{ "functions": { "aggregation": [ { "name": "COUNT", "label": "COUNT", "function": "count(expr)" }, { "name": "COUNT_DISTINCT", "label": "COUNT_DISTINCT", "function": "count(distinct expr)" }, { "name": "AVG", "label": "AVG", "function": "avg(expr)" }, { "name": "SUM", "label": "SUM", "function": "sum(expr)" }, { "name": "MAX", "label": "MAX", "function": "max(expr)" }, { "name": "MIN", "label": "MIN", "function": "min(expr)" } ], "operator": [ { "name": "=", "label": "=", "function": "expr = value" }, { "name": "!=", "label": "!=", "function": "expr != value" }, { "name": ">", "label": ">", "function": "expr > value" }, { "name": "<", "label": "<", "function": "expr < value" }, { "name": ">=", "label": ">=", "function": "expr >= value" }, { "name": "<=", "label": "<=", "function": "expr <= value" }, { "name": "has", "label": "HAS", "function": "has(expr, value)" }, { "name": "in", "label": "IN", "function": "expr in (values)" }, { "name": "not in", "label": "NOT IN", "function": "expr not in (values)" }, { "name": "like", "label": "LIKE", "function": "expr like value" }, { "name": "not like", "label": "NOT LIKE", "function": "expr not like value" }, { "name": "notEmpty", "label": "NOT EMPTY", "function": "notEmpty(expr)" }, { "name": "empty", "label": "EMPTY", "function": "empty(expr)" } ] }, "schema_query": { "references": { "aggregation": [ { "type": "int", "functions": "COUNT,COUNT_DISTINCT,AVG,SUM,MAX,MIN" }, { "type": "long", "functions": "COUNT,COUNT_DISTINCT,AVG,SUM,MAX,MIN" }, { "type": "float", "functions": "COUNT,COUNT_DISTINCT,AVG,SUM,MAX,MIN" }, { "type": "double", "functions": "COUNT,COUNT_DISTINCT,AVG,SUM,MAX,MIN" }, { "type": "string", "functions": "COUNT,COUNT_DISTINCT" }, { "type": "date", "functions": "COUNT,COUNT_DISTINCT,MAX,MIN" }, { "type": "timestamp", "functions": "COUNT,COUNT_DISTINCT,MAX,MIN" } ], "operator": [ { "type": "int", "functions": "=,!=,>,<,>=,<=,in,not in" }, { "type": "long", "functions": "=,!=,>,<,>=,<=,in,not in" }, { 
"type": "float", "functions": "=,!=,>,<,>=,<=" }, { "type": "double", "functions": "=,!=,>,<,>=,<=" }, { "type": "string", "functions": "=,!=,in,not in,like,not like,notEmpty,empty" }, { "type": "date", "functions": "=,!=,>,<,>=,<=" }, { "type": "timestamp", "functions": "=,!=,>,<,>=,<=" }, { "type": "array", "functions": "has" } ] } }, "schema_type": { "BASE": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_service_category", "common_l7_protocol", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", 
"common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes" ], "default_columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_client_ip", "common_server_ip", "common_server_port" ] }, "HTTP": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_service_category", "common_l7_protocol", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", 
"common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "http_url", "http_host", "http_domain", "http_request_line", "http_response_line", "http_request_header", "http_response_header", "http_request_content", "http_request_content_length", "http_request_content_type", "http_response_content", "http_response_content_length", "http_response_content_type", "http_request_body", "http_response_body", "http_request_body_key", "http_response_body_key", "http_proxy_flag", "http_sequence", "http_snapshot", "http_cookie", "http_referer", "http_user_agent", "http_content_length", "http_content_type", "http_set_cookie", "http_version", "http_response_latency_ms", "http_session_duration_ms", "http_action_file_size" ], "default_columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_client_ip", "http_url", "common_server_port", "common_sub_action" ] }, "MAIL": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", 
"common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "mail_protocol_type", "mail_account", "mail_from_cmd", "mail_to_cmd", "mail_from", "mail_to", "mail_cc", "mail_bcc", "mail_subject", "mail_subject_charset", "mail_content", "mail_content_charset", "mail_attachment_name", "mail_attachment_name_charset", "mail_attachment_content", "mail_eml_file", "mail_snapshot" ], "default_columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_client_ip", "mail_from", "mail_to", "mail_subject" ] }, "DNS": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", 
"common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "dns_message_id", "dns_qr", "dns_opcode", "dns_aa", "dns_tc", "dns_rd", "dns_ra", "dns_rcode", "dns_qdcount", "dns_ancount", "dns_nscount", "dns_arcount", "dns_qname", "dns_qtype", "dns_qclass", "dns_cname", "dns_sub", "dns_rr", "dns_response_latency_ms" ], "default_columns": [ 
"common_recv_time", "common_log_id", "common_policy_id", "common_client_ip", "dns_qr", "dns_qname", "dns_qtype" ] }, "SSL": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", 
"common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "ssl_sni", "ssl_san", "ssl_cn", "ssl_pinningst", "ssl_intercept_state", "ssl_passthrough_reason", "ssl_server_side_latency", "ssl_client_side_latency", "ssl_server_side_version", "ssl_client_side_version", "ssl_cert_verify", "ssl_error", "ssl_con_latency_ms", "ssl_ja3_fingerprint", "ssl_ja3_hash", "ssl_cert_issuer", "ssl_cert_subject" ], "default_columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_client_ip", "ssl_sni", "common_server_ip", "common_server_port" ] }, "QUIC": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", 
"common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "quic_version", "quic_sni", "quic_user_agent" ], "default_columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_client_ip", "quic_sni", "common_server_ip", "common_server_port" ] }, "FTP": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", 
"common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "ftp_account", "ftp_url", "ftp_content", "ftp_link_type" ], "default_columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_client_ip", "ftp_url", "common_server_ip", "common_server_port" ] }, "BGP": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", 
"common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "bgp_type", "bgp_as_num", "bgp_route" ], "default_columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_client_ip", "bgp_type", "bgp_as_num", "common_server_ip", "common_server_port" ] }, "SIP": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", 
"common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "sip_call_id", "sip_originator_description", "sip_responder_description", "sip_user_agent", "sip_server", "sip_originator_sdp_connect_ip", "sip_originator_sdp_media_port", "sip_originator_sdp_media_type", "sip_originator_sdp_content", "sip_responder_sdp_connect_ip", "sip_responder_sdp_media_port", "sip_responder_sdp_media_type", "sip_responder_sdp_content", "sip_duration_s", "sip_bye" ], "default_columns": [ "common_recv_time", "common_log_id", "common_subscriber_id", "common_client_ip", "sip_originator_description", "sip_responder_description", "sip_call_id", "common_server_ip", "common_server_port" ] }, "RTP": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", 
"common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "rtp_payload_type_c2s", "rtp_payload_type_s2c", "rtp_pcap_path", "rtp_originator_dir" ], "default_columns": [ "common_recv_time", "common_log_id", "common_subscriber_id", "common_client_ip", "common_server_ip", "common_server_port", "rtp_pcap_path", 
"rtp_originator_dir" ] }, "APP": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "app_extra_info" ], 
"default_columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_client_ip", "common_app_id", "common_app_label", "app_extra_info", "common_server_ip", "common_server_port" ] }, "DoH": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", 
"common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "doh_url", "doh_host", "doh_request_line", "doh_response_line", "doh_cookie", "doh_referer", "doh_user_agent", "doh_content_length", "doh_content_type", "doh_set_cookie", "doh_version", "doh_message_id", "doh_qr", "doh_opcode", "doh_aa", "doh_tc", "doh_rd", "doh_ra", "doh_rcode", "doh_qdcount", "doh_ancount", "doh_nscount", "doh_arcount", "doh_qname", "doh_qtype", "doh_qclass", "doh_cname", "doh_sub", "doh_rr" ], "default_columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_client_ip", "doh_url", "doh_qname", "common_server_port" ] }, "VoIP": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", 
"common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "sip_call_id", "sip_originator_description", "sip_responder_description", "sip_user_agent", "sip_server", "sip_originator_sdp_connect_ip", "sip_originator_sdp_media_port", "sip_originator_sdp_media_type", "sip_originator_sdp_content", "sip_responder_sdp_connect_ip", "sip_responder_sdp_media_port", "sip_responder_sdp_media_type", "sip_responder_sdp_content", "sip_duration_s", "sip_bye", "rtp_payload_type_c2s", "rtp_payload_type_s2c", "rtp_pcap_path", "rtp_originator_dir" ], "default_columns": [ "common_recv_time", "common_log_id", "common_subscriber_id", "common_client_ip", "sip_originator_description", "sip_responder_description", "sip_call_id", "common_server_ip", "common_server_port", "rtp_pcap_path", "rtp_originator_dir" ] }, "SSH": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", 
"common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "ssh_version", "ssh_auth_success", "ssh_client_version", "ssh_server_version", "ssh_cipher_alg", "ssh_mac_alg", "ssh_compression_alg", "ssh_kex_alg", "ssh_host_key_alg", "ssh_host_key", "ssh_hassh" ], "default_columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_client_ip", "common_server_ip", "common_server_port", "ssh_auth_success" ] }, "RADIUS": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", 
"common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "radius_packet_type", "radius_nas_ip", "radius_framed_ip", "radius_account", "radius_session_timeout", "radius_idle_timeout", "radius_acct_status_type", "radius_acct_terminate_cause", "radius_event_timestamp", 
"radius_nas_port", "radius_service_type", "radius_framed_protocol", "radius_callback_number", "radius_callback_id", "radius_termination_action", "radius_called_station_id", "radius_calling_station_id", "radius_acct_delay_time", "radius_acct_session_id", "radius_acct_multi_session_id", "radius_acct_input_octets", "radius_acct_output_octets", "radius_acct_input_packets", "radius_acct_output_packets", "radius_acct_session_time", "radius_acct_link_count", "radius_acct_interim_interval", "radius_acct_authentic" ], "default_columns": [ "common_recv_time", "common_log_id", "common_subscriber_id", "radius_nas_ip", "radius_framed_ip", "radius_acct_status_type" ] }, "Stratum": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", "common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", 
"common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "stratum_cryptocurrency", "stratum_mining_pools", "stratum_mining_program" ], "default_columns": [ "common_recv_time", "common_log_id", "common_subscriber_id", "stratum_cryptocurrency", "stratum_mining_pools", "stratum_mining_program" ] }, "RDP": { "columns": [ "common_recv_time", "common_log_id", "common_policy_id", "common_subscriber_id", "common_imei", "common_imsi", "common_phone_number", "common_client_ip", "common_client_port", "common_internal_ip", "common_l4_protocol", "common_address_type", "common_server_ip", "common_server_port", "common_external_ip", "common_action", "common_direction", "common_entrance_id", "common_sled_ip", "common_client_location", "common_client_asn", "common_server_location", "common_server_asn", "common_sessions", "common_c2s_pkt_num", "common_s2c_pkt_num", "common_c2s_byte_num", "common_s2c_byte_num", "common_c2s_pkt_diff", "common_s2c_pkt_diff", "common_c2s_byte_diff", "common_s2c_byte_diff", "common_service", "common_schema_type", "common_user_tags", "common_sub_action", "common_user_region", "common_device_id", "common_egress_link_id", "common_ingress_link_id", "common_isp", "common_device_tag", "common_data_center", "common_device_group", "common_app_behavior", "common_encapsulation", "common_app_label", "common_tunnels", "common_protocol_label", "common_app_id", "common_userdefine_app_name", 
"common_app_identify_info", "common_app_surrogate_id", "common_l7_protocol", "common_service_category", "common_start_time", "common_end_time", "common_establish_latency_ms", "common_con_duration_ms", "common_stream_dir", "common_address_list", "common_has_dup_traffic", "common_stream_error", "common_stream_trace_id", "common_link_info_c2s", "common_link_info_s2c", "common_packet_capture_file", "common_c2s_ipfrag_num", "common_s2c_ipfrag_num", "common_c2s_tcp_lostlen", "common_s2c_tcp_lostlen", "common_c2s_tcp_unorder_num", "common_s2c_tcp_unorder_num", "common_c2s_pkt_retrans", "common_s2c_pkt_retrans", "common_c2s_byte_retrans", "common_s2c_byte_retrans", "common_tcp_client_isn", "common_tcp_server_isn", "common_first_ttl", "common_processing_time", "common_ingestion_time", "common_mirrored_pkts", "common_mirrored_bytes", "rdp_cookie", "rdp_security_protocol", "rdp_client_channels", "rdp_keyboard_layout", "rdp_client_version", "rdp_client_name", "rdp_client_product_id", "rdp_desktop_width", "rdp_desktop_height", "rdp_requested_color_depth", "rdp_certificate_type", "rdp_certificate_count", "rdp_certificate_permanent", "rdp_encryption_level", "rdp_encryption_method" ], "default_columns": [ "common_recv_time", "common_log_id", "common_subscriber_id", "rdp_client_version", "rdp_client_name" ] } }, "tunnel_type": { "GTP": [ { "name": "gtp_sgw_ip", "label": "S-GW IP", "type": "string" }, { "name": "gtp_pgw_ip", "label": "P-GW IP", "type": "string" }, { "name": "gtp_sgw_port", "label": "S-GW Port", "type": "int" }, { "name": "gtp_pgw_port", "label": "P-GW Port", "type": "int" }, { "name": "gtp_uplink_teid", "label": "Uplink TEID", "type": "long" }, { "name": "gtp_downlink_teid", "label": "Downlink TEID", "type": "long" } ], "MPLS": [ { "name": "mpls_c2s_direction_label", "label": "Multiprotocol Label (c2s)", "type": { "type": "array", "items": "int" } }, { "name": "mpls_s2c_direction_label", "label": "Multiprotocol Label (s2c)", "type": { "type": "array", "items": "int" 
} } ], "VLAN": [ { "name": "vlan_c2s_direction_id", "label": "VLAN Direction (c2s)", "type": { "type": "array", "items": "int" } }, { "name": "vlan_s2c_direction_id", "label": "VLAN Direction (s2c)", "type": { "type": "array", "items": "int" } } ], "ETHERNET": [ { "name": "source_mac", "label": "Source MAC", "type": "string" }, { "name": "destination_mac", "label": "Destination MAC", "type": "string" } ], "MULTIPATH_ETHERNET": [ { "name": "c2s_source_mac", "label": "Source MAC (c2s)", "type": "string" }, { "name": "c2s_destination_mac", "label": "Destination MAC (c2s)", "type": "string" }, { "name": "s2c_source_mac", "label": "Source MAC (s2c)", "type": "string" }, { "name": "s2c_destination_mac", "label": "Destination MAC (s2c)", "type": "string" } ], "L2TP": [ { "name": "l2tp_version", "label": "Version", "type": "string" }, { "name": "l2tp_lac2lns_tunnel_id", "label": "LAC2LNS Tunnel ID", "type": "int" }, { "name": "l2tp_lns2lac_tunnel_id", "label": "LNS2LAC Tunnel ID", "type": "int" }, { "name": "l2tp_lac2lns_session_id", "label": "LAC2LNS Session ID", "type": "int" }, { "name": "l2tp_lns2lac_session_id", "label": "LNS2LAC Session ID", "type": "int" }, { "name": "l2tp_access_concentrator_ip", "label": "Access Concentrator IP", "type": "string" }, { "name": "l2tp_access_concentrator_port", "label": "Access Concentrator Port", "type": "int" }, { "name": "l2tp_network_server_ip", "label": "Network Server IP", "type": "string" }, { "name": "l2tp_network_server_port", "label": "Network Server Port", "type": "int" } ], "PPTP": [ { "name": "pptp_uplink_tunnel_id", "label": "UpLink Tunnel ID", "type": "int" }, { "name": "pptp_downlink_tunnel_id", "label": "DownLink Tunnel ID", "type": "int" } ] }, "fields": { "common_encapsulation": { "data": [ { "code": "0", "value": "Ethernet" }, { "code": "8", "value": "PPP" }, { "code": "12", "value": "CiscoHDLC" } ] }, "common_has_dup_traffic": { "data": [ { "code": "0", "value": "No" }, { "code": "1", "value": "Yes" } ] } } }