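-- ClickHouse DDL for the tsg_galaxy_v3 log store on cluster js_datahouse.
--
-- Layout: every log type is a pair of tables.
--   <name>_local : ReplicatedMergeTree holding the rows on each shard/replica.
--   <name>       : Distributed table over <name>_local, sharded with rand().
--
-- Retention: each *_local table has TTL toDateTime(recv_time) + 15552000 s
-- (15552000 / 86400 = 180 days).
-- NOTE(review): PARTITION BY and TTL pass the Int64 recv_time to toDate()/toDateTime();
-- this presumably expects epoch seconds -- confirm against the writer.
-- NOTE(review): the replication paths contain {shard} and the table name but not the
-- database name; verify that no same-named table in another database on this cluster
-- can resolve to the same path.
CREATE DATABASE IF NOT EXISTS tsg_galaxy_v3 ON CLUSTER js_datahouse;

-- DoS detection events, per-shard storage.
-- NOTE(review): IP addresses and IP lists are stored as String; nothing in this DDL
-- validates their format.
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.dos_event_local ON CLUSTER js_datahouse
(
    vsys_id Int32 COMMENT 'Vsys ID',
    recv_time Int64 COMMENT 'Receive Time',
    log_id UInt64 COMMENT 'Log ID',
    profile_id Int64 COMMENT 'Profile ID',
    start_time Int64 COMMENT 'Start Time',
    end_time Int64 COMMENT 'End Time',
    attack_type String COMMENT 'Attack Type',
    severity String COMMENT 'Severity',
    conditions String COMMENT 'Conditions',
    destination_ip String COMMENT 'Destination IP',
    destination_country String COMMENT 'Destination Country',
    source_ip_list String COMMENT 'Source IP List',
    source_country_list String COMMENT 'Source Country List',
    session_rate Int64 COMMENT 'Sessions/s',
    packet_rate Int64 COMMENT 'Packets/s',
    bit_rate Int64 COMMENT 'Bits/s'
)
ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/dos_event_local', '{replica}')
PARTITION BY toYYYYMMDD(toDate(recv_time))
ORDER BY (vsys_id, destination_ip, recv_time, log_id)
TTL toDateTime(recv_time) + toIntervalSecond(15552000);

-- DoS detection events, cluster-wide entry point over dos_event_local.
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.dos_event ON CLUSTER js_datahouse
(
    vsys_id Int32 COMMENT 'Vsys ID',
    recv_time Int64 COMMENT 'Receive Time',
    log_id UInt64 COMMENT 'Log ID',
    profile_id Int64 COMMENT 'Profile ID',
    start_time Int64 COMMENT 'Start Time',
    end_time Int64 COMMENT 'End Time',
    attack_type String COMMENT 'Attack Type',
    severity String COMMENT 'Severity',
    conditions String COMMENT 'Conditions',
    destination_ip String COMMENT 'Destination IP',
    destination_country String COMMENT 'Destination Country',
    source_ip_list String COMMENT 'Source IP List',
    source_country_list String COMMENT 'Source Country List',
    session_rate Int64 COMMENT 'Sessions/s',
    packet_rate Int64 COMMENT 'Packets/s',
    bit_rate Int64 COMMENT 'Bits/s'
)
ENGINE = Distributed(js_datahouse, tsg_galaxy_v3, dos_event_local, rand());

-- Assessment events, per-shard storage.
-- NOTE(review): vsys_id is Int64 here but Int32 in dos_event and session_record;
-- left unchanged because altering the type would change the table interface.
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.assessment_event_local ON CLUSTER js_datahouse
(
    log_id UInt64 COMMENT 'Log ID',
    recv_time Int64 COMMENT 'Receive Time',
    vsys_id Int64 COMMENT 'Vsys ID',
    assessment_date Int64 COMMENT 'Assessment Date',
    lot_number String COMMENT 'Lot Number',
    file_name String COMMENT 'File Name',
    assessment_file String COMMENT 'Assessment File',
    assessment_type String COMMENT 'Assessment Type',
    features String COMMENT 'Features',
    size Int64 COMMENT 'Size',
    file_checksum_sha String COMMENT 'File Checksum SHA'
)
ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/assessment_event_local', '{replica}')
PARTITION BY toYYYYMMDD(toDate(recv_time))
ORDER BY (vsys_id, recv_time, log_id)
TTL toDateTime(recv_time) + toIntervalSecond(15552000);

-- Assessment events, cluster-wide entry point over assessment_event_local.
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.assessment_event ON CLUSTER js_datahouse
(
    log_id UInt64 COMMENT 'Log ID',
    recv_time Int64 COMMENT 'Receive Time',
    vsys_id Int64 COMMENT 'Vsys ID',
    assessment_date Int64 COMMENT 'Assessment Date',
    lot_number String COMMENT 'Lot Number',
    file_name String COMMENT 'File Name',
    assessment_file String COMMENT 'Assessment File',
    assessment_type String COMMENT 'Assessment Type',
    features String COMMENT 'Features',
    size Int64 COMMENT 'Size',
    file_checksum_sha String COMMENT 'File Checksum SHA'
)
ENGINE = Distributed(js_datahouse, tsg_galaxy_v3, assessment_event_local, rand());

-- Session records, per-shard storage: one wide row per decoded session with
-- per-protocol column groups (DNS, HTTP, SSL, DTLS, MAIL, FTP, QUIC, RDP, SSH, SIP,
-- RTP, Stratum) followed by traffic counters.
--
-- NOTE(review): several columns hold credentials, session tokens, payload content or
-- subscriber identifiers as plain String: mail_password, mail_account, ftp_account,
-- http_cookie, http_set_cookie, http_request_body, http_response_body, rdp_cookie,
-- subscriber_id, imei, imsi, phone_number. This DDL defines no protection for them and
-- they are kept for the full 180-day TTL. Restrict read access to these columns
-- (column-level grants on both the _local and the Distributed table) and consider
-- masking or dropping them at ingestion where the raw value is not required.
--
-- Column COMMENT labels for the SSL and MAIL groups and one TCP counter were corrected
-- to describe the column they are attached to; column names and types are unchanged.
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.session_record_local ON CLUSTER js_datahouse
(
    recv_time Int64 COMMENT 'Receive Time',
    log_id UInt64 COMMENT 'Log ID',
    decoded_as String COMMENT 'Decoded AS',
    session_id UInt64 COMMENT 'Session ID',
    start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
    end_timestamp_ms DateTime64(3) COMMENT 'End Time',
    duration_ms Int32 COMMENT 'Duration',
    tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
    ingestion_time Int64 COMMENT 'Ingestion Time',
    processing_time Int64 COMMENT 'Processing Time',
    -- Computed by the server at insert time, not supplied by the writer.
    insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
    device_id String COMMENT 'Device ID',
    out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
    in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
    device_tag String COMMENT 'Device Tag',
    data_center String COMMENT 'Data Center',
    device_group String COMMENT 'Device Group',
    sled_ip String COMMENT 'Sled IP',
    address_type Int32 COMMENT 'Address Type',
    vsys_id Int32 COMMENT 'Vsys ID',
    t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
    flags Int64 COMMENT 'Flags',
    flags_identify_info String COMMENT 'Flags Identify Info',
    security_rule_list Array(Int64) COMMENT 'Security Rule List',
    security_action String COMMENT 'Security Action',
    monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
    shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
    proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
    statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
    sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
    sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
    sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
    proxy_action String COMMENT 'Proxy Action',
    proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
    proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
    proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
    proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
    proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
    proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
    proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
    proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
    proxy_intercept_error String COMMENT 'Proxy Intercept Error',
    monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
    monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
    client_ip String COMMENT 'Client IP',
    client_port Int32 COMMENT 'Client Port',
    client_os_desc String COMMENT 'Client OS Description',
    client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
    client_asn Nullable(Int64) COMMENT 'Client ASN',
    subscriber_id String COMMENT 'Subscriber ID',
    imei String COMMENT 'IMEI',
    imsi String COMMENT 'IMSI',
    phone_number String COMMENT 'Phone Number',
    apn String COMMENT 'APN',
    server_ip String COMMENT 'Server IP',
    server_port Int32 COMMENT 'Server Port',
    server_os_desc String COMMENT 'Server OS Description',
    server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
    server_asn Nullable(Int64) COMMENT 'Server ASN',
    server_fqdn String COMMENT 'Server FQDN',
    server_domain String COMMENT 'Server Domain',
    app_transition String COMMENT 'Application Transition',
    app LowCardinality(String) COMMENT 'Application',
    app_debug_info String COMMENT 'Application Debug Info',
    app_content String COMMENT 'Application Content',
    fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
    ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
    decoded_path LowCardinality(String) COMMENT 'Decoded Path',
    dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
    dns_qr Nullable(Int32) COMMENT 'DNS QR',
    dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
    dns_aa Nullable(Int32) COMMENT 'DNS AA',
    dns_tc Nullable(Int32) COMMENT 'DNS TC',
    dns_rd Nullable(Int32) COMMENT 'DNS RD',
    dns_ra Nullable(Int32) COMMENT 'DNS RA',
    dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
    dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
    dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
    dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
    dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
    dns_qname String COMMENT 'DNS QNAME',
    dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
    dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
    dns_cname String COMMENT 'DNS CNAME',
    dns_sub Nullable(Int32) COMMENT 'DNS SUB',
    dns_rr String COMMENT 'DNS RR',
    dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
    http_url String COMMENT 'HTTP URL',
    http_host String COMMENT 'HTTP Host',
    http_request_line String COMMENT 'HTTP Request Line',
    http_response_line String COMMENT 'HTTP Response Line',
    http_request_body String COMMENT 'HTTP Request Body',
    http_response_body String COMMENT 'HTTP Response Body',
    http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
    http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
    http_cookie String COMMENT 'HTTP Cookie',
    http_referer String COMMENT 'HTTP Referer',
    http_user_agent String COMMENT 'HTTP User-Agent',
    http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
    http_request_content_type String COMMENT 'HTTP Request Content-Type',
    http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
    http_response_content_type String COMMENT 'HTTP Response Content-Type',
    http_set_cookie String COMMENT 'HTTP Set-Cookie',
    http_version String COMMENT 'HTTP Version',
    http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
    http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
    http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
    http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
    ssl_version String COMMENT 'SSL Version',
    ssl_sni String COMMENT 'SSL SNI',
    ssl_san String COMMENT 'SSL SAN',
    ssl_cn String COMMENT 'SSL CN',
    ssl_handshake_latency_ms Nullable(Int32) COMMENT 'SSL Handshake Latency',
    -- The six labels below previously described other columns (e.g. ssl_cert_issuer
    -- was labelled 'SSL JA3S Fingerprint'); they now follow the column names.
    ssl_ja3_hash String COMMENT 'SSL JA3 Hash',
    ssl_ja3s_hash String COMMENT 'SSL JA3S Hash',
    ssl_cert_issuer String COMMENT 'SSL Certificate Issuer',
    ssl_cert_subject String COMMENT 'SSL Certificate Subject',
    ssl_esni_flag Nullable(Int32) COMMENT 'SSL ESNI Flag',
    ssl_ech_flag Nullable(Int32) COMMENT 'SSL ECH Flag',
    dtls_cookie String COMMENT 'DTLS Cookie',
    dtls_version String COMMENT 'DTLS Version',
    dtls_sni String COMMENT 'DTLS SNI',
    dtls_san String COMMENT 'DTLS SAN',
    dtls_cn String COMMENT 'DTLS CN',
    dtls_handshake_latency_ms Nullable(Int32) COMMENT 'DTLS Handshake Latency',
    dtls_ja3_fingerprint String COMMENT 'DTLS JA3 Fingerprint',
    dtls_ja3_hash String COMMENT 'DTLS JA3 Hash',
    dtls_cert_issuer String COMMENT 'DTLS Certificate Issuer',
    dtls_cert_subject String COMMENT 'DTLS Certificate Subject',
    mail_protocol_type String COMMENT 'MAIL Protocol Type',
    mail_account String COMMENT 'MAIL Account',
    mail_from_cmd String COMMENT 'MAIL From CMD',
    mail_to_cmd String COMMENT 'MAIL To CMD',
    mail_from String COMMENT 'MAIL From',
    mail_password String COMMENT 'MAIL Password',
    mail_to String COMMENT 'MAIL To',
    mail_cc String COMMENT 'MAIL CC',
    mail_bcc String COMMENT 'MAIL BCC',
    mail_subject String COMMENT 'MAIL Subject',
    mail_subject_charset String COMMENT 'MAIL Subject Charset',
    -- The three labels below previously read 'MAIL Content', 'MAIL Content Charset'
    -- and 'MAIL Attachment Name'; they now follow the column names.
    mail_attachment_name String COMMENT 'MAIL Attachment Name',
    mail_attachment_name_charset String COMMENT 'MAIL Attachment Name Charset',
    mail_eml_file String COMMENT 'MAIL EML File',
    ftp_account String COMMENT 'FTP Account',
    ftp_url String COMMENT 'FTP URL',
    ftp_link_type String COMMENT 'FTP Link Type',
    quic_version String COMMENT 'QUIC Version',
    quic_sni String COMMENT 'QUIC SNI',
    quic_user_agent String COMMENT 'QUIC User-Agent',
    rdp_cookie String COMMENT 'RDP Cookie',
    rdp_security_protocol String COMMENT 'RDP Security Protocol',
    rdp_client_channels String COMMENT 'RDP Client Channels',
    rdp_keyboard_layout String COMMENT 'RDP Keyboard Layout',
    rdp_client_version String COMMENT 'RDP Client Version',
    rdp_client_name String COMMENT 'RDP Client Name',
    rdp_client_product_id String COMMENT 'RDP Client Product ID',
    rdp_desktop_width String COMMENT 'RDP Desktop Width',
    rdp_desktop_height String COMMENT 'RDP Desktop Height',
    rdp_requested_color_depth String COMMENT 'RDP Requested Color Depth',
    rdp_certificate_type String COMMENT 'RDP Certificate Type',
    rdp_certificate_count Nullable(Int32) COMMENT 'RDP Certificate Count',
    rdp_certificate_permanent Nullable(Int32) COMMENT 'RDP Certificate Permanent',
    rdp_encryption_level String COMMENT 'RDP Encryption Level',
    rdp_encryption_method String COMMENT 'RDP Encryption Method',
    ssh_version String COMMENT 'SSH Version',
    ssh_auth_success String COMMENT 'SSH Authentication Result',
    ssh_client_version String COMMENT 'SSH Client Version',
    ssh_server_version String COMMENT 'SSH Server Version',
    ssh_cipher_alg String COMMENT 'SSH Encryption Algorithm',
    ssh_mac_alg String COMMENT 'SSH Signing Algorithm',
    ssh_compression_alg String COMMENT 'SSH Compression Algorithm',
    ssh_kex_alg String COMMENT 'SSH Key Exchange Algorithm',
    ssh_host_key_alg String COMMENT 'SSH Server Host Key Algorithm',
    ssh_host_key String COMMENT 'SSH Server Key Fingerprint',
    ssh_hassh String COMMENT 'SSH HASSH',
    sip_call_id String COMMENT 'SIP Call-ID',
    sip_originator_description String COMMENT 'SIP Originator',
    sip_responder_description String COMMENT 'SIP Responder',
    sip_user_agent String COMMENT 'SIP User-Agent',
    sip_server String COMMENT 'SIP Server',
    sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
    sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
    sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
    sip_originator_sdp_content String COMMENT 'SIP Originator Content',
    sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
    sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
    sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
    sip_responder_sdp_content String COMMENT 'SIP Responder Content',
    sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
    sip_bye String COMMENT 'SIP Bye',
    rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
    rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
    rtp_pcap_path String COMMENT 'RTP PCAP',
    rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
    stratum_cryptocurrency String COMMENT 'Stratum Cryptocurrency',
    stratum_mining_pools String COMMENT 'Stratum Mining Pools',
    stratum_mining_program String COMMENT 'Stratum Mining Program',
    stratum_mining_subscribe String COMMENT 'Stratum Mining Subscribe',
    sent_pkts Int64 COMMENT 'Packets Sent',
    received_pkts Int64 COMMENT 'Packets Received',
    sent_bytes Int64 COMMENT 'Bytes Sent',
    received_bytes Int64 COMMENT 'Bytes Received',
    tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
    tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
    tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
    tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
    tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-Order Packets',
    tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
    tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
    tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
    tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
    tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
    tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
    tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
    tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
    packet_capture_file String COMMENT 'Packet Capture File',
    in_src_mac String COMMENT 'Incoming Source MAC',
    out_src_mac String COMMENT 'Outgoing Source MAC',
    in_dest_mac String COMMENT 'Incoming Destination MAC',
    out_dest_mac String COMMENT 'Outgoing Destination MAC',
    encapsulation String COMMENT 'Encapsulation',
    dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
    tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
    tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
)
ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/session_record_local', '{replica}')
PARTITION BY toYYYYMMDD(toDate(recv_time))
ORDER BY (vsys_id, security_action, proxy_action, decoded_as, data_center, device_group, recv_time)
TTL toDateTime(recv_time) + toIntervalSecond(15552000);

-- Session records, cluster-wide entry point over session_record_local.
-- The column list mirrors session_record_local, including the corrected SSL, MAIL and
-- TCP labels. The same sensitive columns are readable through this table, so any
-- access restriction has to be applied here as well as on the _local table.
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.session_record ON CLUSTER js_datahouse
(
    recv_time Int64 COMMENT 'Receive Time',
    log_id UInt64 COMMENT 'Log ID',
    decoded_as String COMMENT 'Decoded AS',
    session_id UInt64 COMMENT 'Session ID',
    start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
    end_timestamp_ms DateTime64(3) COMMENT 'End Time',
    duration_ms Int32 COMMENT 'Duration',
    tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
    ingestion_time Int64 COMMENT 'Ingestion Time',
    processing_time Int64 COMMENT 'Processing Time',
    insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
    device_id String COMMENT 'Device ID',
    out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
    in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
    device_tag String COMMENT 'Device Tag',
    data_center String COMMENT 'Data Center',
    device_group String COMMENT 'Device Group',
    sled_ip String COMMENT 'Sled IP',
    address_type Int32 COMMENT 'Address Type',
    vsys_id Int32 COMMENT 'Vsys ID',
    t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
    flags Int64 COMMENT 'Flags',
    flags_identify_info String COMMENT 'Flags Identify Info',
    security_rule_list Array(Int64) COMMENT 'Security Rule List',
    security_action String COMMENT 'Security Action',
    monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
    shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
    proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
    statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
    sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
    sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
    sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
    proxy_action String COMMENT 'Proxy Action',
    proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
    proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
    proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
    proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
    proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
    proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
    proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
    proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
    proxy_intercept_error String COMMENT 'Proxy Intercept Error',
    monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
    monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
    client_ip String COMMENT 'Client IP',
    client_port Int32 COMMENT 'Client Port',
    client_os_desc String COMMENT 'Client OS Description',
    client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
    client_asn Nullable(Int64) COMMENT 'Client ASN',
    subscriber_id String COMMENT 'Subscriber ID',
    imei String COMMENT 'IMEI',
    imsi String COMMENT 'IMSI',
    phone_number String COMMENT 'Phone Number',
    apn String COMMENT 'APN',
    server_ip String COMMENT 'Server IP',
    server_port Int32 COMMENT 'Server Port',
    server_os_desc String COMMENT 'Server OS Description',
    server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
    server_asn Nullable(Int64) COMMENT 'Server ASN',
    server_fqdn String COMMENT 'Server FQDN',
    server_domain String COMMENT 'Server Domain',
    app_transition String COMMENT 'Application Transition',
    app LowCardinality(String) COMMENT 'Application',
    app_debug_info String COMMENT 'Application Debug Info',
    app_content String COMMENT 'Application Content',
    fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
    ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
    decoded_path LowCardinality(String) COMMENT 'Decoded Path',
    dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
    dns_qr Nullable(Int32) COMMENT 'DNS QR',
    dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
    dns_aa Nullable(Int32) COMMENT 'DNS AA',
    dns_tc Nullable(Int32) COMMENT 'DNS TC',
    dns_rd Nullable(Int32) COMMENT 'DNS RD',
    dns_ra Nullable(Int32) COMMENT 'DNS RA',
    dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
    dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
    dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
    dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
    dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
    dns_qname String COMMENT 'DNS QNAME',
    dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
    dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
    dns_cname String COMMENT 'DNS CNAME',
    dns_sub Nullable(Int32) COMMENT 'DNS SUB',
    dns_rr String COMMENT 'DNS RR',
    dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
    http_url String COMMENT 'HTTP URL',
    http_host String COMMENT 'HTTP Host',
    http_request_line String COMMENT 'HTTP Request Line',
    http_response_line String COMMENT 'HTTP Response Line',
    http_request_body String COMMENT 'HTTP Request Body',
    http_response_body String COMMENT 'HTTP Response Body',
    http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
    http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
    http_cookie String COMMENT 'HTTP Cookie',
    http_referer String COMMENT 'HTTP Referer',
    http_user_agent String COMMENT 'HTTP User-Agent',
    http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
    http_request_content_type String COMMENT 'HTTP Request Content-Type',
    http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
    http_response_content_type String COMMENT 'HTTP Response Content-Type',
    http_set_cookie String COMMENT 'HTTP Set-Cookie',
    http_version String COMMENT 'HTTP Version',
    http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
    http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
    http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
    http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
    ssl_version String COMMENT 'SSL Version',
    ssl_sni String COMMENT 'SSL SNI',
    ssl_san String COMMENT 'SSL SAN',
    ssl_cn String COMMENT 'SSL CN',
    ssl_handshake_latency_ms Nullable(Int32) COMMENT 'SSL Handshake Latency',
    ssl_ja3_hash String COMMENT 'SSL JA3 Hash',
    ssl_ja3s_hash String COMMENT 'SSL JA3S Hash',
    ssl_cert_issuer String COMMENT 'SSL Certificate Issuer',
    ssl_cert_subject String COMMENT 'SSL Certificate Subject',
    ssl_esni_flag Nullable(Int32) COMMENT 'SSL ESNI Flag',
    ssl_ech_flag Nullable(Int32) COMMENT 'SSL ECH Flag',
    dtls_cookie String COMMENT 'DTLS Cookie',
    dtls_version String COMMENT 'DTLS Version',
    dtls_sni String COMMENT 'DTLS SNI',
    dtls_san String COMMENT 'DTLS SAN',
    dtls_cn String COMMENT 'DTLS CN',
    dtls_handshake_latency_ms Nullable(Int32) COMMENT 'DTLS Handshake Latency',
    dtls_ja3_fingerprint String COMMENT 'DTLS JA3 Fingerprint',
    dtls_ja3_hash String COMMENT 'DTLS JA3 Hash',
    dtls_cert_issuer String COMMENT 'DTLS Certificate Issuer',
    dtls_cert_subject String COMMENT 'DTLS Certificate Subject',
    mail_protocol_type String COMMENT 'MAIL Protocol Type',
    mail_account String COMMENT 'MAIL Account',
    mail_from_cmd String COMMENT 'MAIL From CMD',
    mail_to_cmd String COMMENT 'MAIL To CMD',
    mail_from String COMMENT 'MAIL From',
    mail_password String COMMENT 'MAIL Password',
    mail_to String COMMENT 'MAIL To',
    mail_cc String COMMENT 'MAIL CC',
    mail_bcc String COMMENT 'MAIL BCC',
    mail_subject String COMMENT 'MAIL Subject',
    mail_subject_charset String COMMENT 'MAIL Subject Charset',
    mail_attachment_name String COMMENT 'MAIL Attachment Name',
    mail_attachment_name_charset String COMMENT 'MAIL Attachment Name Charset',
    mail_eml_file String COMMENT 'MAIL EML File',
    ftp_account String COMMENT 'FTP Account',
    ftp_url String COMMENT 'FTP URL',
    ftp_link_type String COMMENT 'FTP Link Type',
    quic_version String COMMENT 'QUIC Version',
    quic_sni String COMMENT 'QUIC SNI',
    quic_user_agent String COMMENT 'QUIC User-Agent',
    rdp_cookie String COMMENT 'RDP Cookie',
    rdp_security_protocol String COMMENT 'RDP Security Protocol',
    rdp_client_channels String COMMENT 'RDP Client Channels',
    rdp_keyboard_layout String COMMENT 'RDP Keyboard Layout',
    rdp_client_version String COMMENT 'RDP Client Version',
    rdp_client_name String COMMENT 'RDP Client Name',
    rdp_client_product_id String COMMENT 'RDP Client Product ID',
    rdp_desktop_width String COMMENT 'RDP Desktop Width',
    rdp_desktop_height String COMMENT 'RDP Desktop Height',
    rdp_requested_color_depth String COMMENT 'RDP Requested Color Depth',
    rdp_certificate_type String COMMENT 'RDP Certificate Type',
    rdp_certificate_count Nullable(Int32) COMMENT 'RDP Certificate Count',
    rdp_certificate_permanent Nullable(Int32) COMMENT 'RDP Certificate Permanent',
    rdp_encryption_level String COMMENT 'RDP Encryption Level',
    rdp_encryption_method String COMMENT 'RDP Encryption Method',
    ssh_version String COMMENT 'SSH Version',
    ssh_auth_success String COMMENT 'SSH Authentication Result',
    ssh_client_version String COMMENT 'SSH Client Version',
    ssh_server_version String COMMENT 'SSH Server Version',
    ssh_cipher_alg String COMMENT 'SSH Encryption Algorithm',
    ssh_mac_alg String COMMENT 'SSH Signing Algorithm',
    ssh_compression_alg String COMMENT 'SSH Compression Algorithm',
    ssh_kex_alg String COMMENT 'SSH Key Exchange Algorithm',
    ssh_host_key_alg String COMMENT 'SSH Server Host Key Algorithm',
    ssh_host_key String COMMENT 'SSH Server Key Fingerprint',
    ssh_hassh String COMMENT 'SSH HASSH',
    sip_call_id String COMMENT 'SIP Call-ID',
    sip_originator_description String COMMENT 'SIP Originator',
    sip_responder_description String COMMENT 'SIP Responder',
    sip_user_agent String COMMENT 'SIP User-Agent',
    sip_server String COMMENT 'SIP Server',
    sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
    sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
    sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
    sip_originator_sdp_content String COMMENT 'SIP Originator Content',
    sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
    sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
    sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
    sip_responder_sdp_content String COMMENT 'SIP Responder Content',
    sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
    sip_bye String COMMENT 'SIP Bye',
    rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
    rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
    rtp_pcap_path String COMMENT 'RTP PCAP',
    rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
    stratum_cryptocurrency String COMMENT 'Stratum Cryptocurrency',
    stratum_mining_pools String COMMENT 'Stratum Mining Pools',
    stratum_mining_program String COMMENT 'Stratum Mining Program',
    stratum_mining_subscribe String COMMENT 'Stratum Mining Subscribe',
    sent_pkts Int64 COMMENT 'Packets Sent',
    received_pkts Int64 COMMENT 'Packets Received',
    sent_bytes Int64 COMMENT 'Bytes Sent',
    received_bytes Int64 COMMENT 'Bytes Received',
    tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
    tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
    tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
    tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
    tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-Order Packets',
    tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
    tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
    tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
    tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
    tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
    tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
    tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
    tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
    packet_capture_file String COMMENT 'Packet Capture File',
    in_src_mac String COMMENT 'Incoming Source MAC',
    out_src_mac String COMMENT 'Outgoing Source MAC',
    in_dest_mac String COMMENT 'Incoming Destination MAC',
    out_dest_mac String COMMENT 'Outgoing Destination MAC',
    encapsulation String COMMENT 'Encapsulation',
    dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
    tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
    tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
)
ENGINE = Distributed(js_datahouse, tsg_galaxy_v3, session_record_local, rand());

-- security_event_local: this statement continues on the following lines and is left
-- exactly as written. NOTE(review): further down it carries the same mismatched SSL
-- and MAIL column labels that were corrected in session_record above.
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.security_event_local on cluster js_datahouse ( recv_time Int64 COMMENT 'Receive Time', log_id UInt64 COMMENT 'Log ID', decoded_as String COMMENT 'Decoded AS', session_id UInt64 COMMENT 'Session ID', start_timestamp_ms DateTime64(3) COMMENT 'Start Time', end_timestamp_ms DateTime64(3) COMMENT 'End Time', duration_ms Int32 COMMENT 'Duration', tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency', ingestion_time Int64 COMMENT 'Ingestion Time', processing_time Int64 COMMENT 'Processing Time', insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time', device_id String COMMENT 'Device ID', out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID', in_link_id Nullable(Int32) COMMENT 'Incoming Link ID', device_tag String COMMENT 'Device Tag', data_center String COMMENT 'Data Center', device_group String COMMENT 'Device Group', sled_ip String COMMENT 'Sled IP', address_type Int32 COMMENT 'Address Type', vsys_id Int32 COMMENT 'Vsys ID', t_vsys_id Int32 COMMENT 'Traffic Vsys ID', flags Int64 COMMENT 'Flags', flags_identify_info String COMMENT 'Flags Identify Info', security_rule_list Array(Int64) COMMENT 'Security Rule List', security_action String COMMENT 'Security Action', monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List', shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List', proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List', statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List', sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List', sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)', sc_rsp_decrypted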
Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)', proxy_action String COMMENT 'Proxy Action', proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status', proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status', proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason', proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency', proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency', proxy_client_side_version String COMMENT 'Proxy Client-Side Version', proxy_server_side_version String COMMENT 'Proxy Server-Side Version', proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify', proxy_intercept_error String COMMENT 'Proxy Intercept Error', monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets', monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes', client_ip String COMMENT 'Client IP', client_port Int32 COMMENT 'Client Port', client_os_desc String COMMENT 'Client OS Description', client_geolocation LowCardinality(String) COMMENT 'Client Geolocation', client_asn Nullable(Int64) COMMENT 'Client ASN', subscriber_id String COMMENT 'Subscriber ID', imei String COMMENT 'IMEI', imsi String COMMENT 'IMSI', phone_number String COMMENT 'Phone Number', apn String COMMENT 'APN', server_ip String COMMENT 'Server IP', server_port Int32 COMMENT 'Server Port', server_os_desc String COMMENT 'Server OS Description', server_geolocation LowCardinality(String) COMMENT 'Server Geolocation', server_asn Nullable(Int64) COMMENT 'Server ASN', server_fqdn String COMMENT 'Server FQDN', server_domain String COMMENT 'Server Domain', app_transition String COMMENT 'Application Transition', app LowCardinality(String) COMMENT 'Application', app_debug_info String COMMENT 'Application Debug Info', app_content String COMMENT 'Application Content', fqdn_category_list Array(Int64) COMMENT 'FQDN Category List', ip_protocol LowCardinality(String) COMMENT 
'IP Protocol', decoded_path LowCardinality(String) COMMENT 'Decoded Path', dns_message_id Nullable(Int32) COMMENT 'DNS Message ID', dns_qr Nullable(Int32) COMMENT 'DNS QR', dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE', dns_aa Nullable(Int32) COMMENT 'DNS AA', dns_tc Nullable(Int32) COMMENT 'DNS TC', dns_rd Nullable(Int32) COMMENT 'DNS RD', dns_ra Nullable(Int32) COMMENT 'DNS RA', dns_rcode Nullable(Int32) COMMENT 'DNS RCODE', dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT', dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT', dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT', dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT', dns_qname String COMMENT 'DNS QNAME', dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE', dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS', dns_cname String COMMENT 'DNS CNAME', dns_sub Nullable(Int32) COMMENT 'DNS SUB', dns_rr String COMMENT 'DNS RR', dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency', http_url String COMMENT 'HTTP URL', http_host String COMMENT 'HTTP Host', http_request_line String COMMENT 'HTTP Request Line', http_response_line String COMMENT 'HTTP Response Line', http_request_body String COMMENT 'HTTP Request Body', http_response_body String COMMENT 'HTTP Response Body', http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag', http_sequence Nullable(Int32) COMMENT 'HTTP Sequence', http_cookie String COMMENT 'HTTP Cookie', http_referer String COMMENT 'HTTP Referer', http_user_agent String COMMENT 'HTTP User-Agent', http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length', http_request_content_type String COMMENT 'HTTP Request Content-Type', http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length', http_response_content_type String COMMENT 'HTTP Response Content-Type', http_set_cookie String COMMENT 'HTTP Set-Cookie', http_version String COMMENT 'HTTP Version', http_status_code Nullable(Int32) COMMENT 'HTTP Status Code', http_response_latency_ms 
Nullable(Int32) COMMENT 'HTTP Response Latency', http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration', http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size', ssl_version String COMMENT 'SSL Version', ssl_sni String COMMENT 'SSL SNI', ssl_san String COMMENT 'SSL SAN', ssl_cn String COMMENT 'SSL CN', ssl_handshake_latency_ms Nullable(Int32) COMMENT 'SSL Handshake Latency', ssl_ja3_hash String COMMENT 'SSL JA3 Fingerprint', ssl_ja3s_hash String COMMENT 'SSL JA3 Hash', ssl_cert_issuer String COMMENT 'SSL JA3S Fingerprint', ssl_cert_subject String COMMENT 'SSL JA3S Hash', ssl_esni_flag Nullable(Int32) COMMENT 'SSL Issuer', ssl_ech_flag Nullable(Int32) COMMENT 'SSL Subject', dtls_cookie String COMMENT 'DTLS Cookie', dtls_version String COMMENT 'DTLS Version', dtls_sni String COMMENT 'DTLS SNI', dtls_san String COMMENT 'DTLS SAN', dtls_cn String COMMENT 'DTLS CN', dtls_handshake_latency_ms Nullable(Int32) COMMENT 'DTLS Handshake Latency', dtls_ja3_fingerprint String COMMENT 'DTLS JA3 Fingerprint', dtls_ja3_hash String COMMENT 'DTLS JA3 Hash', dtls_cert_issuer String COMMENT 'DTLS Certificate Issuer', dtls_cert_subject String COMMENT 'DTLS Certificate Subject', mail_protocol_type String COMMENT 'MAIL Protocol Type', mail_account String COMMENT 'MAIL Account', mail_from_cmd String COMMENT 'MAIL From CMD', mail_to_cmd String COMMENT 'MAIL To CMD', mail_from String COMMENT 'MAIL From', mail_password String COMMENT 'MAIL Password', mail_to String COMMENT 'MAIL To', mail_cc String COMMENT 'MAIL CC', mail_bcc String COMMENT 'MAIL BCC', mail_subject String COMMENT 'MAIL Subject', mail_subject_charset String COMMENT 'MAIL Subject Charset', mail_attachment_name String COMMENT 'MAIL Content', mail_attachment_name_charset String COMMENT 'MAIL Content Charset', mail_eml_file String COMMENT 'MAIL Attachment Name', ftp_account String COMMENT 'FTP Account', ftp_url String COMMENT 'FTP URL', ftp_link_type String COMMENT 'FTP Link Type', quic_version 
String COMMENT 'QUIC Version', quic_sni String COMMENT 'QUIC SNI', quic_user_agent String COMMENT 'QUIC User-Agent', rdp_cookie String COMMENT 'RDP Cookie', rdp_security_protocol String COMMENT 'RDP Security Protocol', rdp_client_channels String COMMENT 'RDP Client Channels', rdp_keyboard_layout String COMMENT 'RDP Keyboard Layout', rdp_client_version String COMMENT 'RDP Client Version', rdp_client_name String COMMENT 'RDP Client Name', rdp_client_product_id String COMMENT 'RDP Client Product ID', rdp_desktop_width String COMMENT 'RDP Desktop Width', rdp_desktop_height String COMMENT 'RDP Desktop Height', rdp_requested_color_depth String COMMENT 'RDP Requested Color Depth', rdp_certificate_type String COMMENT 'RDP Certificate Type', rdp_certificate_count Nullable(Int32) COMMENT 'RDP Certificate Count', rdp_certificate_permanent Nullable(Int32) COMMENT 'RDP Certificate Permanent', rdp_encryption_level String COMMENT 'RDP Encryption Level', rdp_encryption_method String COMMENT 'RDP Encryption Method', ssh_version String COMMENT 'SSH Version', ssh_auth_success String COMMENT 'SSH Authentication Result', ssh_client_version String COMMENT 'SSH Client Version', ssh_server_version String COMMENT 'SSH Server Version', ssh_cipher_alg String COMMENT 'SSH Encryption Algorithm', ssh_mac_alg String COMMENT 'SSH Signing Algorithm', ssh_compression_alg String COMMENT 'SSH Compression Algorithm', ssh_kex_alg String COMMENT 'SSH Key Exchange Algorithm', ssh_host_key_alg String COMMENT 'SSH Server Host Key Algorithm', ssh_host_key String COMMENT 'SSH Server Key Fingerprint', ssh_hassh String COMMENT 'SSH HASSH', sip_call_id String COMMENT 'SIP Call-ID', sip_originator_description String COMMENT 'SIP Originator', sip_responder_description String COMMENT 'SIP Responder', sip_user_agent String COMMENT 'SIP User-Agent', sip_server String COMMENT 'SIP Server', sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP', sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP 
Originator Port', sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type', sip_originator_sdp_content String COMMENT 'SIP Originator Content', sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP', sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port', sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type', sip_responder_sdp_content String COMMENT 'SIP Responder Content', sip_duration_s Nullable(Int32) COMMENT 'SIP Duration', sip_bye String COMMENT 'SIP Bye', rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)', rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)', rtp_pcap_path String COMMENT 'RTP PCAP', rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction', stratum_cryptocurrency String COMMENT 'Stratum Cryptocurrency', stratum_mining_pools String COMMENT 'Stratum Mining Pools', stratum_mining_program String COMMENT 'Stratum Mining Program', stratum_mining_subscribe String COMMENT 'Stratum Mining Subscribe', sent_pkts Int64 COMMENT 'Packets Sent', received_pkts Int64 COMMENT 'Packets Received', sent_bytes Int64 COMMENT 'Bytes Sent', received_bytes Int64 COMMENT 'Bytes Received', tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments', tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments', tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes', tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes', tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets', tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets', tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets', tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets', tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes', tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes', 
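tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time', tcp_client_isn Nullable(Int64) COMMENT 'Client ISN', tcp_server_isn Nullable(Int64) COMMENT 'Server ISN', packet_capture_file String COMMENT 'Packet Capture File', in_src_mac String COMMENT 'Incoming Source MAC', out_src_mac String COMMENT 'Outgoing Source MAC', in_dest_mac String COMMENT 'Incoming Destination MAC', out_dest_mac String COMMENT 'Outgoing Destination MAC', encapsulation String COMMENT 'Encapsulation', dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag', tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description', tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description' ) ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/security_event_local', '{replica}') PARTITION BY toYYYYMMDD(toDate(recv_time)) ORDER BY (vsys_id, security_action,proxy_action,decoded_as,data_center, device_group,recv_time) TTL toDateTime(recv_time) + toIntervalSecond(15552000) ;

-- security_event: Distributed table over tsg_galaxy_v3.security_event_local on
-- cluster js_datahouse, with rand() as the sharding key. Its column list repeats
-- the one declared for security_event_local.
--
-- Fixed in this statement: several COMMENT labels had drifted away from their
-- columns (ssl_ja3_hash .. ssl_ech_flag, mail_attachment_name .. mail_eml_file)
-- and one label had a missing space ('Out-of-OrderPackets'). security_event_local
-- carries the same labels and should be corrected alongside this table.
--
-- NOTE(review): as declared, this schema stores captured credentials and session
-- material (mail_password, http_cookie, http_set_cookie, http_request_body,
-- http_response_body) and subscriber identifiers (subscriber_id, imei, imsi,
-- phone_number) as plain String columns. The local table keeps rows for
-- 15552000 s (180 days). Unless the ingest pipeline already masks these values,
-- restrict them with column-level grants (GRANT SELECT(col, ...) ON ...) and
-- confirm the retention period is acceptable for this class of data.
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.security_event on cluster js_datahouse
(
    -- recv_time is passed straight to toDate()/toDateTime() by the local table,
    -- so it is presumably Unix epoch seconds (TODO confirm).
    recv_time Int64 COMMENT 'Receive Time',
    log_id UInt64 COMMENT 'Log ID',
    decoded_as String COMMENT 'Decoded AS',
    session_id UInt64 COMMENT 'Session ID',
    start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
    end_timestamp_ms DateTime64(3) COMMENT 'End Time',
    duration_ms Int32 COMMENT 'Duration',
    tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
    ingestion_time Int64 COMMENT 'Ingestion Time',
    processing_time Int64 COMMENT 'Processing Time',
    insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
    device_id String COMMENT 'Device ID',
    out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
    in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
    device_tag String COMMENT 'Device Tag',
    data_center String COMMENT 'Data Center',
    device_group String COMMENT 'Device Group',
    sled_ip String COMMENT 'Sled IP',
    address_type Int32 COMMENT 'Address Type',
    vsys_id Int32 COMMENT 'Vsys ID',
    t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
    flags Int64 COMMENT 'Flags',
    flags_identify_info String COMMENT 'Flags Identify Info',
    security_rule_list Array(Int64) COMMENT 'Security Rule List',
    security_action String COMMENT 'Security Action',
    monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
    shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
    proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
    statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
    sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
    sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
    sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
    proxy_action String COMMENT 'Proxy Action',
    proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
    proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
    proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
    proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
    proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
    proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
    proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
    proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
    proxy_intercept_error String COMMENT 'Proxy Intercept Error',
    monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
    monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
    client_ip String COMMENT 'Client IP',
    client_port Int32 COMMENT 'Client Port',
    client_os_desc String COMMENT 'Client OS Description',
    client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
    client_asn Nullable(Int64) COMMENT 'Client ASN',
    -- Subscriber identifiers: personal data, see the access note above.
    subscriber_id String COMMENT 'Subscriber ID',
    imei String COMMENT 'IMEI',
    imsi String COMMENT 'IMSI',
    phone_number String COMMENT 'Phone Number',
    apn String COMMENT 'APN',
    server_ip String COMMENT 'Server IP',
    server_port Int32 COMMENT 'Server Port',
    server_os_desc String COMMENT 'Server OS Description',
    server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
    server_asn Nullable(Int64) COMMENT 'Server ASN',
    server_fqdn String COMMENT 'Server FQDN',
    server_domain String COMMENT 'Server Domain',
    app_transition String COMMENT 'Application Transition',
    app LowCardinality(String) COMMENT 'Application',
    app_debug_info String COMMENT 'Application Debug Info',
    app_content String COMMENT 'Application Content',
    fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
    ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
    decoded_path LowCardinality(String) COMMENT 'Decoded Path',
    dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
    dns_qr Nullable(Int32) COMMENT 'DNS QR',
    dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
    dns_aa Nullable(Int32) COMMENT 'DNS AA',
    dns_tc Nullable(Int32) COMMENT 'DNS TC',
    dns_rd Nullable(Int32) COMMENT 'DNS RD',
    dns_ra Nullable(Int32) COMMENT 'DNS RA',
    dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
    dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
    dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
    dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
    dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
    dns_qname String COMMENT 'DNS QNAME',
    dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
    dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
    dns_cname String COMMENT 'DNS CNAME',
    dns_sub Nullable(Int32) COMMENT 'DNS SUB',
    dns_rr String COMMENT 'DNS RR',
    dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
    -- HTTP bodies and cookies can carry credentials and session tokens.
    http_url String COMMENT 'HTTP URL',
    http_host String COMMENT 'HTTP Host',
    http_request_line String COMMENT 'HTTP Request Line',
    http_response_line String COMMENT 'HTTP Response Line',
    http_request_body String COMMENT 'HTTP Request Body',
    http_response_body String COMMENT 'HTTP Response Body',
    http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
    http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
    http_cookie String COMMENT 'HTTP Cookie',
    http_referer String COMMENT 'HTTP Referer',
    http_user_agent String COMMENT 'HTTP User-Agent',
    http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
    http_request_content_type String COMMENT 'HTTP Request Content-Type',
    http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
    http_response_content_type String COMMENT 'HTTP Response Content-Type',
    http_set_cookie String COMMENT 'HTTP Set-Cookie',
    http_version String COMMENT 'HTTP Version',
    http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
    http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
    http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
    http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
    ssl_version String COMMENT 'SSL Version',
    ssl_sni String COMMENT 'SSL SNI',
    ssl_san String COMMENT 'SSL SAN',
    ssl_cn String COMMENT 'SSL CN',
    ssl_handshake_latency_ms Nullable(Int32) COMMENT 'SSL Handshake Latency',
    -- The next six labels were shifted (ssl_cert_issuer read 'SSL JA3S
    -- Fingerprint', ssl_esni_flag read 'SSL Issuer', ...); they now follow
    -- the column names, matching the dtls_* labels below.
    ssl_ja3_hash String COMMENT 'SSL JA3 Hash',
    ssl_ja3s_hash String COMMENT 'SSL JA3S Hash',
    ssl_cert_issuer String COMMENT 'SSL Certificate Issuer',
    ssl_cert_subject String COMMENT 'SSL Certificate Subject',
    ssl_esni_flag Nullable(Int32) COMMENT 'SSL ESNI Flag',
    ssl_ech_flag Nullable(Int32) COMMENT 'SSL ECH Flag',
    dtls_cookie String COMMENT 'DTLS Cookie',
    dtls_version String COMMENT 'DTLS Version',
    dtls_sni String COMMENT 'DTLS SNI',
    dtls_san String COMMENT 'DTLS SAN',
    dtls_cn String COMMENT 'DTLS CN',
    dtls_handshake_latency_ms Nullable(Int32) COMMENT 'DTLS Handshake Latency',
    dtls_ja3_fingerprint String COMMENT 'DTLS JA3 Fingerprint',
    dtls_ja3_hash String COMMENT 'DTLS JA3 Hash',
    dtls_cert_issuer String COMMENT 'DTLS Certificate Issuer',
    dtls_cert_subject String COMMENT 'DTLS Certificate Subject',
    mail_protocol_type String COMMENT 'MAIL Protocol Type',
    mail_account String COMMENT 'MAIL Account',
    mail_from_cmd String COMMENT 'MAIL From CMD',
    mail_to_cmd String COMMENT 'MAIL To CMD',
    mail_from String COMMENT 'MAIL From',
    -- NOTE(review): a captured mail password kept as a plain String; prefer
    -- dropping or masking it at ingestion if the value is not needed verbatim.
    mail_password String COMMENT 'MAIL Password',
    mail_to String COMMENT 'MAIL To',
    mail_cc String COMMENT 'MAIL CC',
    mail_bcc String COMMENT 'MAIL BCC',
    mail_subject String COMMENT 'MAIL Subject',
    mail_subject_charset String COMMENT 'MAIL Subject Charset',
    -- Labels corrected: these three read 'MAIL Content', 'MAIL Content Charset'
    -- and 'MAIL Attachment Name' respectively.
    mail_attachment_name String COMMENT 'MAIL Attachment Name',
    mail_attachment_name_charset String COMMENT 'MAIL Attachment Name Charset',
    mail_eml_file String COMMENT 'MAIL EML File',
    ftp_account String COMMENT 'FTP Account',
    ftp_url String COMMENT 'FTP URL',
    ftp_link_type String COMMENT 'FTP Link Type',
    quic_version String COMMENT 'QUIC Version',
    quic_sni String COMMENT 'QUIC SNI',
    quic_user_agent String COMMENT 'QUIC User-Agent',
    rdp_cookie String COMMENT 'RDP Cookie',
    rdp_security_protocol String COMMENT 'RDP Security Protocol',
    rdp_client_channels String COMMENT 'RDP Client Channels',
    rdp_keyboard_layout String COMMENT 'RDP Keyboard Layout',
    rdp_client_version String COMMENT 'RDP Client Version',
    rdp_client_name String COMMENT 'RDP Client Name',
    rdp_client_product_id String COMMENT 'RDP Client Product ID',
    rdp_desktop_width String COMMENT 'RDP Desktop Width',
    rdp_desktop_height String COMMENT 'RDP Desktop Height',
    rdp_requested_color_depth String COMMENT 'RDP Requested Color Depth',
    rdp_certificate_type String COMMENT 'RDP Certificate Type',
    rdp_certificate_count Nullable(Int32) COMMENT 'RDP Certificate Count',
    rdp_certificate_permanent Nullable(Int32) COMMENT 'RDP Certificate Permanent',
    rdp_encryption_level String COMMENT 'RDP Encryption Level',
    rdp_encryption_method String COMMENT 'RDP Encryption Method',
    ssh_version String COMMENT 'SSH Version',
    ssh_auth_success String COMMENT 'SSH Authentication Result',
    ssh_client_version String COMMENT 'SSH Client Version',
    ssh_server_version String COMMENT 'SSH Server Version',
    ssh_cipher_alg String COMMENT 'SSH Encryption Algorithm',
    ssh_mac_alg String COMMENT 'SSH Signing Algorithm',
    ssh_compression_alg String COMMENT 'SSH Compression Algorithm',
    ssh_kex_alg String COMMENT 'SSH Key Exchange Algorithm',
    ssh_host_key_alg String COMMENT 'SSH Server Host Key Algorithm',
    ssh_host_key String COMMENT 'SSH Server Key Fingerprint',
    ssh_hassh String COMMENT 'SSH HASSH',
    sip_call_id String COMMENT 'SIP Call-ID',
    sip_originator_description String COMMENT 'SIP Originator',
    sip_responder_description String COMMENT 'SIP Responder',
    sip_user_agent String COMMENT 'SIP User-Agent',
    sip_server String COMMENT 'SIP Server',
    sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
    sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
    sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
    sip_originator_sdp_content String COMMENT 'SIP Originator Content',
    sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
    sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
    sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
    sip_responder_sdp_content String COMMENT 'SIP Responder Content',
    sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
    sip_bye String COMMENT 'SIP Bye',
    rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
    rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
    rtp_pcap_path String COMMENT 'RTP PCAP',
    rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
    stratum_cryptocurrency String COMMENT 'Stratum Cryptocurrency',
    stratum_mining_pools String COMMENT 'Stratum Mining Pools',
    stratum_mining_program String COMMENT 'Stratum Mining Program',
    stratum_mining_subscribe String COMMENT 'Stratum Mining Subscribe',
    sent_pkts Int64 COMMENT 'Packets Sent',
    received_pkts Int64 COMMENT 'Packets Received',
    sent_bytes Int64 COMMENT 'Bytes Sent',
    received_bytes Int64 COMMENT 'Bytes Received',
    tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
    tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
    tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
    tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
    tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-Order Packets',
    tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
    tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
    tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
    tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
    tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
    tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
    tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
    tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
    packet_capture_file String COMMENT 'Packet Capture File',
    in_src_mac String COMMENT 'Incoming Source MAC',
    out_src_mac String COMMENT 'Outgoing Source MAC',
    in_dest_mac String COMMENT 'Incoming Destination MAC',
    out_dest_mac String COMMENT 'Outgoing Destination MAC',
    encapsulation String COMMENT 'Encapsulation',
    dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
    tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
    tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
)
ENGINE = Distributed(js_datahouse, tsg_galaxy_v3, security_event_local, rand());

-- monitor_event_local: the statement below continues on the following lines.
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.monitor_event_local on cluster js_datahouse ( recv_time Int64 COMMENT 'Receive Time', log_id UInt64 COMMENT 'Log ID', decoded_as String COMMENT 'Decoded AS', session_id UInt64 COMMENT 'Session ID', start_timestamp_ms DateTime64(3) COMMENT 'Start Time', end_timestamp_ms DateTime64(3) COMMENT 'End Time', duration_ms Int32 COMMENT 'Duration', tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency', ingestion_time Int64 COMMENT 'Ingestion Time', processing_time Int64 COMMENT 'Processing Time', insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 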
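'Insert Time',
    -- Remaining columns of tsg_galaxy_v3.monitor_event_local (the CREATE TABLE
    -- header is on the preceding line).
    --
    -- Fixed here: COMMENT labels that had drifted away from their columns
    -- (ssl_ja3_hash .. ssl_ech_flag, mail_attachment_name .. mail_eml_file), the
    -- missing space in 'Out-of-OrderPackets', and a line break inside the
    -- 'DNS Response Latency' label.
    --
    -- NOTE(review): captured credentials and session material (mail_password,
    -- http_cookie, http_set_cookie, http_request_body, http_response_body) and
    -- subscriber identifiers (subscriber_id, imei, imsi, phone_number) are plain
    -- String columns kept for the full table TTL. Unless ingestion already masks
    -- them, restrict access with column-level grants and consider a shorter
    -- column TTL for the credential columns.
    device_id String COMMENT 'Device ID',
    out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
    in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
    device_tag String COMMENT 'Device Tag',
    data_center String COMMENT 'Data Center',
    device_group String COMMENT 'Device Group',
    sled_ip String COMMENT 'Sled IP',
    address_type Int32 COMMENT 'Address Type',
    vsys_id Int32 COMMENT 'Vsys ID',
    t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
    flags Int64 COMMENT 'Flags',
    flags_identify_info String COMMENT 'Flags Identify Info',
    security_rule_list Array(Int64) COMMENT 'Security Rule List',
    security_action String COMMENT 'Security Action',
    monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
    shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
    proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
    statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
    sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
    sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
    sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
    proxy_action String COMMENT 'Proxy Action',
    proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
    proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
    proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
    proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
    proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
    proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
    proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
    proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
    proxy_intercept_error String COMMENT 'Proxy Intercept Error',
    monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
    monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
    client_ip String COMMENT 'Client IP',
    client_port Int32 COMMENT 'Client Port',
    client_os_desc String COMMENT 'Client OS Description',
    client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
    client_asn Nullable(Int64) COMMENT 'Client ASN',
    -- Subscriber identifiers: personal data, see the access note above.
    subscriber_id String COMMENT 'Subscriber ID',
    imei String COMMENT 'IMEI',
    imsi String COMMENT 'IMSI',
    phone_number String COMMENT 'Phone Number',
    apn String COMMENT 'APN',
    server_ip String COMMENT 'Server IP',
    server_port Int32 COMMENT 'Server Port',
    server_os_desc String COMMENT 'Server OS Description',
    server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
    server_asn Nullable(Int64) COMMENT 'Server ASN',
    server_fqdn String COMMENT 'Server FQDN',
    server_domain String COMMENT 'Server Domain',
    app_transition String COMMENT 'Application Transition',
    app LowCardinality(String) COMMENT 'Application',
    app_debug_info String COMMENT 'Application Debug Info',
    app_content String COMMENT 'Application Content',
    fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
    ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
    decoded_path LowCardinality(String) COMMENT 'Decoded Path',
    dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
    dns_qr Nullable(Int32) COMMENT 'DNS QR',
    dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
    dns_aa Nullable(Int32) COMMENT 'DNS AA',
    dns_tc Nullable(Int32) COMMENT 'DNS TC',
    dns_rd Nullable(Int32) COMMENT 'DNS RD',
    dns_ra Nullable(Int32) COMMENT 'DNS RA',
    dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
    dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
    dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
    dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
    dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
    dns_qname String COMMENT 'DNS QNAME',
    dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
    dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
    dns_cname String COMMENT 'DNS CNAME',
    dns_sub Nullable(Int32) COMMENT 'DNS SUB',
    dns_rr String COMMENT 'DNS RR',
    dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
    -- HTTP bodies and cookies can carry credentials and session tokens.
    http_url String COMMENT 'HTTP URL',
    http_host String COMMENT 'HTTP Host',
    http_request_line String COMMENT 'HTTP Request Line',
    http_response_line String COMMENT 'HTTP Response Line',
    http_request_body String COMMENT 'HTTP Request Body',
    http_response_body String COMMENT 'HTTP Response Body',
    http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
    http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
    http_cookie String COMMENT 'HTTP Cookie',
    http_referer String COMMENT 'HTTP Referer',
    http_user_agent String COMMENT 'HTTP User-Agent',
    http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
    http_request_content_type String COMMENT 'HTTP Request Content-Type',
    http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
    http_response_content_type String COMMENT 'HTTP Response Content-Type',
    http_set_cookie String COMMENT 'HTTP Set-Cookie',
    http_version String COMMENT 'HTTP Version',
    http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
    http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
    http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
    http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
    ssl_version String COMMENT 'SSL Version',
    ssl_sni String COMMENT 'SSL SNI',
    ssl_san String COMMENT 'SSL SAN',
    ssl_cn String COMMENT 'SSL CN',
    ssl_handshake_latency_ms Nullable(Int32) COMMENT 'SSL Handshake Latency',
    -- The next six labels were shifted (ssl_cert_issuer read 'SSL JA3S
    -- Fingerprint', ssl_esni_flag read 'SSL Issuer', ...); they now follow
    -- the column names, matching the dtls_* labels below.
    ssl_ja3_hash String COMMENT 'SSL JA3 Hash',
    ssl_ja3s_hash String COMMENT 'SSL JA3S Hash',
    ssl_cert_issuer String COMMENT 'SSL Certificate Issuer',
    ssl_cert_subject String COMMENT 'SSL Certificate Subject',
    ssl_esni_flag Nullable(Int32) COMMENT 'SSL ESNI Flag',
    ssl_ech_flag Nullable(Int32) COMMENT 'SSL ECH Flag',
    dtls_cookie String COMMENT 'DTLS Cookie',
    dtls_version String COMMENT 'DTLS Version',
    dtls_sni String COMMENT 'DTLS SNI',
    dtls_san String COMMENT 'DTLS SAN',
    dtls_cn String COMMENT 'DTLS CN',
    dtls_handshake_latency_ms Nullable(Int32) COMMENT 'DTLS Handshake Latency',
    dtls_ja3_fingerprint String COMMENT 'DTLS JA3 Fingerprint',
    dtls_ja3_hash String COMMENT 'DTLS JA3 Hash',
    dtls_cert_issuer String COMMENT 'DTLS Certificate Issuer',
    dtls_cert_subject String COMMENT 'DTLS Certificate Subject',
    mail_protocol_type String COMMENT 'MAIL Protocol Type',
    mail_account String COMMENT 'MAIL Account',
    mail_from_cmd String COMMENT 'MAIL From CMD',
    mail_to_cmd String COMMENT 'MAIL To CMD',
    mail_from String COMMENT 'MAIL From',
    -- NOTE(review): a captured mail password kept as a plain String; prefer
    -- dropping or masking it at ingestion if the value is not needed verbatim.
    mail_password String COMMENT 'MAIL Password',
    mail_to String COMMENT 'MAIL To',
    mail_cc String COMMENT 'MAIL CC',
    mail_bcc String COMMENT 'MAIL BCC',
    mail_subject String COMMENT 'MAIL Subject',
    mail_subject_charset String COMMENT 'MAIL Subject Charset',
    -- Labels corrected: these three read 'MAIL Content', 'MAIL Content Charset'
    -- and 'MAIL Attachment Name' respectively.
    mail_attachment_name String COMMENT 'MAIL Attachment Name',
    mail_attachment_name_charset String COMMENT 'MAIL Attachment Name Charset',
    mail_eml_file String COMMENT 'MAIL EML File',
    ftp_account String COMMENT 'FTP Account',
    ftp_url String COMMENT 'FTP URL',
    ftp_link_type String COMMENT 'FTP Link Type',
    quic_version String COMMENT 'QUIC Version',
    quic_sni String COMMENT 'QUIC SNI',
    quic_user_agent String COMMENT 'QUIC User-Agent',
    rdp_cookie String COMMENT 'RDP Cookie',
    rdp_security_protocol String COMMENT 'RDP Security Protocol',
    rdp_client_channels String COMMENT 'RDP Client Channels',
    rdp_keyboard_layout String COMMENT 'RDP Keyboard Layout',
    rdp_client_version String COMMENT 'RDP Client Version',
    rdp_client_name String COMMENT 'RDP Client Name',
    rdp_client_product_id String COMMENT 'RDP Client Product ID',
    rdp_desktop_width String COMMENT 'RDP Desktop Width',
    rdp_desktop_height String COMMENT 'RDP Desktop Height',
    rdp_requested_color_depth String COMMENT 'RDP Requested Color Depth',
    rdp_certificate_type String COMMENT 'RDP Certificate Type',
    rdp_certificate_count Nullable(Int32) COMMENT 'RDP Certificate Count',
    rdp_certificate_permanent Nullable(Int32) COMMENT 'RDP Certificate Permanent',
    rdp_encryption_level String COMMENT 'RDP Encryption Level',
    rdp_encryption_method String COMMENT 'RDP Encryption Method',
    ssh_version String COMMENT 'SSH Version',
    ssh_auth_success String COMMENT 'SSH Authentication Result',
    ssh_client_version String COMMENT 'SSH Client Version',
    ssh_server_version String COMMENT 'SSH Server Version',
    ssh_cipher_alg String COMMENT 'SSH Encryption Algorithm',
    ssh_mac_alg String COMMENT 'SSH Signing Algorithm',
    ssh_compression_alg String COMMENT 'SSH Compression Algorithm',
    ssh_kex_alg String COMMENT 'SSH Key Exchange Algorithm',
    ssh_host_key_alg String COMMENT 'SSH Server Host Key Algorithm',
    ssh_host_key String COMMENT 'SSH Server Key Fingerprint',
    ssh_hassh String COMMENT 'SSH HASSH',
    sip_call_id String COMMENT 'SIP Call-ID',
    sip_originator_description String COMMENT 'SIP Originator',
    sip_responder_description String COMMENT 'SIP Responder',
    sip_user_agent String COMMENT 'SIP User-Agent',
    sip_server String COMMENT 'SIP Server',
    sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
    sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
    sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
    sip_originator_sdp_content String COMMENT 'SIP Originator Content',
    sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
    sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
    sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
    sip_responder_sdp_content String COMMENT 'SIP Responder Content',
    sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
    sip_bye String COMMENT 'SIP Bye',
    rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
    rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
    rtp_pcap_path String COMMENT 'RTP PCAP',
    rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
    stratum_cryptocurrency String COMMENT 'Stratum Cryptocurrency',
    stratum_mining_pools String COMMENT 'Stratum Mining Pools',
    stratum_mining_program String COMMENT 'Stratum Mining Program',
    stratum_mining_subscribe String COMMENT 'Stratum Mining Subscribe',
    sent_pkts Int64 COMMENT 'Packets Sent',
    received_pkts Int64 COMMENT 'Packets Received',
    sent_bytes Int64 COMMENT 'Bytes Sent',
    received_bytes Int64 COMMENT 'Bytes Received',
    tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
    tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
    tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
    tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
    tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-Order Packets',
    tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
    tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
    tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
    tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
    tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
    tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
    tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
    tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
    packet_capture_file String COMMENT 'Packet Capture File',
    in_src_mac String COMMENT 'Incoming Source MAC',
    out_src_mac String COMMENT 'Outgoing Source MAC',
    in_dest_mac String COMMENT 'Incoming Destination MAC',
    out_dest_mac String COMMENT 'Outgoing Destination MAC',
    encapsulation String COMMENT 'Encapsulation',
    dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
    tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
    tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
)
-- Replicated per-shard storage; the ZooKeeper path and replica name come from
-- the {shard} and {replica} macros.
ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/monitor_event_local', '{replica}')
-- One partition per calendar day of recv_time; recv_time is passed straight to
-- toDate()/toDateTime(), so it is presumably Unix epoch seconds (TODO confirm).
PARTITION BY toYYYYMMDD(toDate(recv_time))
ORDER BY (vsys_id, security_action, proxy_action, decoded_as, data_center, device_group, recv_time)
-- Rows expire 15552000 s (180 days) after recv_time.
TTL toDateTime(recv_time) + toIntervalSecond(15552000);

CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.monitor_event on cluster js_datahouse ( recv_time Int64 COMMENT 'Receive Time', log_id UInt64 COMMENT 'Log ID', decoded_as String COMMENT 'Decoded AS', session_id UInt64 COMMENT 'Session ID', start_timestamp_ms DateTime64(3) COMMENT 'Start Time', end_timestamp_ms DateTime64(3) COMMENT 'End Time', duration_ms Int32 COMMENT 'Duration', tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency', ingestion_time Int64 COMMENT 'Ingestion Time', processing_time Int64 COMMENT 'Processing Time', insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time', device_id String COMMENT 'Device ID', out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID', in_link_id Nullable(Int32) COMMENT 'Incoming Link ID', device_tag String COMMENT 'Device Tag', data_center String COMMENT 'Data Center', device_group String COMMENT 'Device Group', sled_ip String COMMENT 'Sled IP', address_type Int32 COMMENT 'Address Type', vsys_id Int32 COMMENT 'Vsys ID', t_vsys_id Int32 COMMENT 'Traffic Vsys ID', flags Int64 COMMENT 'Flags', flags_identify_info String COMMENT 'Flags Identify Info', security_rule_list Array(Int64) COMMENT 'Security Rule List', security_action String COMMENT 'Security Action', monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List', shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List', proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List', statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List', sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List', sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)', sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)', proxy_action String COMMENT 'Proxy Action', proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status', proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status', proxy_passthrough_reason String COMMENT 'Proxy 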
Passthrough Reason', proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency', proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency', proxy_client_side_version String COMMENT 'Proxy Client-Side Version', proxy_server_side_version String COMMENT 'Proxy Server-Side Version', proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify', proxy_intercept_error String COMMENT 'Proxy Intercept Error', monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets', monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes', client_ip String COMMENT 'Client IP', client_port Int32 COMMENT 'Client Port', client_os_desc String COMMENT 'Client OS Description', client_geolocation LowCardinality(String) COMMENT 'Client Geolocation', client_asn Nullable(Int64) COMMENT 'Client ASN', subscriber_id String COMMENT 'Subscriber ID', imei String COMMENT 'IMEI', imsi String COMMENT 'IMSI', phone_number String COMMENT 'Phone Number', apn String COMMENT 'APN', server_ip String COMMENT 'Server IP', server_port Int32 COMMENT 'Server Port', server_os_desc String COMMENT 'Server OS Description', server_geolocation LowCardinality(String) COMMENT 'Server Geolocation', server_asn Nullable(Int64) COMMENT 'Server ASN', server_fqdn String COMMENT 'Server FQDN', server_domain String COMMENT 'Server Domain', app_transition String COMMENT 'Application Transition', app LowCardinality(String) COMMENT 'Application', app_debug_info String COMMENT 'Application Debug Info', app_content String COMMENT 'Application Content', fqdn_category_list Array(Int64) COMMENT 'FQDN Category List', ip_protocol LowCardinality(String) COMMENT 'IP Protocol', decoded_path LowCardinality(String) COMMENT 'Decoded Path', dns_message_id Nullable(Int32) COMMENT 'DNS Message ID', dns_qr Nullable(Int32) COMMENT 'DNS QR', dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE', dns_aa Nullable(Int32) COMMENT 'DNS AA', dns_tc Nullable(Int32) COMMENT 'DNS TC', 
dns_rd Nullable(Int32) COMMENT 'DNS RD', dns_ra Nullable(Int32) COMMENT 'DNS RA', dns_rcode Nullable(Int32) COMMENT 'DNS RCODE', dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT', dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT', dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT', dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT', dns_qname String COMMENT 'DNS QNAME', dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE', dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS', dns_cname String COMMENT 'DNS CNAME', dns_sub Nullable(Int32) COMMENT 'DNS SUB', dns_rr String COMMENT 'DNS RR', dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency', http_url String COMMENT 'HTTP URL', http_host String COMMENT 'HTTP Host', http_request_line String COMMENT 'HTTP Request Line', http_response_line String COMMENT 'HTTP Response Line', http_request_body String COMMENT 'HTTP Request Body', http_response_body String COMMENT 'HTTP Response Body', http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag', http_sequence Nullable(Int32) COMMENT 'HTTP Sequence', http_cookie String COMMENT 'HTTP Cookie', http_referer String COMMENT 'HTTP Referer', http_user_agent String COMMENT 'HTTP User-Agent', http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length', http_request_content_type String COMMENT 'HTTP Request Content-Type', http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length', http_response_content_type String COMMENT 'HTTP Response Content-Type', http_set_cookie String COMMENT 'HTTP Set-Cookie', http_version String COMMENT 'HTTP Version', http_status_code Nullable(Int32) COMMENT 'HTTP Status Code', http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency', http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration', http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size', ssl_version String COMMENT 'SSL Version', ssl_sni String COMMENT 'SSL SNI', ssl_san String COMMENT 'SSL SAN', ssl_cn 
String COMMENT 'SSL CN', ssl_handshake_latency_ms Nullable(Int32) COMMENT 'SSL Handshake Latency', ssl_ja3_hash String COMMENT 'SSL JA3 Fingerprint', ssl_ja3s_hash String COMMENT 'SSL JA3 Hash', ssl_cert_issuer String COMMENT 'SSL JA3S Fingerprint', ssl_cert_subject String COMMENT 'SSL JA3S Hash', ssl_esni_flag Nullable(Int32) COMMENT 'SSL Issuer', ssl_ech_flag Nullable(Int32) COMMENT 'SSL Subject', dtls_cookie String COMMENT 'DTLS Cookie', dtls_version String COMMENT 'DTLS Version', dtls_sni String COMMENT 'DTLS SNI', dtls_san String COMMENT 'DTLS SAN', dtls_cn String COMMENT 'DTLS CN', dtls_handshake_latency_ms Nullable(Int32) COMMENT 'DTLS Handshake Latency', dtls_ja3_fingerprint String COMMENT 'DTLS JA3 Fingerprint', dtls_ja3_hash String COMMENT 'DTLS JA3 Hash', dtls_cert_issuer String COMMENT 'DTLS Certificate Issuer', dtls_cert_subject String COMMENT 'DTLS Certificate Subject', mail_protocol_type String COMMENT 'MAIL Protocol Type', mail_account String COMMENT 'MAIL Account', mail_from_cmd String COMMENT 'MAIL From CMD', mail_to_cmd String COMMENT 'MAIL To CMD', mail_from String COMMENT 'MAIL From', mail_password String COMMENT 'MAIL Password', mail_to String COMMENT 'MAIL To', mail_cc String COMMENT 'MAIL CC', mail_bcc String COMMENT 'MAIL BCC', mail_subject String COMMENT 'MAIL Subject', mail_subject_charset String COMMENT 'MAIL Subject Charset', mail_attachment_name String COMMENT 'MAIL Content', mail_attachment_name_charset String COMMENT 'MAIL Content Charset', mail_eml_file String COMMENT 'MAIL Attachment Name', ftp_account String COMMENT 'FTP Account', ftp_url String COMMENT 'FTP URL', ftp_link_type String COMMENT 'FTP Link Type', quic_version String COMMENT 'QUIC Version', quic_sni String COMMENT 'QUIC SNI', quic_user_agent String COMMENT 'QUIC User-Agent', rdp_cookie String COMMENT 'RDP Cookie', rdp_security_protocol String COMMENT 'RDP Security Protocol', rdp_client_channels String COMMENT 'RDP Client Channels', rdp_keyboard_layout String COMMENT 
'RDP Keyboard Layout', rdp_client_version String COMMENT 'RDP Client Version', rdp_client_name String COMMENT 'RDP Client Name', rdp_client_product_id String COMMENT 'RDP Client Product ID', rdp_desktop_width String COMMENT 'RDP Desktop Width', rdp_desktop_height String COMMENT 'RDP Desktop Height', rdp_requested_color_depth String COMMENT 'RDP Requested Color Depth', rdp_certificate_type String COMMENT 'RDP Certificate Type', rdp_certificate_count Nullable(Int32) COMMENT 'RDP Certificate Count', rdp_certificate_permanent Nullable(Int32) COMMENT 'RDP Certificate Permanent', rdp_encryption_level String COMMENT 'RDP Encryption Level', rdp_encryption_method String COMMENT 'RDP Encryption Method', ssh_version String COMMENT 'SSH Version', ssh_auth_success String COMMENT 'SSH Authentication Result', ssh_client_version String COMMENT 'SSH Client Version', ssh_server_version String COMMENT 'SSH Server Version', ssh_cipher_alg String COMMENT 'SSH Encryption Algorithm', ssh_mac_alg String COMMENT 'SSH Signing Algorithm', ssh_compression_alg String COMMENT 'SSH Compression Algorithm', ssh_kex_alg String COMMENT 'SSH Key Exchange Algorithm', ssh_host_key_alg String COMMENT 'SSH Server Host Key Algorithm', ssh_host_key String COMMENT 'SSH Server Key Fingerprint', ssh_hassh String COMMENT 'SSH HASSH', sip_call_id String COMMENT 'SIP Call-ID', sip_originator_description String COMMENT 'SIP Originator', sip_responder_description String COMMENT 'SIP Responder', sip_user_agent String COMMENT 'SIP User-Agent', sip_server String COMMENT 'SIP Server', sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP', sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port', sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type', sip_originator_sdp_content String COMMENT 'SIP Originator Content', sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP', sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port', 
sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type', sip_responder_sdp_content String COMMENT 'SIP Responder Content', sip_duration_s Nullable(Int32) COMMENT 'SIP Duration', sip_bye String COMMENT 'SIP Bye', rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)', rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)', rtp_pcap_path String COMMENT 'RTP PCAP', rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction', stratum_cryptocurrency String COMMENT 'Stratum Cryptocurrency', stratum_mining_pools String COMMENT 'Stratum Mining Pools', stratum_mining_program String COMMENT 'Stratum Mining Program', stratum_mining_subscribe String COMMENT 'Stratum Mining Subscribe', sent_pkts Int64 COMMENT 'Packets Sent', received_pkts Int64 COMMENT 'Packets Received', sent_bytes Int64 COMMENT 'Bytes Sent', received_bytes Int64 COMMENT 'Bytes Received', tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments', tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments', tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes', tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes', tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets', tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets', tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets', tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets', tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes', tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes', tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time', tcp_client_isn Nullable(Int64) COMMENT 'Client ISN', tcp_server_isn Nullable(Int64) COMMENT 'Server ISN', packet_capture_file String COMMENT 'Packet Capture File', in_src_mac String COMMENT 'Incoming Source MAC', out_src_mac String COMMENT 
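'Outgoing Source MAC', in_dest_mac String COMMENT 'Incoming Destination MAC', out_dest_mac String COMMENT 'Outgoing Destination MAC', encapsulation String COMMENT 'Encapsulation', dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag', tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description', tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description' ) ENGINE =Distributed(js_datahouse,tsg_galaxy_v3,monitor_event_local,rand());

-- transaction_record_local: per-shard replicated storage for transaction records
-- (DNS, HTTP, mail and SIP fields keyed by session).
--   * Daily partitions from recv_time; toDate/toDateTime are applied to the Int64 value,
--     so it is presumably Unix seconds -- confirm with the writer.
--   * Rows expire 15552000 s (180 days) after recv_time.
--   * COMMENT text for mail_attachment_name, mail_attachment_name_charset and
--     mail_eml_file corrected; the old labels described neighbouring columns.
--   * Sensitive columns when populated: mail_password, http_cookie, http_set_cookie,
--     http_request_body, http_response_body. Grant SELECT per column
--     (GRANT SELECT(col, ...) ON ...) rather than on the whole table; a column-level
--     TTL shorter than the row TTL is an option for these.
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.transaction_record_local ON CLUSTER js_datahouse (
    recv_time Int64 COMMENT 'Receive Time',
    log_id UInt64 COMMENT 'Log ID',
    decoded_as String COMMENT 'Decoded AS',
    session_id UInt64 COMMENT 'Session ID',
    ingestion_time Int64 COMMENT 'Ingestion Time',
    processing_time Int64 COMMENT 'Processing Time',
    -- MATERIALIZED: computed at insert, not supplied by the writer.
    insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
    address_type Int32 COMMENT 'Address Type',
    vsys_id Int32 COMMENT 'Vsys ID',
    client_ip String COMMENT 'Client IP',
    client_port Int32 COMMENT 'Client Port',
    server_ip String COMMENT 'Server IP',
    server_port Int32 COMMENT 'Server Port',
    sent_pkts Int64 COMMENT 'Packets Sent',
    received_pkts Int64 COMMENT 'Packets Received',
    sent_bytes Int64 COMMENT 'Bytes Sent',
    received_bytes Int64 COMMENT 'Bytes Received',
    -- DNS
    dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
    dns_qr Nullable(Int32) COMMENT 'DNS QR',
    dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
    dns_aa Nullable(Int32) COMMENT 'DNS AA',
    dns_tc Nullable(Int32) COMMENT 'DNS TC',
    dns_rd Nullable(Int32) COMMENT 'DNS RD',
    dns_ra Nullable(Int32) COMMENT 'DNS RA',
    dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
    dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
    dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
    dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
    dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
    dns_qname String COMMENT 'DNS QNAME',
    dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
    dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
    dns_cname String COMMENT 'DNS CNAME',
    dns_sub Nullable(Int32) COMMENT 'DNS SUB',
    dns_rr String COMMENT 'DNS RR',
    dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
    -- HTTP (bodies and cookie headers are stored as captured)
    http_url String COMMENT 'HTTP URL',
    http_host String COMMENT 'HTTP Host',
    http_request_line String COMMENT 'HTTP Request Line',
    http_response_line String COMMENT 'HTTP Response Line',
    http_request_body String COMMENT 'HTTP Request Body',
    http_response_body String COMMENT 'HTTP Response Body',
    http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
    http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
    http_cookie String COMMENT 'HTTP Cookie',
    http_referer String COMMENT 'HTTP Referer',
    http_user_agent String COMMENT 'HTTP User-Agent',
    http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
    http_request_content_type String COMMENT 'HTTP Request Content-Type',
    http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
    http_response_content_type String COMMENT 'HTTP Response Content-Type',
    http_set_cookie String COMMENT 'HTTP Set-Cookie',
    http_version String COMMENT 'HTTP Version',
    http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
    http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
    http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
    http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
    -- Mail (mail_password is a plain String column)
    mail_protocol_type String COMMENT 'MAIL Protocol Type',
    mail_account String COMMENT 'MAIL Account',
    mail_from_cmd String COMMENT 'MAIL From CMD',
    mail_to_cmd String COMMENT 'MAIL To CMD',
    mail_from String COMMENT 'MAIL From',
    mail_password String COMMENT 'MAIL Password',
    mail_to String COMMENT 'MAIL To',
    mail_cc String COMMENT 'MAIL CC',
    mail_bcc String COMMENT 'MAIL BCC',
    mail_subject String COMMENT 'MAIL Subject',
    mail_subject_charset String COMMENT 'MAIL Subject Charset',
    mail_attachment_name String COMMENT 'MAIL Attachment Name',
    mail_attachment_name_charset String COMMENT 'MAIL Attachment Name Charset',
    mail_eml_file String COMMENT 'MAIL EML File',
    -- SIP
    sip_call_id String COMMENT 'SIP Call-ID',
    sip_originator_description String COMMENT 'SIP Originator',
    sip_responder_description String COMMENT 'SIP Responder',
    sip_user_agent String COMMENT 'SIP User-Agent',
    sip_server String COMMENT 'SIP Server',
    sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
    sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
    sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
    sip_originator_sdp_content String COMMENT 'SIP Originator Content',
    sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
    sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
    sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
    sip_responder_sdp_content String COMMENT 'SIP Responder Content',
    sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
    sip_bye String COMMENT 'SIP Bye'
)
ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/transaction_record_local', '{replica}')
PARTITION BY toYYYYMMDD(toDate(recv_time))
ORDER BY (vsys_id, session_id, recv_time)
TTL toDateTime(recv_time) + toIntervalSecond(15552000);

-- transaction_record: Distributed table over transaction_record_local, sharded with
-- rand(). The column list must stay identical to the _local table above. Access
-- restrictions on the sensitive columns have to cover both tables, because the _local
-- table can be queried directly on each shard.
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.transaction_record ON CLUSTER js_datahouse (
    recv_time Int64 COMMENT 'Receive Time',
    log_id UInt64 COMMENT 'Log ID',
    decoded_as String COMMENT 'Decoded AS',
    session_id UInt64 COMMENT 'Session ID',
    ingestion_time Int64 COMMENT 'Ingestion Time',
    processing_time Int64 COMMENT 'Processing Time',
    insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
    address_type Int32 COMMENT 'Address Type',
    vsys_id Int32 COMMENT 'Vsys ID',
    client_ip String COMMENT 'Client IP',
    client_port Int32 COMMENT 'Client Port',
    server_ip String COMMENT 'Server IP',
    server_port Int32 COMMENT 'Server Port',
    sent_pkts Int64 COMMENT 'Packets Sent',
    received_pkts Int64 COMMENT 'Packets Received',
    sent_bytes Int64 COMMENT 'Bytes Sent',
    received_bytes Int64 COMMENT 'Bytes Received',
    -- DNS
    dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
    dns_qr Nullable(Int32) COMMENT 'DNS QR',
    dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
    dns_aa Nullable(Int32) COMMENT 'DNS AA',
    dns_tc Nullable(Int32) COMMENT 'DNS TC',
    dns_rd Nullable(Int32) COMMENT 'DNS RD',
    dns_ra Nullable(Int32) COMMENT 'DNS RA',
    dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
    dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
    dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
    dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
    dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
    dns_qname String COMMENT 'DNS QNAME',
    dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
    dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
    dns_cname String COMMENT 'DNS CNAME',
    dns_sub Nullable(Int32) COMMENT 'DNS SUB',
    dns_rr String COMMENT 'DNS RR',
    dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
    -- HTTP
    http_url String COMMENT 'HTTP URL',
    http_host String COMMENT 'HTTP Host',
    http_request_line String COMMENT 'HTTP Request Line',
    http_response_line String COMMENT 'HTTP Response Line',
    http_request_body String COMMENT 'HTTP Request Body',
    http_response_body String COMMENT 'HTTP Response Body',
    http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
    http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
    http_cookie String COMMENT 'HTTP Cookie',
    http_referer String COMMENT 'HTTP Referer',
    http_user_agent String COMMENT 'HTTP User-Agent',
    http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
    http_request_content_type String COMMENT 'HTTP Request Content-Type',
    http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
    http_response_content_type String COMMENT 'HTTP Response Content-Type',
    http_set_cookie String COMMENT 'HTTP Set-Cookie',
    http_version String COMMENT 'HTTP Version',
    http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
    http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
    http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
    http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
    -- Mail
    mail_protocol_type String COMMENT 'MAIL Protocol Type',
    mail_account String COMMENT 'MAIL Account',
    mail_from_cmd String COMMENT 'MAIL From CMD',
    mail_to_cmd String COMMENT 'MAIL To CMD',
    mail_from String COMMENT 'MAIL From',
    mail_password String COMMENT 'MAIL Password',
    mail_to String COMMENT 'MAIL To',
    mail_cc String COMMENT 'MAIL CC',
    mail_bcc String COMMENT 'MAIL BCC',
    mail_subject String COMMENT 'MAIL Subject',
    mail_subject_charset String COMMENT 'MAIL Subject Charset',
    mail_attachment_name String COMMENT 'MAIL Attachment Name',
    mail_attachment_name_charset String COMMENT 'MAIL Attachment Name Charset',
    mail_eml_file String COMMENT 'MAIL EML File',
    -- SIP
    sip_call_id String COMMENT 'SIP Call-ID',
    sip_originator_description String COMMENT 'SIP Originator',
    sip_responder_description String COMMENT 'SIP Responder',
    sip_user_agent String COMMENT 'SIP User-Agent',
    sip_server String COMMENT 'SIP Server',
    sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
    sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
    sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
    sip_originator_sdp_content String COMMENT 'SIP Originator Content',
    sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
    sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
    sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
    sip_responder_sdp_content String COMMENT 'SIP Responder Content',
    sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
    sip_bye String COMMENT 'SIP Bye'
)
ENGINE = Distributed(js_datahouse, tsg_galaxy_v3, transaction_record_local, rand());

-- Data-skipping bloom filter on client_ip (false-positive rate 0.05, one index granule
-- per index block) for session_record_local; the next statement adds the same index to
-- transaction_record_local. ADD INDEX only covers parts written afterwards: on a table
-- that already holds data, follow up with ALTER TABLE ... MATERIALIZE INDEX client_index.
ALTER TABLE tsg_galaxy_v3.session_record_local ON CLUSTER js_datahouse
    ADD INDEX IF NOT EXISTS client_index client_ip TYPE bloom_filter(0.05) GRANULARITY 1;

alter table tsg_galaxy_v3.transaction_record_local on cluster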
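js_datahouse add INDEX IF NOT EXISTS client_index client_ip type bloom_filter(0.05) GRANULARITY 1;

-- voip_record_local: per-shard replicated storage for VoIP (SIP/RTP) session records.
--   * Daily partitions from recv_time; toDate/toDateTime are applied to the Int64 value,
--     so it is presumably Unix seconds -- confirm with the writer.
--   * Rows expire 15552000 s (180 days) after recv_time.
--   * COMMENT text for tcp_c2s_o3_pkts corrected ('Out-of-OrderPackets' lacked a space).
--   * Subscriber identifiers (subscriber_id, imei, imsi, phone_number), SDP content and
--     capture-file paths (rtp_pcap_path, packet_capture_file) are personal or
--     call-content data when populated; limit SELECT on them with column-level grants.
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.voip_record_local ON CLUSTER js_datahouse (
    -- Record identity and timing
    recv_time Int64 COMMENT 'Receive Time',
    log_id UInt64 COMMENT 'Log ID',
    decoded_as String COMMENT 'Decoded AS',
    session_id UInt64 COMMENT 'Session ID',
    start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
    end_timestamp_ms DateTime64(3) COMMENT 'End Time',
    duration_ms Int32 COMMENT 'Duration',
    tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
    ingestion_time Int64 COMMENT 'Ingestion Time',
    processing_time Int64 COMMENT 'Processing Time',
    -- MATERIALIZED: computed at insert, not supplied by the writer.
    insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
    -- Capturing device
    device_id String COMMENT 'Device ID',
    out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
    in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
    device_tag String COMMENT 'Device Tag',
    data_center String COMMENT 'Data Center',
    device_group String COMMENT 'Device Group',
    sled_ip String COMMENT 'Sled IP',
    address_type Int32 COMMENT 'Address Type',
    vsys_id Int32 COMMENT 'Vsys ID',
    t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
    flags Int64 COMMENT 'Flags',
    flags_identify_info String COMMENT 'Flags Identify Info',
    -- Policy hits and actions
    security_rule_list Array(Int64) COMMENT 'Security Rule List',
    security_action String COMMENT 'Security Action',
    monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
    shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
    proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
    statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
    sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
    sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
    sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
    proxy_action String COMMENT 'Proxy Action',
    proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
    proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
    proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
    proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
    proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
    proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
    proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
    proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
    proxy_intercept_error String COMMENT 'Proxy Intercept Error',
    monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
    monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
    -- Client side, including subscriber identifiers
    client_ip String COMMENT 'Client IP',
    client_port Int32 COMMENT 'Client Port',
    client_os_desc String COMMENT 'Client OS Description',
    client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
    client_asn Nullable(Int64) COMMENT 'Client ASN',
    subscriber_id String COMMENT 'Subscriber ID',
    imei String COMMENT 'IMEI',
    imsi String COMMENT 'IMSI',
    phone_number String COMMENT 'Phone Number',
    apn String COMMENT 'APN',
    -- Server side and application
    server_ip String COMMENT 'Server IP',
    server_port Int32 COMMENT 'Server Port',
    server_os_desc String COMMENT 'Server OS Description',
    server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
    server_asn Nullable(Int64) COMMENT 'Server ASN',
    server_fqdn String COMMENT 'Server FQDN',
    server_domain String COMMENT 'Server Domain',
    app_transition String COMMENT 'Application Transition',
    app LowCardinality(String) COMMENT 'Application',
    app_debug_info String COMMENT 'Application Debug Info',
    app_content String COMMENT 'Application Content',
    fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
    ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
    decoded_path LowCardinality(String) COMMENT 'Decoded Path',
    -- SIP / RTP
    sip_call_id String COMMENT 'SIP Call-ID',
    sip_originator_description String COMMENT 'SIP Originator',
    sip_responder_description String COMMENT 'SIP Responder',
    sip_user_agent String COMMENT 'SIP User-Agent',
    sip_server String COMMENT 'SIP Server',
    sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
    sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
    sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
    sip_originator_sdp_content String COMMENT 'SIP Originator Content',
    sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
    sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
    sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
    sip_responder_sdp_content String COMMENT 'SIP Responder Content',
    sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
    sip_bye String COMMENT 'SIP Bye',
    rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
    rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
    rtp_pcap_path String COMMENT 'RTP PCAP',
    rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
    -- Traffic counters and TCP quality
    sent_pkts Int64 COMMENT 'Packets Sent',
    received_pkts Int64 COMMENT 'Packets Received',
    sent_bytes Int64 COMMENT 'Bytes Sent',
    received_bytes Int64 COMMENT 'Bytes Received',
    tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
    tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
    tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
    tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
    tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-Order Packets',
    tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
    tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
    tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
    tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
    tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
    tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
    tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
    tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
    packet_capture_file String COMMENT 'Packet Capture File',
    in_src_mac String COMMENT 'Incoming Source MAC',
    out_src_mac String COMMENT 'Outgoing Source MAC',
    in_dest_mac String COMMENT 'Incoming Destination MAC',
    out_dest_mac String COMMENT 'Outgoing Destination MAC',
    encapsulation String COMMENT 'Encapsulation',
    dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
    tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
    tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
)
ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/voip_record_local', '{replica}')
PARTITION BY toYYYYMMDD(toDate(recv_time))
ORDER BY (vsys_id, decoded_as, data_center, device_group, recv_time)
TTL toDateTime(recv_time) + toIntervalSecond(15552000);

-- voip_record: Distributed table over voip_record_local, sharded with rand(). The
-- column list must stay identical to the _local table above; access restrictions on the
-- subscriber and call-content columns have to cover both tables.
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.voip_record ON CLUSTER js_datahouse (
    -- Record identity and timing
    recv_time Int64 COMMENT 'Receive Time',
    log_id UInt64 COMMENT 'Log ID',
    decoded_as String COMMENT 'Decoded AS',
    session_id UInt64 COMMENT 'Session ID',
    start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
    end_timestamp_ms DateTime64(3) COMMENT 'End Time',
    duration_ms Int32 COMMENT 'Duration',
    tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
    ingestion_time Int64 COMMENT 'Ingestion Time',
    processing_time Int64 COMMENT 'Processing Time',
    insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
    -- Capturing device
    device_id String COMMENT 'Device ID',
    out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
    in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
    device_tag String COMMENT 'Device Tag',
    data_center String COMMENT 'Data Center',
    device_group String COMMENT 'Device Group',
    sled_ip String COMMENT 'Sled IP',
    address_type Int32 COMMENT 'Address Type',
    vsys_id Int32 COMMENT 'Vsys ID',
    t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
    flags Int64 COMMENT 'Flags',
    flags_identify_info String COMMENT 'Flags Identify Info',
    -- Policy hits and actions
    security_rule_list Array(Int64) COMMENT 'Security Rule List',
    security_action String COMMENT 'Security Action',
    monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
    shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
    proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
    statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
    sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
    sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
    sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
    proxy_action String COMMENT 'Proxy Action',
    proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
    proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
    proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
    proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
    proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
    proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
    proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
    proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
    proxy_intercept_error String COMMENT 'Proxy Intercept Error',
    monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
    monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
    -- Client side, including subscriber identifiers
    client_ip String COMMENT 'Client IP',
    client_port Int32 COMMENT 'Client Port',
    client_os_desc String COMMENT 'Client OS Description',
    client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
    client_asn Nullable(Int64) COMMENT 'Client ASN',
    subscriber_id String COMMENT 'Subscriber ID',
    imei String COMMENT 'IMEI',
    imsi String COMMENT 'IMSI',
    phone_number String COMMENT 'Phone Number',
    apn String COMMENT 'APN',
    -- Server side and application
    server_ip String COMMENT 'Server IP',
    server_port Int32 COMMENT 'Server Port',
    server_os_desc String COMMENT 'Server OS Description',
    server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
    server_asn Nullable(Int64) COMMENT 'Server ASN',
    server_fqdn String COMMENT 'Server FQDN',
    server_domain String COMMENT 'Server Domain',
    app_transition String COMMENT 'Application Transition',
    app LowCardinality(String) COMMENT 'Application',
    app_debug_info String COMMENT 'Application Debug Info',
    app_content String COMMENT 'Application Content',
    fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
    ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
    decoded_path LowCardinality(String) COMMENT 'Decoded Path',
    -- SIP / RTP
    sip_call_id String COMMENT 'SIP Call-ID',
    sip_originator_description String COMMENT 'SIP Originator',
    sip_responder_description String COMMENT 'SIP Responder',
    sip_user_agent String COMMENT 'SIP User-Agent',
    sip_server String COMMENT 'SIP Server',
    sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
    sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
    sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
    sip_originator_sdp_content String COMMENT 'SIP Originator Content',
    sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
    sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
    sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
    sip_responder_sdp_content String COMMENT 'SIP Responder Content',
    sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
    sip_bye String COMMENT 'SIP Bye',
    rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
    rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
    rtp_pcap_path String COMMENT 'RTP PCAP',
    rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
    -- Traffic counters and TCP quality
    sent_pkts Int64 COMMENT 'Packets Sent',
    received_pkts Int64 COMMENT 'Packets Received',
    sent_bytes Int64 COMMENT 'Bytes Sent',
    received_bytes Int64 COMMENT 'Bytes Received',
    tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
    tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
    tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
    tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
    tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-Order Packets',
    tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
    tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
    tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
    tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
    tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
    tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
    tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
    tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
    packet_capture_file String COMMENT 'Packet Capture File',
    in_src_mac String COMMENT 'Incoming Source MAC',
    out_src_mac String COMMENT 'Outgoing Source MAC',
    in_dest_mac String COMMENT 'Incoming Destination MAC',
    out_dest_mac String COMMENT 'Outgoing Destination MAC',
    encapsulation String COMMENT 'Encapsulation',
    dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
    tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
    tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
)
ENGINE = Distributed(js_datahouse, tsg_galaxy_v3, voip_record_local, rand());

CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.proxy_event_local on cluster js_datahouse ( recv_time Int64 COMMENT 'Receive Time', log_id UInt64 COMMENT 'Log ID', decoded_as String COMMENT 'Decoded AS', session_id UInt64 COMMENT 'Session ID', start_timestamp_ms DateTime64(3) COMMENT 'Start Time', end_timestamp_ms DateTime64(3) COMMENT 'End Time', duration_ms Int32 COMMENT 'Duration', tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency', ingestion_time Int64 COMMENT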
'Ingestion Time', processing_time Int64 COMMENT 'Processing Time', insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time', device_id String COMMENT 'Device ID', out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID', in_link_id Nullable(Int32) COMMENT 'Incoming Link ID', device_tag String COMMENT 'Device Tag', data_center String COMMENT 'Data Center', device_group String COMMENT 'Device Group', sled_ip String COMMENT 'Sled IP', address_type Int32 COMMENT 'Address Type', vsys_id Int32 COMMENT 'Vsys ID', t_vsys_id Int32 COMMENT 'Traffic Vsys ID', flags Int64 COMMENT 'Flags', flags_identify_info String COMMENT 'Flags Identify Info', security_rule_list Array(Int64) COMMENT 'Security Rule List', security_action String COMMENT 'Security Action', monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List', shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List', proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List', statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List', sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List', sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)', sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)', proxy_action String COMMENT 'Proxy Action', proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status', proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status', proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason', proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency', proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency', proxy_client_side_version String COMMENT 'Proxy Client-Side Version', proxy_server_side_version String COMMENT 'Proxy Server-Side Version', proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify', proxy_intercept_error String COMMENT 'Proxy Intercept Error', monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor 
Mirrored Packets', monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes', client_ip String COMMENT 'Client IP', client_port Int32 COMMENT 'Client Port', client_os_desc String COMMENT 'Client OS Description', client_geolocation LowCardinality(String) COMMENT 'Client Geolocation', client_asn Nullable(Int64) COMMENT 'Client ASN', subscriber_id String COMMENT 'Subscriber ID', imei String COMMENT 'IMEI', imsi String COMMENT 'IMSI', phone_number String COMMENT 'Phone Number', apn String COMMENT 'APN', server_ip String COMMENT 'Server IP', server_port Int32 COMMENT 'Server Port', server_os_desc String COMMENT 'Server OS Description', server_geolocation LowCardinality(String) COMMENT 'Server Geolocation', server_asn Nullable(Int64) COMMENT 'Server ASN', server_fqdn String COMMENT 'Server FQDN', server_domain String COMMENT 'Server Domain', app_transition String COMMENT 'Application Transition', app LowCardinality(String) COMMENT 'Application', app_debug_info String COMMENT 'Application Debug Info', app_content String COMMENT 'Application Content', fqdn_category_list Array(Int64) COMMENT 'FQDN Category List', ip_protocol LowCardinality(String) COMMENT 'IP Protocol', decoded_path LowCardinality(String) COMMENT 'Decoded Path', http_url String COMMENT 'HTTP URL', http_host String COMMENT 'HTTP Host', http_request_line String COMMENT 'HTTP Request Line', http_response_line String COMMENT 'HTTP Response Line', http_request_body String COMMENT 'HTTP Request Body', http_response_body String COMMENT 'HTTP Response Body', http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag', http_sequence Nullable(Int32) COMMENT 'HTTP Sequence', http_cookie String COMMENT 'HTTP Cookie', http_referer String COMMENT 'HTTP Referer', http_user_agent String COMMENT 'HTTP User-Agent', http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length', http_request_content_type String COMMENT 'HTTP Request Content-Type', http_response_content_length Nullable(Int64) 
COMMENT 'HTTP Response Content-Length', http_response_content_type String COMMENT 'HTTP Response Content-Type', http_set_cookie String COMMENT 'HTTP Set-Cookie', http_version String COMMENT 'HTTP Version', http_status_code Nullable(Int32) COMMENT 'HTTP Status Code', http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency', http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration', http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size', doh_url String COMMENT 'DoH URL', doh_host String COMMENT 'DoH Host', doh_request_line String COMMENT 'DoH Request Line', doh_response_line String COMMENT 'DoH Response Line', doh_cookie String COMMENT 'DoH Cookie', doh_referer String COMMENT 'DoH Referer', doh_user_agent String COMMENT 'DoH User-Agent', doh_content_length String COMMENT 'DoH Content Length', doh_content_type String COMMENT 'DoH Content Type', doh_set_cookie String COMMENT 'DoH Set Cookie', doh_version String COMMENT 'DoH Version', doh_message_id Int64 COMMENT 'DoH Message ID', doh_qr Nullable(Int64) COMMENT 'DoH QR', doh_opcode Nullable(Int64) COMMENT 'DoH OPCODE', doh_aa Nullable(Int64) COMMENT 'DoH AA', doh_tc Nullable(Int64) COMMENT 'DoH TC', doh_rd Nullable(Int64) COMMENT 'DoH RD', doh_ra Nullable(Int64) COMMENT 'DoH RA', doh_rcode Nullable(Int64) COMMENT 'DoH RCODE', doh_qdcount Nullable(Int64) COMMENT 'DoH QDCOUNT', doh_ancount Nullable(Int64) COMMENT 'DoH ANCOUNT', doh_nscount Nullable(Int64) COMMENT 'DoH NSCOUNT', doh_arcount Nullable(Int64) COMMENT 'DoH ARCOUNT', doh_qname String COMMENT 'DoH QNAME', doh_qtype Nullable(Int64) COMMENT 'DoH QTYPE', doh_qclass Nullable(Int64) COMMENT 'DoH QCLASS', doh_cname String COMMENT 'DoH CNAME', doh_sub Nullable(Int64) COMMENT 'DoH SUB', doh_rr String COMMENT 'DoH RR', sent_pkts Int64 COMMENT 'Packets Sent', received_pkts Int64 COMMENT 'Packets Received', sent_bytes Int64 COMMENT 'Bytes Sent', received_bytes Int64 COMMENT 'Bytes Received', tcp_c2s_ip_fragments Nullable(Int64) 
COMMENT 'Client-to-Server IP Fragments', tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments', tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes', tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes', tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets', tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets', tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets', tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets', tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes', tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes', tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time', tcp_client_isn Nullable(Int64) COMMENT 'Client ISN', tcp_server_isn Nullable(Int64) COMMENT 'Server ISN', packet_capture_file String COMMENT 'Packet Capture File', in_src_mac String COMMENT 'Incoming Source MAC', out_src_mac String COMMENT 'Outgoing Source MAC', in_dest_mac String COMMENT 'Incoming Destination MAC', out_dest_mac String COMMENT 'Outgoing Destination MAC', encapsulation String COMMENT 'Encapsulation', dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag', tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description', tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description' ) ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/proxy_event_local', '{replica}') PARTITION BY toYYYYMMDD(toDate(recv_time)) ORDER BY (vsys_id,proxy_action,decoded_as,data_center, device_group,recv_time) TTL toDateTime(recv_time) + toIntervalSecond(15552000) ; CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.proxy_event on cluster js_datahouse ( recv_time Int64 COMMENT 'Receive Time', log_id UInt64 COMMENT 'Log ID', decoded_as String COMMENT 'Decoded AS', session_id UInt64 COMMENT 'Session ID', start_timestamp_ms DateTime64(3) COMMENT 'Start 
Time', end_timestamp_ms DateTime64(3) COMMENT 'End Time', duration_ms Int32 COMMENT 'Duration', tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency', ingestion_time Int64 COMMENT 'Ingestion Time', processing_time Int64 COMMENT 'Processing Time', insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time', device_id String COMMENT 'Device ID', out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID', in_link_id Nullable(Int32) COMMENT 'Incoming Link ID', device_tag String COMMENT 'Device Tag', data_center String COMMENT 'Data Center', device_group String COMMENT 'Device Group', sled_ip String COMMENT 'Sled IP', address_type Int32 COMMENT 'Address Type', vsys_id Int32 COMMENT 'Vsys ID', t_vsys_id Int32 COMMENT 'Traffic Vsys ID', flags Int64 COMMENT 'Flags', flags_identify_info String COMMENT 'Flags Identify Info', security_rule_list Array(Int64) COMMENT 'Security Rule List', security_action String COMMENT 'Security Action', monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List', shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List', proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List', statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List', sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List', sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)', sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)', proxy_action String COMMENT 'Proxy Action', proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status', proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status', proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason', proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency', proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency', proxy_client_side_version String COMMENT 'Proxy Client-Side Version', proxy_server_side_version String COMMENT 'Proxy Server-Side 
Version', proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify', proxy_intercept_error String COMMENT 'Proxy Intercept Error', monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets', monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes', client_ip String COMMENT 'Client IP', client_port Int32 COMMENT 'Client Port', client_os_desc String COMMENT 'Client OS Description', client_geolocation LowCardinality(String) COMMENT 'Client Geolocation', client_asn Nullable(Int64) COMMENT 'Client ASN', subscriber_id String COMMENT 'Subscriber ID', imei String COMMENT 'IMEI', imsi String COMMENT 'IMSI', phone_number String COMMENT 'Phone Number', apn String COMMENT 'APN', server_ip String COMMENT 'Server IP', server_port Int32 COMMENT 'Server Port', server_os_desc String COMMENT 'Server OS Description', server_geolocation LowCardinality(String) COMMENT 'Server Geolocation', server_asn Nullable(Int64) COMMENT 'Server ASN', server_fqdn String COMMENT 'Server FQDN', server_domain String COMMENT 'Server Domain', app_transition String COMMENT 'Application Transition', app LowCardinality(String) COMMENT 'Application', app_debug_info String COMMENT 'Application Debug Info', app_content String COMMENT 'Application Content', fqdn_category_list Array(Int64) COMMENT 'FQDN Category List', ip_protocol LowCardinality(String) COMMENT 'IP Protocol', decoded_path LowCardinality(String) COMMENT 'Decoded Path', http_url String COMMENT 'HTTP URL', http_host String COMMENT 'HTTP Host', http_request_line String COMMENT 'HTTP Request Line', http_response_line String COMMENT 'HTTP Response Line', http_request_body String COMMENT 'HTTP Request Body', http_response_body String COMMENT 'HTTP Response Body', http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag', http_sequence Nullable(Int32) COMMENT 'HTTP Sequence', http_cookie String COMMENT 'HTTP Cookie', http_referer String COMMENT 'HTTP Referer', http_user_agent String COMMENT 'HTTP User-Agent', 
http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length', http_request_content_type String COMMENT 'HTTP Request Content-Type', http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length', http_response_content_type String COMMENT 'HTTP Response Content-Type', http_set_cookie String COMMENT 'HTTP Set-Cookie', http_version String COMMENT 'HTTP Version', http_status_code Nullable(Int32) COMMENT 'HTTP Status Code', http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency', http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration', http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size', doh_url String COMMENT 'DoH URL', doh_host String COMMENT 'DoH Host', doh_request_line String COMMENT 'DoH Request Line', doh_response_line String COMMENT 'DoH Response Line', doh_cookie String COMMENT 'DoH Cookie', doh_referer String COMMENT 'DoH Referer', doh_user_agent String COMMENT 'DoH User-Agent', doh_content_length String COMMENT 'DoH Content Length', doh_content_type String COMMENT 'DoH Content Type', doh_set_cookie String COMMENT 'DoH Set Cookie', doh_version String COMMENT 'DoH Version', doh_message_id Int64 COMMENT 'DoH Message ID', doh_qr Nullable(Int64) COMMENT 'DoH QR', doh_opcode Nullable(Int64) COMMENT 'DoH OPCODE', doh_aa Nullable(Int64) COMMENT 'DoH AA', doh_tc Nullable(Int64) COMMENT 'DoH TC', doh_rd Nullable(Int64) COMMENT 'DoH RD', doh_ra Nullable(Int64) COMMENT 'DoH RA', doh_rcode Nullable(Int64) COMMENT 'DoH RCODE', doh_qdcount Nullable(Int64) COMMENT 'DoH QDCOUNT', doh_ancount Nullable(Int64) COMMENT 'DoH ANCOUNT', doh_nscount Nullable(Int64) COMMENT 'DoH NSCOUNT', doh_arcount Nullable(Int64) COMMENT 'DoH ARCOUNT', doh_qname String COMMENT 'DoH QNAME', doh_qtype Nullable(Int64) COMMENT 'DoH QTYPE', doh_qclass Nullable(Int64) COMMENT 'DoH QCLASS', doh_cname String COMMENT 'DoH CNAME', doh_sub Nullable(Int64) COMMENT 'DoH SUB', doh_rr String COMMENT 'DoH RR', sent_pkts 
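Int64 COMMENT 'Packets Sent', received_pkts Int64 COMMENT 'Packets Received', sent_bytes Int64 COMMENT 'Bytes Sent', received_bytes Int64 COMMENT 'Bytes Received', tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments', tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments', tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes', tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes', tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets', tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets', tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets', tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets', tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes', tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes', tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time', tcp_client_isn Nullable(Int64) COMMENT 'Client ISN', tcp_server_isn Nullable(Int64) COMMENT 'Server ISN', packet_capture_file String COMMENT 'Packet Capture File', in_src_mac String COMMENT 'Incoming Source MAC', out_src_mac String COMMENT 'Outgoing Source MAC', in_dest_mac String COMMENT 'Incoming Destination MAC', out_dest_mac String COMMENT 'Outgoing Destination MAC', encapsulation String COMMENT 'Encapsulation', dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag', tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description', tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description' ) ENGINE =Distributed(js_datahouse,tsg_galaxy_v3,proxy_event_local,rand());

-- tsg_galaxy_v3.security_event_materialized_view
-- Materialized view that writes into tsg_galaxy_v3.security_event_local (TO
-- clause) every row inserted into tsg_galaxy_v3.session_record_local whose
-- security_rule_list is not empty. Columns are passed through unchanged.
--
-- Every `--` comment below is on a line of its own: a line comment runs to the
-- end of the physical line, so a comment sharing a line with DDL (as in the
-- collapsed form of this file) silently comments that DDL out.
--
-- NOTE(review): the projection forwards mail_password, http_cookie,
-- http_set_cookie, http_request_body, http_response_body and the subscriber
-- identifiers (subscriber_id, imei, imsi, phone_number) into the event table
-- as plain strings. Confirm whether the producer masks them; if not, consider
-- leaving mail_password out of the security events or storing only a hash,
-- and restrict SELECT on these columns of the target table.
CREATE MATERIALIZED VIEW IF NOT EXISTS tsg_galaxy_v3.security_event_materialized_view ON CLUSTER js_datahouse
TO tsg_galaxy_v3.security_event_local
(
    -- Record identity and timing
    recv_time Int64,
    log_id UInt64,
    decoded_as String,
    session_id UInt64,
    start_timestamp_ms DateTime64(3),
    end_timestamp_ms DateTime64(3),
    duration_ms Int32,
    tcp_handshake_latency_ms Nullable(Int32),
    ingestion_time Int64,
    processing_time Int64,
    -- insert_time is deliberately not declared here: it is a MATERIALIZED
    -- column in the source table (presumably in the target too -- confirm).
    -- insert_time Int64 MATERIALIZED toUnixTimestamp(now()),

    -- Reporting device
    device_id String,
    out_link_id Nullable(Int32),
    in_link_id Nullable(Int32),
    device_tag String,
    data_center String,
    device_group String,
    sled_ip String,
    address_type Int32,
    vsys_id Int32,
    t_vsys_id Int32,
    flags Int64,
    flags_identify_info String,

    -- Matched rules and actions
    security_rule_list Array(Int64),
    security_action String,
    monitor_rule_list Array(Int64),
    shaping_rule_list Array(Int64),
    proxy_rule_list Array(Int64),
    statistics_rule_list Array(Int64),
    sc_rule_list Array(Int64),
    sc_rsp_raw Array(Int64),
    sc_rsp_decrypted Array(Int64),

    -- Proxy handling
    proxy_action String,
    proxy_pinning_status Nullable(Int32),
    proxy_intercept_status Nullable(Int32),
    proxy_passthrough_reason String,
    proxy_client_side_latency_ms Nullable(Int32),
    proxy_server_side_latency_ms Nullable(Int32),
    proxy_client_side_version String,
    proxy_server_side_version String,
    proxy_cert_verify Nullable(Int32),
    proxy_intercept_error String,
    monitor_mirrored_pkts Nullable(Int32),
    monitor_mirrored_bytes Nullable(Int32),

    -- Client side (includes subscriber identifiers, see NOTE above)
    client_ip String,
    client_port Int32,
    client_os_desc String,
    client_geolocation LowCardinality(String),
    client_asn Nullable(Int64),
    subscriber_id String,
    imei String,
    imsi String,
    phone_number String,
    apn String,

    -- Server side
    server_ip String,
    server_port Int32,
    server_os_desc String,
    server_geolocation LowCardinality(String),
    server_asn Nullable(Int64),
    server_fqdn String,
    server_domain String,

    -- Application identification
    app_transition String,
    app LowCardinality(String),
    app_debug_info String,
    app_content String,
    fqdn_category_list Array(Int64),
    ip_protocol LowCardinality(String),
    decoded_path LowCardinality(String),

    -- DNS
    dns_message_id Nullable(Int32),
    dns_qr Nullable(Int32),
    dns_opcode Nullable(Int32),
    dns_aa Nullable(Int32),
    dns_tc Nullable(Int32),
    dns_rd Nullable(Int32),
    dns_ra Nullable(Int32),
    dns_rcode Nullable(Int32),
    dns_qdcount Nullable(Int32),
    dns_ancount Nullable(Int32),
    dns_nscount Nullable(Int32),
    dns_arcount Nullable(Int32),
    dns_qname String,
    dns_qtype Nullable(Int32),
    dns_qclass Nullable(Int32),
    dns_cname String,
    dns_sub Nullable(Int32),
    dns_rr String,
    dns_response_latency_ms Nullable(Int32),

    -- HTTP (bodies and cookies are sensitive, see NOTE above)
    http_url String,
    http_host String,
    http_request_line String,
    http_response_line String,
    http_request_body String,
    http_response_body String,
    http_proxy_flag Nullable(Int32),
    http_sequence Nullable(Int32),
    http_cookie String,
    http_referer String,
    http_user_agent String,
    http_request_content_length Nullable(Int64),
    http_request_content_type String,
    http_response_content_length Nullable(Int64),
    http_response_content_type String,
    http_set_cookie String,
    http_version String,
    http_status_code Nullable(Int32),
    http_response_latency_ms Nullable(Int32),
    http_session_duration_ms Nullable(Int32),
    http_action_file_size Nullable(Int64),

    -- SSL/TLS
    ssl_version String,
    ssl_sni String,
    ssl_san String,
    ssl_cn String,
    ssl_handshake_latency_ms Nullable(Int32),
    ssl_ja3_hash String,
    ssl_ja3s_hash String,
    ssl_cert_issuer String,
    ssl_cert_subject String,
    ssl_esni_flag Nullable(Int32),
    ssl_ech_flag Nullable(Int32),

    -- DTLS
    dtls_cookie String,
    dtls_version String,
    dtls_sni String,
    dtls_san String,
    dtls_cn String,
    dtls_handshake_latency_ms Nullable(Int32),
    dtls_ja3_fingerprint String,
    dtls_ja3_hash String,
    dtls_cert_issuer String,
    dtls_cert_subject String,

    -- Mail (mail_password is a credential, see NOTE above)
    mail_protocol_type String,
    mail_account String,
    mail_from_cmd String,
    mail_to_cmd String,
    mail_from String,
    mail_password String,
    mail_to String,
    mail_cc String,
    mail_bcc String,
    mail_subject String,
    mail_subject_charset String,
    mail_attachment_name String,
    mail_attachment_name_charset String,
    mail_eml_file String,

    -- FTP
    ftp_account String,
    ftp_url String,
    ftp_link_type String,

    -- QUIC
    quic_version String,
    quic_sni String,
    quic_user_agent String,

    -- RDP
    rdp_cookie String,
    rdp_security_protocol String,
    rdp_client_channels String,
    rdp_keyboard_layout String,
    rdp_client_version String,
    rdp_client_name String,
    rdp_client_product_id String,
    rdp_desktop_width String,
    rdp_desktop_height String,
    rdp_requested_color_depth String,
    rdp_certificate_type String,
    rdp_certificate_count Nullable(Int32),
    rdp_certificate_permanent Nullable(Int32),
    rdp_encryption_level String,
    rdp_encryption_method String,

    -- SSH
    ssh_version String,
    ssh_auth_success String,
    ssh_client_version String,
    ssh_server_version String,
    ssh_cipher_alg String,
    ssh_mac_alg String,
    ssh_compression_alg String,
    ssh_kex_alg String,
    ssh_host_key_alg String,
    ssh_host_key String,
    ssh_hassh String,

    -- SIP / RTP
    sip_call_id String,
    sip_originator_description String,
    sip_responder_description String,
    sip_user_agent String,
    sip_server String,
    sip_originator_sdp_connect_ip String,
    sip_originator_sdp_media_port Nullable(Int32),
    sip_originator_sdp_media_type String,
    sip_originator_sdp_content String,
    sip_responder_sdp_connect_ip String,
    sip_responder_sdp_media_port Nullable(Int32),
    sip_responder_sdp_media_type String,
    sip_responder_sdp_content String,
    sip_duration_s Nullable(Int32),
    sip_bye String,
    rtp_payload_type_c2s Nullable(Int32),
    rtp_payload_type_s2c Nullable(Int32),
    rtp_pcap_path String,
    rtp_originator_dir Nullable(Int32),

    -- Stratum
    stratum_cryptocurrency String,
    stratum_mining_pools String,
    stratum_mining_program String,
    stratum_mining_subscribe String,

    -- Traffic counters and TCP statistics
    sent_pkts Int64,
    received_pkts Int64,
    sent_bytes Int64,
    received_bytes Int64,
    tcp_c2s_ip_fragments Nullable(Int64),
    tcp_s2c_ip_fragments Nullable(Int64),
    tcp_c2s_lost_bytes Nullable(Int64),
    tcp_s2c_lost_bytes Nullable(Int64),
    tcp_c2s_o3_pkts Nullable(Int64),
    tcp_s2c_o3_pkts Nullable(Int64),
    tcp_c2s_rtx_pkts Nullable(Int64),
    tcp_s2c_rtx_pkts Nullable(Int64),
    tcp_c2s_rtx_bytes Nullable(Int64),
    tcp_s2c_rtx_bytes Nullable(Int64),
    tcp_rtt_ms Nullable(Int32),
    tcp_client_isn Nullable(Int64),
    tcp_server_isn Nullable(Int64),

    -- Capture, link layer and tunnelling
    packet_capture_file String,
    in_src_mac String,
    out_src_mac String,
    in_dest_mac String,
    out_dest_mac String,
    encapsulation String,
    dup_traffic_flag Nullable(Int32),
    tunnel_endpoint_a_desc String,
    tunnel_endpoint_b_desc String
)
AS
SELECT
    recv_time,
    log_id,
    decoded_as,
    session_id,
    start_timestamp_ms,
    end_timestamp_ms,
    duration_ms,
    tcp_handshake_latency_ms,
    ingestion_time,
    processing_time,
    -- insert_time is not selected, matching the column list above.
    -- insert_time,
    device_id,
    out_link_id,
    in_link_id,
    device_tag,
    data_center,
    device_group,
    sled_ip,
    address_type,
    vsys_id,
    t_vsys_id,
    flags,
    flags_identify_info,
    security_rule_list,
    security_action,
    monitor_rule_list,
    shaping_rule_list,
    proxy_rule_list,
    statistics_rule_list,
    sc_rule_list,
    sc_rsp_raw,
    sc_rsp_decrypted,
    proxy_action,
    proxy_pinning_status,
    proxy_intercept_status,
    proxy_passthrough_reason,
    proxy_client_side_latency_ms,
    proxy_server_side_latency_ms,
    proxy_client_side_version,
    proxy_server_side_version,
    proxy_cert_verify,
    proxy_intercept_error,
    monitor_mirrored_pkts,
    monitor_mirrored_bytes,
    client_ip,
    client_port,
    client_os_desc,
    client_geolocation,
    client_asn,
    subscriber_id,
    imei,
    imsi,
    phone_number,
    apn,
    server_ip,
    server_port,
    server_os_desc,
    server_geolocation,
    server_asn,
    server_fqdn,
    server_domain,
    app_transition,
    app,
    app_debug_info,
    app_content,
    fqdn_category_list,
    ip_protocol,
    decoded_path,
    dns_message_id,
    dns_qr,
    dns_opcode,
    dns_aa,
    dns_tc,
    dns_rd,
    dns_ra,
    dns_rcode,
    dns_qdcount,
    dns_ancount,
    dns_nscount,
    dns_arcount,
    dns_qname,
    dns_qtype,
    dns_qclass,
    dns_cname,
    dns_sub,
    dns_rr,
    dns_response_latency_ms,
    http_url,
    http_host,
    http_request_line,
    http_response_line,
    http_request_body,
    http_response_body,
    http_proxy_flag,
    http_sequence,
    http_cookie,
    http_referer,
    http_user_agent,
    http_request_content_length,
    http_request_content_type,
    http_response_content_length,
    http_response_content_type,
    http_set_cookie,
    http_version,
    http_status_code,
    http_response_latency_ms,
    http_session_duration_ms,
    http_action_file_size,
    ssl_version,
    ssl_sni,
    ssl_san,
    ssl_cn,
    ssl_handshake_latency_ms,
    ssl_ja3_hash,
    ssl_ja3s_hash,
    ssl_cert_issuer,
    ssl_cert_subject,
    ssl_esni_flag,
    ssl_ech_flag,
    dtls_cookie,
    dtls_version,
    dtls_sni,
    dtls_san,
    dtls_cn,
    dtls_handshake_latency_ms,
    dtls_ja3_fingerprint,
    dtls_ja3_hash,
    dtls_cert_issuer,
    dtls_cert_subject,
    mail_protocol_type,
    mail_account,
    mail_from_cmd,
    mail_to_cmd,
    mail_from,
    mail_password,
    mail_to,
    mail_cc,
    mail_bcc,
    mail_subject,
    mail_subject_charset,
    mail_attachment_name,
    mail_attachment_name_charset,
    mail_eml_file,
    ftp_account,
    ftp_url,
    ftp_link_type,
    quic_version,
    quic_sni,
    quic_user_agent,
    rdp_cookie,
    rdp_security_protocol,
    rdp_client_channels,
    rdp_keyboard_layout,
    rdp_client_version,
    rdp_client_name,
    rdp_client_product_id,
    rdp_desktop_width,
    rdp_desktop_height,
    rdp_requested_color_depth,
    rdp_certificate_type,
    rdp_certificate_count,
    rdp_certificate_permanent,
    rdp_encryption_level,
    rdp_encryption_method,
    ssh_version,
    ssh_auth_success,
    ssh_client_version,
    ssh_server_version,
    ssh_cipher_alg,
    ssh_mac_alg,
    ssh_compression_alg,
    ssh_kex_alg,
    ssh_host_key_alg,
    ssh_host_key,
    ssh_hassh,
    sip_call_id,
    sip_originator_description,
    sip_responder_description,
    sip_user_agent,
    sip_server,
    sip_originator_sdp_connect_ip,
    sip_originator_sdp_media_port,
    sip_originator_sdp_media_type,
    sip_originator_sdp_content,
    sip_responder_sdp_connect_ip,
    sip_responder_sdp_media_port,
    sip_responder_sdp_media_type,
    sip_responder_sdp_content,
    sip_duration_s,
    sip_bye,
    rtp_payload_type_c2s,
    rtp_payload_type_s2c,
    rtp_pcap_path,
    rtp_originator_dir,
    stratum_cryptocurrency,
    stratum_mining_pools,
    stratum_mining_program,
    stratum_mining_subscribe,
    sent_pkts,
    received_pkts,
    sent_bytes,
    received_bytes,
    tcp_c2s_ip_fragments,
    tcp_s2c_ip_fragments,
    tcp_c2s_lost_bytes,
    tcp_s2c_lost_bytes,
    tcp_c2s_o3_pkts,
    tcp_s2c_o3_pkts,
    tcp_c2s_rtx_pkts,
    tcp_s2c_rtx_pkts,
    tcp_c2s_rtx_bytes,
    tcp_s2c_rtx_bytes,
    tcp_rtt_ms,
    tcp_client_isn,
    tcp_server_isn,
    packet_capture_file,
    in_src_mac,
    out_src_mac,
    in_dest_mac,
    out_dest_mac,
    encapsulation,
    dup_traffic_flag,
    tunnel_endpoint_a_desc,
    tunnel_endpoint_b_desc
FROM tsg_galaxy_v3.session_record_local
-- Only sessions that matched at least one security rule become security events.
WHERE empty(security_rule_list) = 0;

-- tsg_galaxy_v3.monitor_event_materialized_view CREATE MATERIALIZED VIEW IF 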
NOT EXISTS tsg_galaxy_v3.monitor_event_materialized_view on cluster js_datahouse TO tsg_galaxy_v3.monitor_event_local ( recv_time Int64, log_id UInt64, decoded_as String, session_id UInt64, start_timestamp_ms DateTime64(3), end_timestamp_ms DateTime64(3), duration_ms Int32, tcp_handshake_latency_ms Nullable(Int32), ingestion_time Int64, processing_time Int64, -- insert_time Int64 MATERIALIZED toUnixTimestamp(now()), device_id String, out_link_id Nullable(Int32), in_link_id Nullable(Int32), device_tag String, data_center String, device_group String, sled_ip String, address_type Int32, vsys_id Int32, t_vsys_id Int32, flags Int64, flags_identify_info String, security_rule_list Array(Int64), security_action String, monitor_rule_list Array(Int64), shaping_rule_list Array(Int64), proxy_rule_list Array(Int64), statistics_rule_list Array(Int64), sc_rule_list Array(Int64), sc_rsp_raw Array(Int64), sc_rsp_decrypted Array(Int64), proxy_action String, proxy_pinning_status Nullable(Int32), proxy_intercept_status Nullable(Int32), proxy_passthrough_reason String, proxy_client_side_latency_ms Nullable(Int32), proxy_server_side_latency_ms Nullable(Int32), proxy_client_side_version String, proxy_server_side_version String, proxy_cert_verify Nullable(Int32), proxy_intercept_error String, monitor_mirrored_pkts Nullable(Int32), monitor_mirrored_bytes Nullable(Int32), client_ip String, client_port Int32, client_os_desc String, client_geolocation LowCardinality(String), client_asn Nullable(Int64), subscriber_id String, imei String, imsi String, phone_number String, apn String, server_ip String, server_port Int32, server_os_desc String, server_geolocation LowCardinality(String), server_asn Nullable(Int64), server_fqdn String, server_domain String, app_transition String, app LowCardinality(String), app_debug_info String, app_content String, fqdn_category_list Array(Int64), ip_protocol LowCardinality(String), decoded_path LowCardinality(String), dns_message_id Nullable(Int32), dns_qr 
Nullable(Int32), dns_opcode Nullable(Int32), dns_aa Nullable(Int32), dns_tc Nullable(Int32), dns_rd Nullable(Int32), dns_ra Nullable(Int32), dns_rcode Nullable(Int32), dns_qdcount Nullable(Int32), dns_ancount Nullable(Int32), dns_nscount Nullable(Int32), dns_arcount Nullable(Int32), dns_qname String, dns_qtype Nullable(Int32), dns_qclass Nullable(Int32), dns_cname String, dns_sub Nullable(Int32), dns_rr String, dns_response_latency_ms Nullable(Int32), http_url String, http_host String, http_request_line String, http_response_line String, http_request_body String, http_response_body String, http_proxy_flag Nullable(Int32), http_sequence Nullable(Int32), http_cookie String, http_referer String, http_user_agent String, http_request_content_length Nullable(Int64), http_request_content_type String, http_response_content_length Nullable(Int64), http_response_content_type String, http_set_cookie String, http_version String, http_status_code Nullable(Int32), http_response_latency_ms Nullable(Int32), http_session_duration_ms Nullable(Int32), http_action_file_size Nullable(Int64), ssl_version String, ssl_sni String, ssl_san String, ssl_cn String, ssl_handshake_latency_ms Nullable(Int32), ssl_ja3_hash String, ssl_ja3s_hash String, ssl_cert_issuer String, ssl_cert_subject String, ssl_esni_flag Nullable(Int32), ssl_ech_flag Nullable(Int32), dtls_cookie String, dtls_version String, dtls_sni String, dtls_san String, dtls_cn String, dtls_handshake_latency_ms Nullable(Int32), dtls_ja3_fingerprint String, dtls_ja3_hash String, dtls_cert_issuer String, dtls_cert_subject String, mail_protocol_type String, mail_account String, mail_from_cmd String, mail_to_cmd String, mail_from String, mail_password String, mail_to String, mail_cc String, mail_bcc String, mail_subject String, mail_subject_charset String, mail_attachment_name String, mail_attachment_name_charset String, mail_eml_file String, ftp_account String, ftp_url String, ftp_link_type String, quic_version String, quic_sni String, 
quic_user_agent String, rdp_cookie String, rdp_security_protocol String, rdp_client_channels String, rdp_keyboard_layout String, rdp_client_version String, rdp_client_name String, rdp_client_product_id String, rdp_desktop_width String, rdp_desktop_height String, rdp_requested_color_depth String, rdp_certificate_type String, rdp_certificate_count Nullable(Int32), rdp_certificate_permanent Nullable(Int32), rdp_encryption_level String, rdp_encryption_method String, ssh_version String, ssh_auth_success String, ssh_client_version String, ssh_server_version String, ssh_cipher_alg String, ssh_mac_alg String, ssh_compression_alg String, ssh_kex_alg String, ssh_host_key_alg String, ssh_host_key String, ssh_hassh String, sip_call_id String, sip_originator_description String, sip_responder_description String, sip_user_agent String, sip_server String, sip_originator_sdp_connect_ip String, sip_originator_sdp_media_port Nullable(Int32), sip_originator_sdp_media_type String, sip_originator_sdp_content String, sip_responder_sdp_connect_ip String, sip_responder_sdp_media_port Nullable(Int32), sip_responder_sdp_media_type String, sip_responder_sdp_content String, sip_duration_s Nullable(Int32), sip_bye String, rtp_payload_type_c2s Nullable(Int32), rtp_payload_type_s2c Nullable(Int32), rtp_pcap_path String, rtp_originator_dir Nullable(Int32), stratum_cryptocurrency String, stratum_mining_pools String, stratum_mining_program String, stratum_mining_subscribe String, sent_pkts Int64, received_pkts Int64, sent_bytes Int64, received_bytes Int64, tcp_c2s_ip_fragments Nullable(Int64), tcp_s2c_ip_fragments Nullable(Int64), tcp_c2s_lost_bytes Nullable(Int64), tcp_s2c_lost_bytes Nullable(Int64), tcp_c2s_o3_pkts Nullable(Int64), tcp_s2c_o3_pkts Nullable(Int64), tcp_c2s_rtx_pkts Nullable(Int64), tcp_s2c_rtx_pkts Nullable(Int64), tcp_c2s_rtx_bytes Nullable(Int64), tcp_s2c_rtx_bytes Nullable(Int64), tcp_rtt_ms Nullable(Int32), tcp_client_isn Nullable(Int64), tcp_server_isn Nullable(Int64), 
packet_capture_file String, in_src_mac String, out_src_mac String, in_dest_mac String, out_dest_mac String, encapsulation String, dup_traffic_flag Nullable(Int32), tunnel_endpoint_a_desc String, tunnel_endpoint_b_desc String ) AS SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, -- insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, vsys_id, t_vsys_id, flags, flags_identify_info, security_rule_list, security_action, monitor_rule_list, shaping_rule_list, proxy_rule_list, statistics_rule_list, sc_rule_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_port, client_os_desc, client_geolocation, client_asn, subscriber_id, imei, imsi, phone_number, apn, server_ip, server_port, server_os_desc, server_geolocation, server_asn, server_fqdn, server_domain, app_transition, app, app_debug_info, app_content, fqdn_category_list, ip_protocol, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, 
ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, encapsulation, dup_traffic_flag, 
tunnel_endpoint_a_desc, tunnel_endpoint_b_desc FROM tsg_galaxy_v3.session_record_local WHERE empty(monitor_rule_list) = 0 ;