UBrowser`: UC Browser.	L7 traffic, L7 bandwidth, L7 requests
Client Operating System	`operatingSystemType`	The operating system type used in client requests, extracted and categorized from the `User-Agent` header. Data from the last 30 days can be queried.	`Linux`: Linux operating system; `MacOS`: macOS operating system; `Android`: Android operating system; `IOS`: IOS operating system; `Windows`: Windows operating system; `NetBSD`:NetBSD; `ChromiumOS`:ChromiumOS; `Bot`: Search engine crawler; `Other`: Other operating systems;	L7 traffic, L7 bandwidth, L7 requests
IP version	`ipVersion`	The IP address version used by client requests. Data from the last 30 days can be queried.	`4`:IPv4; `6`:IPv6.	L7 access traffic, L7 access bandwidth, L7 access requests, L7 access response time
HTTP/HTTPS	`socket`	The HTTP protocol type used by client requests.	`HTTP` `HTTPS`	L7 access traffic, L7 access bandwidth, L7 access requests, L7 access response time
Cache status	`cacheType`	Cache status of client requests.	`hit`: The request hits the EdgeOne node cache, and resources are served from the node cache. Partial cache hits are also recorded as hit. `miss`: The request misses the EdgeOne node cache, and resources are provided by the origin server. `dynamic`: The requested resources cannot be cached/are not configured to be cached at the node, and resources are provided by the origin server. `other`: Unrecognized cache status. Requests responded to by edge functions are recorded as other.	L7 traffic, L7 bandwidth, L7 requests
Whether the request has been mitigated by the Web Protection Module	`mitigatedByWebSecurity`	Indicates whether the request has been mitigated by the EdgeOne Web Protection Module. Intercept or challenge actions are considered mitigated.	`yes`: Requests intercepted or challenged by the EdgeOne Web Protection Module. Excludes requests that didn't trigger security rules and requests with final actions of Observe or Allow. `no`: Requests responded by EdgeOne or the origin server after passing through protection.	L7 traffic, L7 bandwidth, L7 requests
Client IP address	`clientIp`	Client IP address. Data from the last 30 days can be queried. When the operator is equals/does not equal, multiple values are supported.	`1.1.1.1`	L7 traffic, L7 bandwidth, L7 requests, L7 protection hits
User-Agent	`userAgent`	The `User-Agent` header value of client requests. Data from the last 30 days can be queried.	`Mozilla/5.0 (Windows; U; Windows NT 5.2; sk; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15`	L7 traffic, L7 bandwidth, L7 requests
Layer 4 proxy forwarding rules	`ruleId`	Specific forwarding rules for L4 proxy instances.	`rule-3ddvs7nn3xap`	TCP/UDP Application Metrics
L4 proxy instance	`proxyId`	L4 proxy instance.	`sid-3ddun6tk0l9k`	TCP/UDP Application Metrics
Edge function name	-	The unique identifier of an EdgeOne edge function instance.	`test1-zone-3e25s02xxbxe-1257620286`	Edge Function Metrics
Edge Function Execution Result	-	Edge function execution result.	Successful. Failed.	Edge Function Metrics
DNS Response Code	-	DNS resolution response status code.	`NOError`: no error, successful response. `NXDomain`: non-existent record. `NotImp`: Not implemented, DNS server does not support the requested query type; for implemented query types, refer to Record Type Introduction. `Refused`: Refused, the DNS server declined to perform the specified operation due to policy.	number of DNS resolutions
DNS record	-	DNS record type.	Refer to Record Type Introduction.	DNS resolution number
DNS region	-	Continent of client request source.	Asia Europe Africa Oceania America	number of DNS resolutions
Request disposition result	-	Web protection rules request disposition method.	Observation	L7 protection hit count
Rule ID	-	Request hits Web protection rule ID.	`2186065971`	L7 protection number of hits
Anti-DDoS instance	-	Anti-DDoS instance.		L3/4 DDoS Attack Protection Related Metrics
EdgeOne Shield space	-	EdgeOne Shield space.		EdgeOne Shield Related Metrics

Operator	Description
Equal to	Data where the filter item equals any specified value.
Not equal to	Data where the filter item is not equal to any specified value.
Include	Query data where fields such as URL, Referer, or Resource Type contain specified strings (for example: query `URL containing /example` data).
Not included	Query data where fields such as URL, Referer, or Resource Type do not contain specified strings (for example: query data where `URL does not contain /example`).
Starts with	Query data where fields such as URL, Referer, or Resource Type prefix match specified strings.
Does not start with	Query data where fields such as URL, Referer, or Resource Type do not prefix match specified strings.
Ends with	Query data where fields such as URL, Referer, or Resource Type suffix match specified strings.
Does not end with	Query data where fields such as URL, Referer, or Resource Type do not suffix match specified strings.