From 9f10cb3f84cc593e5818eeb79f16c8f8d77789f1 Mon Sep 17 00:00:00 2001
From: lifengchao <lifengchao@geedgenetworks.com>
Date: Tue, 5 Nov 2024 09:25:36 +0800
Subject: [PATCH] =?UTF-8?q?TSG-23367=20Clickhouse=E6=96=B0=E5=A2=9E?=
 =?UTF-8?q?=E5=85=AC=E5=85=B1=E5=AD=97=E6=AE=B5subscriber=5Fid=5Fhmac,=20p?=
 =?UTF-8?q?hone=5Fnumber=5Fhmac?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../tsg_olap_clickhouse_ddl.sql               |   44 +-
 .../tsg_olap_clickhouse_ddl_check.sql         |   11 +-
 .../tsg_olap_clickhouse_ddl_24.11.sql         | 3535 +++++++++++++++++
 .../tsg_olap_clickhouse_ddl_check_24.11.sql   |   23 +
 .../tsg_olap_clickhouse_ddl_upgrade_24.11.sql | 1073 +++++
 5 files changed, 4673 insertions(+), 13 deletions(-)
 create mode 100644 tsg_olap/upgrade/TSG-24.11/clickhouse/tsg_olap_clickhouse_ddl_24.11.sql
 create mode 100644 tsg_olap/upgrade/TSG-24.11/clickhouse/tsg_olap_clickhouse_ddl_check_24.11.sql
 create mode 100644 tsg_olap/upgrade/TSG-24.11/clickhouse/tsg_olap_clickhouse_ddl_upgrade_24.11.sql

diff --git a/tsg_olap/installation/clickhouse/最新全量建表语句/tsg_olap_clickhouse_ddl.sql b/tsg_olap/installation/clickhouse/最新全量建表语句/tsg_olap_clickhouse_ddl.sql
index af8653a..10b5573 100644
--- a/tsg_olap/installation/clickhouse/最新全量建表语句/tsg_olap_clickhouse_ddl.sql
+++ b/tsg_olap/installation/clickhouse/最新全量建表语句/tsg_olap_clickhouse_ddl.sql
@@ -11,16 +11,18 @@ CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.dos_event_local on cluster ck_cluster (
     attack_type String,
     severity String,
     conditions String,
+    source_ip String,
+    source_country String,
     destination_ip String,
     destination_country String,
     source_ip_list String,
     source_country_list String,
     sessions Int64,
-    session_rate Int64,
+    session_rate Float64,
     packets Int64,
-    packet_rate Int64,
+    packet_rate Float64,
     bytes Int64,
-    bit_rate Int64
+    bit_rate Float64
 )
 ENGINE = MergeTree
 PARTITION BY toYYYYMMDD(toDate(recv_time))
@@ -37,16 +39,18 @@ CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.dos_event on cluster ck_cluster (
     attack_type String,
     severity String,
     conditions String,
+    source_ip String,
+    source_country String,
     destination_ip String,
     destination_country String,
     source_ip_list String,
     source_country_list String,
     sessions Int64,
-    session_rate Int64,
+    session_rate Float64,
     packets Int64,
-    packet_rate Int64,
+    packet_rate Float64,
     bytes Int64,
-    bit_rate Int64
+    bit_rate Float64
 )
 ENGINE =Distributed(ck_cluster,tsg_galaxy_v3,dos_event_local,rand());
 
@@ -153,9 +157,11 @@ client_administrative_area String,
 client_sub_administrative_area String,
 client_asn Nullable(Int64),
 subscriber_id String,
+subscriber_id_hmac String,
 imei String,
 imsi String,
 phone_number String,
+phone_number_hmac String,
 apn String,
 mobile_identify String,
 server_ip String,
@@ -413,9 +419,11 @@ client_administrative_area String,
 client_sub_administrative_area String,
 client_asn Nullable(Int64),
 subscriber_id String,
+subscriber_id_hmac String,
 imei String,
 imsi String,
 phone_number String,
+phone_number_hmac String,
 apn String,
 mobile_identify String,
 server_ip String,
@@ -671,9 +679,11 @@ client_administrative_area String,
 client_sub_administrative_area String,
 client_asn Nullable(Int64),
 subscriber_id String,
+subscriber_id_hmac String,
 imei String,
 imsi String,
 phone_number String,
+phone_number_hmac String,
 apn String,
 mobile_identify String,
 server_ip String,
@@ -930,9 +940,11 @@ client_administrative_area String,
 client_sub_administrative_area String,
 client_asn Nullable(Int64),
 subscriber_id String,
+subscriber_id_hmac String,
 imei String,
 imsi String,
 phone_number String,
+phone_number_hmac String,
 apn String,
 mobile_identify String,
 server_ip String,
@@ -1188,9 +1200,11 @@ client_administrative_area String,
 client_sub_administrative_area String,
 client_asn Nullable(Int64),
 subscriber_id String,
+subscriber_id_hmac String,
 imei String,
 imsi String,
 phone_number String,
+phone_number_hmac String,
 apn String,
 mobile_identify String,
 server_ip String,
@@ -1447,9 +1461,11 @@ client_administrative_area String,
 client_sub_administrative_area String,
 client_asn Nullable(Int64),
 subscriber_id String,
+subscriber_id_hmac String,
 imei String,
 imsi String,
 phone_number String,
+phone_number_hmac String,
 apn String,
 mobile_identify String,
 server_ip String,
@@ -2043,9 +2059,11 @@ client_administrative_area String,
 client_sub_administrative_area String,
 client_asn Nullable(Int64),
 subscriber_id String,
+subscriber_id_hmac String,
 imei String,
 imsi String,
 phone_number String,
+phone_number_hmac String,
 apn String,
 mobile_identify String,
 server_ip String,
@@ -2219,9 +2237,11 @@ client_administrative_area String,
 client_sub_administrative_area String,
 client_asn Nullable(Int64),
 subscriber_id String,
+subscriber_id_hmac String,
 imei String,
 imsi String,
 phone_number String,
+phone_number_hmac String,
 apn String,
 mobile_identify String,
 server_ip String,
@@ -2396,9 +2416,11 @@ TO tsg_galaxy_v3.security_event_local
     client_sub_administrative_area String,
     client_asn Nullable(Int64),
     subscriber_id String,
+    subscriber_id_hmac String,
     imei String,
     imsi String,
     phone_number String,
+    phone_number_hmac String,
     apn String,
     mobile_identify String,
     server_ip String,
@@ -2652,9 +2674,11 @@ SELECT
     client_sub_administrative_area,
     client_asn,
     subscriber_id,
+    subscriber_id_hmac,
     imei,
     imsi,
     phone_number,
+    phone_number_hmac,
     apn,
     mobile_identify,
     server_ip,
@@ -2842,7 +2866,7 @@ SELECT
     tunnel_endpoint_a_desc,
     tunnel_endpoint_b_desc
 FROM tsg_galaxy_v3.session_record_local
-WHERE empty(security_rule_uuid_list) = 0
+WHERE notEmpty(security_rule_uuid_list)
 ;
 
 -- tsg_galaxy_v3.monitor_event_materialized_view
@@ -2913,9 +2937,11 @@ TO tsg_galaxy_v3.monitor_event_local
     client_sub_administrative_area String,
     client_asn Nullable(Int64),
     subscriber_id String,
+    subscriber_id_hmac String,
     imei String,
     imsi String,
     phone_number String,
+    phone_number_hmac String,
     apn String,
     mobile_identify String,
     server_ip String,
@@ -3169,9 +3195,11 @@ SELECT
     client_sub_administrative_area,
     client_asn,
     subscriber_id,
+    subscriber_id_hmac,
     imei,
     imsi,
     phone_number,
+    phone_number_hmac,
     apn,
     mobile_identify,
     server_ip,
@@ -3359,7 +3387,7 @@ SELECT
     tunnel_endpoint_a_desc,
     tunnel_endpoint_b_desc
 FROM tsg_galaxy_v3.session_record_local
-WHERE empty(monitor_rule_uuid_list) = 0
+WHERE notEmpty(monitor_rule_uuid_list)
 ;
 
 
diff --git a/tsg_olap/installation/clickhouse/最新全量建表语句/tsg_olap_clickhouse_ddl_check.sql b/tsg_olap/installation/clickhouse/最新全量建表语句/tsg_olap_clickhouse_ddl_check.sql
index ecac32c..577dffc 100644
--- a/tsg_olap/installation/clickhouse/最新全量建表语句/tsg_olap_clickhouse_ddl_check.sql
+++ b/tsg_olap/installation/clickhouse/最新全量建表语句/tsg_olap_clickhouse_ddl_check.sql
@@ -1,14 +1,14 @@
 SELECT log_id, recv_time, vsys_id, assessment_date, lot_number, file_name, assessment_file, assessment_type, features, `size`, file_checksum_sha
 FROM tsg_galaxy_v3.assessment_event where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
-SELECT vsys_id, recv_time, log_id, rule_id, rule_uuid, start_time, end_time, attack_type, severity, conditions, destination_ip, destination_country, source_ip_list, source_country_list, sessions, session_rate, packets, packet_rate, bytes, bit_rate
+SELECT vsys_id, recv_time, log_id, rule_id, rule_uuid, start_time, end_time, attack_type, severity, conditions, destination_ip, destination_country, source_ip, source_country, sessions, session_rate, packets, packet_rate, bytes, bit_rate
 FROM tsg_galaxy_v3.dos_event where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
-SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, direction, vsys_id, t_vsys_id, flags, flags_identify_info, c2s_ttl, s2c_ttl, security_rule_list, security_rule_uuid_list, security_action, monitor_rule_list, monitor_rule_uuid_list, shaping_rule_list, shaping_rule_uuid_list, proxy_rule_list, proxy_rule_uuid_list, statistics_rule_list, statistics_rule_uuid_list, sc_rule_list, sc_rule_uuid_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_ip_tags, client_port, client_os_desc, client_geolocation, client_country, client_super_administrative_area, client_administrative_area, client_sub_administrative_area, client_asn, subscriber_id, imei, imsi, phone_number, apn, mobile_identify, server_ip, server_ip_tags, server_port, server_os_desc, server_geolocation, server_country, server_super_administrative_area, server_administrative_area, server_sub_administrative_area, server_asn, server_fqdn, server_fqdn_tags, server_domain, app_transition, app, app_category, app_debug_info, app_content, app_extra_info, fqdn_category_list, ip_protocol, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_ja4_fingerprint, ssl_ja4s_fingerprint, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_starttls_flag, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, sip_bye_reason, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, encapsulation, dup_traffic_flag, tunnel_id_list, tunnel_uuid_list, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc
+SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, direction, vsys_id, t_vsys_id, flags, flags_identify_info, c2s_ttl, s2c_ttl, security_rule_list, security_rule_uuid_list, security_action, monitor_rule_list, monitor_rule_uuid_list, shaping_rule_list, shaping_rule_uuid_list, proxy_rule_list, proxy_rule_uuid_list, statistics_rule_list, statistics_rule_uuid_list, sc_rule_list, sc_rule_uuid_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_ip_tags, client_port, client_os_desc, client_geolocation, client_country, client_super_administrative_area, client_administrative_area, client_sub_administrative_area, client_asn, subscriber_id, subscriber_id_hmac, imei, imsi, phone_number, phone_number_hmac, apn, mobile_identify, server_ip, server_ip_tags, server_port, server_os_desc, server_geolocation, server_country, server_super_administrative_area, server_administrative_area, server_sub_administrative_area, server_asn, server_fqdn, server_fqdn_tags, server_domain, app_transition, app, app_category, app_debug_info, app_content, app_extra_info, fqdn_category_list, ip_protocol, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_ja4_fingerprint, ssl_ja4s_fingerprint, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_starttls_flag, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, sip_bye_reason, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, encapsulation, dup_traffic_flag, tunnel_id_list, tunnel_uuid_list, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc
 FROM tsg_galaxy_v3.monitor_event where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
-SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, direction, vsys_id, t_vsys_id, flags, flags_identify_info, c2s_ttl, s2c_ttl, security_rule_list, security_rule_uuid_list, security_action, monitor_rule_list, monitor_rule_uuid_list, shaping_rule_list, shaping_rule_uuid_list, proxy_rule_list, proxy_rule_uuid_list, statistics_rule_list, statistics_rule_uuid_list, sc_rule_list, sc_rule_uuid_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_ip_tags, client_port, client_os_desc, client_geolocation, client_country, client_super_administrative_area, client_administrative_area, client_sub_administrative_area, client_asn, subscriber_id, imei, imsi, phone_number, apn, mobile_identify, server_ip, server_ip_tags, server_port, server_os_desc, server_geolocation, server_country, server_super_administrative_area, server_administrative_area, server_sub_administrative_area, server_asn, server_fqdn, server_fqdn_tags, server_domain, app_transition, app, app_category, app_debug_info, app_content, app_extra_info, fqdn_category_list, ip_protocol, decoded_path, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, doh_url, doh_host, doh_request_line, doh_response_line, doh_cookie, doh_referer, doh_user_agent, doh_content_length, doh_content_type, doh_set_cookie, doh_version, doh_message_id, doh_qr, doh_opcode, doh_aa, doh_tc, doh_rd, doh_ra, doh_rcode, doh_qdcount, doh_ancount, doh_nscount, doh_arcount, doh_qname, doh_qtype, doh_qclass, doh_cname, doh_sub, doh_rr, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, encapsulation, dup_traffic_flag, tunnel_id_list, tunnel_uuid_list, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc
+SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, direction, vsys_id, t_vsys_id, flags, flags_identify_info, c2s_ttl, s2c_ttl, security_rule_list, security_rule_uuid_list, security_action, monitor_rule_list, monitor_rule_uuid_list, shaping_rule_list, shaping_rule_uuid_list, proxy_rule_list, proxy_rule_uuid_list, statistics_rule_list, statistics_rule_uuid_list, sc_rule_list, sc_rule_uuid_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_ip_tags, client_port, client_os_desc, client_geolocation, client_country, client_super_administrative_area, client_administrative_area, client_sub_administrative_area, client_asn, subscriber_id, subscriber_id_hmac, imei, imsi, phone_number, phone_number_hmac, apn, mobile_identify, server_ip, server_ip_tags, server_port, server_os_desc, server_geolocation, server_country, server_super_administrative_area, server_administrative_area, server_sub_administrative_area, server_asn, server_fqdn, server_fqdn_tags, server_domain, app_transition, app, app_category, app_debug_info, app_content, app_extra_info, fqdn_category_list, ip_protocol, decoded_path, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, doh_url, doh_host, doh_request_line, doh_response_line, doh_cookie, doh_referer, doh_user_agent, doh_content_length, doh_content_type, doh_set_cookie, doh_version, doh_message_id, doh_qr, doh_opcode, doh_aa, doh_tc, doh_rd, doh_ra, doh_rcode, doh_qdcount, doh_ancount, doh_nscount, doh_arcount, doh_qname, doh_qtype, doh_qclass, doh_cname, doh_sub, doh_rr, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, encapsulation, dup_traffic_flag, tunnel_id_list, tunnel_uuid_list, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc
 FROM tsg_galaxy_v3.proxy_event where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
-SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, direction, vsys_id, t_vsys_id, flags, flags_identify_info, c2s_ttl, s2c_ttl, security_rule_list, security_rule_uuid_list, security_action, monitor_rule_list, monitor_rule_uuid_list, shaping_rule_list, shaping_rule_uuid_list, proxy_rule_list, proxy_rule_uuid_list, statistics_rule_list, statistics_rule_uuid_list, sc_rule_list, sc_rule_uuid_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_ip_tags, client_port, client_os_desc, client_geolocation, client_country, client_super_administrative_area, client_administrative_area, client_sub_administrative_area, client_asn, subscriber_id, imei, imsi, phone_number, apn, mobile_identify, server_ip, server_ip_tags, server_port, server_os_desc, server_geolocation, server_country, server_super_administrative_area, server_administrative_area, server_sub_administrative_area, server_asn, server_fqdn, server_fqdn_tags, server_domain, app_transition, app, app_category, app_debug_info, app_content, app_extra_info, fqdn_category_list, ip_protocol, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_ja4_fingerprint, ssl_ja4s_fingerprint, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_starttls_flag, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, sip_bye_reason, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, encapsulation, dup_traffic_flag, tunnel_id_list, tunnel_uuid_list, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc
+SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, direction, vsys_id, t_vsys_id, flags, flags_identify_info, c2s_ttl, s2c_ttl, security_rule_list, security_rule_uuid_list, security_action, monitor_rule_list, monitor_rule_uuid_list, shaping_rule_list, shaping_rule_uuid_list, proxy_rule_list, proxy_rule_uuid_list, statistics_rule_list, statistics_rule_uuid_list, sc_rule_list, sc_rule_uuid_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_ip_tags, client_port, client_os_desc, client_geolocation, client_country, client_super_administrative_area, client_administrative_area, client_sub_administrative_area, client_asn, subscriber_id, subscriber_id_hmac, imei, imsi, phone_number, phone_number_hmac, apn, mobile_identify, server_ip, server_ip_tags, server_port, server_os_desc, server_geolocation, server_country, server_super_administrative_area, server_administrative_area, server_sub_administrative_area, server_asn, server_fqdn, server_fqdn_tags, server_domain, app_transition, app, app_category, app_debug_info, app_content, app_extra_info, fqdn_category_list, ip_protocol, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_ja4_fingerprint, ssl_ja4s_fingerprint, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_starttls_flag, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, sip_bye_reason, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, encapsulation, dup_traffic_flag, tunnel_id_list, tunnel_uuid_list, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc
 FROM tsg_galaxy_v3.security_event where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
-SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, direction, vsys_id, t_vsys_id, flags, flags_identify_info, c2s_ttl, s2c_ttl, security_rule_list, security_rule_uuid_list, security_action, monitor_rule_list, monitor_rule_uuid_list, shaping_rule_list, shaping_rule_uuid_list, proxy_rule_list, proxy_rule_uuid_list, statistics_rule_list, statistics_rule_uuid_list, sc_rule_list, sc_rule_uuid_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_ip_tags, client_port, client_os_desc, client_geolocation, client_country, client_super_administrative_area, client_administrative_area, client_sub_administrative_area, client_asn, subscriber_id, imei, imsi, phone_number, apn, mobile_identify, server_ip, server_ip_tags, server_port, server_os_desc, server_geolocation, server_country, server_super_administrative_area, server_administrative_area, server_sub_administrative_area, server_asn, server_fqdn, server_fqdn_tags, server_domain, app_transition, app, app_category, app_debug_info, app_content, app_extra_info, fqdn_category_list, ip_protocol, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_ja4_fingerprint, ssl_ja4s_fingerprint, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_starttls_flag, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, sip_bye_reason, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, encapsulation, dup_traffic_flag, tunnel_id_list, tunnel_uuid_list, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc
+SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, direction, vsys_id, t_vsys_id, flags, flags_identify_info, c2s_ttl, s2c_ttl, security_rule_list, security_rule_uuid_list, security_action, monitor_rule_list, monitor_rule_uuid_list, shaping_rule_list, shaping_rule_uuid_list, proxy_rule_list, proxy_rule_uuid_list, statistics_rule_list, statistics_rule_uuid_list, sc_rule_list, sc_rule_uuid_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_ip_tags, client_port, client_os_desc, client_geolocation, client_country, client_super_administrative_area, client_administrative_area, client_sub_administrative_area, client_asn, subscriber_id, subscriber_id_hmac, imei, imsi, phone_number, phone_number_hmac, apn, mobile_identify, server_ip, server_ip_tags, server_port, server_os_desc, server_geolocation, server_country, server_super_administrative_area, server_administrative_area, server_sub_administrative_area, server_asn, server_fqdn, server_fqdn_tags, server_domain, app_transition, app, app_category, app_debug_info, app_content, app_extra_info, fqdn_category_list, ip_protocol, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_ja4_fingerprint, ssl_ja4s_fingerprint, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_starttls_flag, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, sip_bye_reason, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, encapsulation, dup_traffic_flag, tunnel_id_list, tunnel_uuid_list, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc
 FROM tsg_galaxy_v3.session_record where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
 SELECT recv_time, log_id, decoded_as, session_id, ingestion_time, processing_time, insert_time, address_type, vsys_id, client_ip, client_port, server_ip, server_port, sent_pkts, received_pkts, sent_bytes, received_bytes, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_starttls_flag, mail_eml_file, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, sip_bye_reason
 FROM tsg_galaxy_v3.transaction_record where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
@@ -19,4 +19,5 @@ FROM tsg_galaxy_v3.datapath_telemetry_record where recv_time >= toUnixTimestamp(
 SELECT log_id, recv_time, vsys_id, device_id, device_group, data_center, direction, ip_protocol, client_ip, server_ip, internal_ip, external_ip, client_country, server_country, client_asn, server_asn, server_fqdn, server_domain, app, app_category, c2s_ttl, s2c_ttl, c2s_link_id, s2c_link_id, sessions, bytes, sent_bytes, received_bytes, pkts, sent_pkts, received_pkts, asymmetric_c2s_flows, asymmetric_s2c_flows, c2s_fragments, s2c_fragments, c2s_tcp_lost_bytes, s2c_tcp_lost_bytes, c2s_tcp_retransmitted_pkts, s2c_tcp_retransmitted_pkts
 FROM tsg_galaxy_v3.traffic_sketch_metric where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
 
+
     
\ No newline at end of file
diff --git a/tsg_olap/upgrade/TSG-24.11/clickhouse/tsg_olap_clickhouse_ddl_24.11.sql b/tsg_olap/upgrade/TSG-24.11/clickhouse/tsg_olap_clickhouse_ddl_24.11.sql
new file mode 100644
index 0000000..10b5573
--- /dev/null
+++ b/tsg_olap/upgrade/TSG-24.11/clickhouse/tsg_olap_clickhouse_ddl_24.11.sql
@@ -0,0 +1,3535 @@
+create database IF NOT EXISTS tsg_galaxy_v3 ON CLUSTER ck_cluster;
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.dos_event_local on cluster ck_cluster (
+    vsys_id Int32,
+    recv_time Int64,
+    log_id UInt64,
+    rule_id Int64,
+    rule_uuid String,
+    start_time Int64,
+    end_time Int64,
+    attack_type String,
+    severity String,
+    conditions String,
+    source_ip String,
+    source_country String,
+    destination_ip String,
+    destination_country String,
+    source_ip_list String,
+    source_country_list String,
+    sessions Int64,
+    session_rate Float64,
+    packets Int64,
+    packet_rate Float64,
+    bytes Int64,
+    bit_rate Float64
+)
+ENGINE = MergeTree
+PARTITION BY toYYYYMMDD(toDate(recv_time))
+ORDER BY (vsys_id,destination_ip,recv_time,log_id);
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.dos_event on cluster ck_cluster (
+    vsys_id Int32,
+    recv_time Int64,
+    log_id UInt64,
+    rule_id Int64,
+    rule_uuid String,
+    start_time Int64,
+    end_time Int64,
+    attack_type String,
+    severity String,
+    conditions String,
+    source_ip String,
+    source_country String,
+    destination_ip String,
+    destination_country String,
+    source_ip_list String,
+    source_country_list String,
+    sessions Int64,
+    session_rate Float64,
+    packets Int64,
+    packet_rate Float64,
+    bytes Int64,
+    bit_rate Float64
+)
+ENGINE =Distributed(ck_cluster,tsg_galaxy_v3,dos_event_local,rand());
+
+
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.assessment_event_local on cluster ck_cluster (
+        log_id UInt64,
+        recv_time Int64,
+        vsys_id Int64,
+        assessment_date Int64,
+        lot_number String,
+        file_name String,
+        assessment_file        String,
+        assessment_type        String,
+        features String,
+        size Int64,
+        file_checksum_sha String
+)
+ENGINE = MergeTree
+PARTITION BY toYYYYMMDD(toDate(recv_time))
+ORDER BY (vsys_id,recv_time,log_id);
+
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.assessment_event on cluster ck_cluster (
+        log_id UInt64,
+        recv_time Int64,
+        vsys_id Int64,
+        assessment_date Int64,
+        lot_number String,
+        file_name String,
+        assessment_file        String,
+        assessment_type        String,
+        features String,
+        size Int64,
+        file_checksum_sha String
+)
+ENGINE =Distributed(ck_cluster,tsg_galaxy_v3,assessment_event_local,rand());
+
+
+
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.session_record_local on cluster ck_cluster (
+recv_time Int64,
+log_id UInt64,
+decoded_as String,
+session_id UInt64,
+start_timestamp_ms DateTime64(3),
+end_timestamp_ms DateTime64(3),
+duration_ms Int32,
+tcp_handshake_latency_ms Nullable(Int32),
+ingestion_time Int64,
+processing_time Int64,
+insert_time Int64 MATERIALIZED toUnixTimestamp(now()),
+device_id String,
+out_link_id Nullable(Int32),
+in_link_id Nullable(Int32),
+device_tag String,
+data_center String,
+device_group String,
+sled_ip String,
+address_type Int32,
+direction String,
+vsys_id Int32,
+t_vsys_id Int32,
+flags Int64,
+flags_identify_info String,
+c2s_ttl Nullable(Int32),
+s2c_ttl Nullable(Int32),
+security_rule_list Array(Int64),
+security_rule_uuid_list Array(String),
+security_action String,
+monitor_rule_list Array(Int64),
+monitor_rule_uuid_list Array(String),
+shaping_rule_list Array(Int64),
+shaping_rule_uuid_list Array(String),
+proxy_rule_list Array(Int64),
+proxy_rule_uuid_list Array(String),
+statistics_rule_list Array(Int64),
+statistics_rule_uuid_list Array(String),
+sc_rule_list Array(Int64),
+sc_rule_uuid_list Array(String),
+sc_rsp_raw Array(Int64),
+sc_rsp_decrypted Array(Int64),
+proxy_action String,
+proxy_pinning_status Nullable(Int32),
+proxy_intercept_status Nullable(Int32),
+proxy_passthrough_reason String,
+proxy_client_side_latency_ms Nullable(Int32),
+proxy_server_side_latency_ms Nullable(Int32),
+proxy_client_side_version String,
+proxy_server_side_version String,
+proxy_cert_verify Nullable(Int32),
+proxy_intercept_error String,
+monitor_mirrored_pkts Nullable(Int32),
+monitor_mirrored_bytes Nullable(Int32),
+client_ip String,
+client_ip_tags Array(String),
+client_port Int32,
+client_os_desc String,
+client_geolocation LowCardinality(String),
+client_country String,
+client_super_administrative_area String,
+client_administrative_area String,
+client_sub_administrative_area String,
+client_asn Nullable(Int64),
+subscriber_id String,
+subscriber_id_hmac String,
+imei String,
+imsi String,
+phone_number String,
+phone_number_hmac String,
+apn String,
+mobile_identify String,
+server_ip String,
+server_ip_tags Array(String),
+server_port Int32,
+server_os_desc String,
+server_geolocation LowCardinality(String),
+server_country String,
+server_super_administrative_area String,
+server_administrative_area String,
+server_sub_administrative_area String,
+server_asn Nullable(Int64),
+server_fqdn String,
+server_fqdn_tags Array(String),
+server_domain String,
+app_transition String, 
+app LowCardinality(String),
+app_category String,
+app_debug_info String,
+app_content String,
+app_extra_info String,
+fqdn_category_list Array(Int64),
+ip_protocol LowCardinality(String),
+decoded_path LowCardinality(String),
+dns_message_id Nullable(Int32),
+dns_qr Nullable(Int32),
+dns_opcode Nullable(Int32),
+dns_aa Nullable(Int32),
+dns_tc Nullable(Int32),
+dns_rd Nullable(Int32),
+dns_ra Nullable(Int32),
+dns_rcode Nullable(Int32),
+dns_qdcount Nullable(Int32),
+dns_ancount Nullable(Int32),
+dns_nscount Nullable(Int32),
+dns_arcount Nullable(Int32),
+dns_qname String,
+dns_qtype Nullable(Int32),
+dns_qclass Nullable(Int32),
+dns_cname String,
+dns_sub Nullable(Int32),
+dns_rr String,
+dns_response_latency_ms Nullable(Int32),
+http_url String,
+http_host String,
+http_request_line String,
+http_response_line String,
+http_request_body String,
+http_response_body String,
+http_proxy_flag Nullable(Int32),
+http_sequence Nullable(Int32),
+http_cookie String,
+http_referer String,
+http_user_agent String,
+http_request_content_length Nullable(Int64),
+http_request_content_type String,
+http_response_content_length Nullable(Int64),
+http_response_content_type String,
+http_set_cookie String,
+http_version String,
+http_status_code Nullable(Int32),
+http_response_latency_ms Nullable(Int32),
+http_session_duration_ms Nullable(Int32),
+http_action_file_size Nullable(Int64),
+ssl_version String,
+ssl_sni String,
+ssl_san String,
+ssl_cn String,
+ssl_handshake_latency_ms Nullable(Int32),
+ssl_ja3_hash String,
+ssl_ja3s_hash String,
+ssl_ja4_fingerprint String,
+ssl_ja4s_fingerprint String,
+ssl_cert_issuer String,
+ssl_cert_subject String,
+ssl_esni_flag Nullable(Int32),
+ssl_ech_flag Nullable(Int32),
+dtls_cookie String,
+dtls_version  String,
+dtls_sni String,
+dtls_san String,
+dtls_cn String,
+dtls_handshake_latency_ms Nullable(Int32),
+dtls_ja3_fingerprint String,
+dtls_ja3_hash String,
+dtls_cert_issuer String,
+dtls_cert_subject String,
+mail_protocol_type String,
+mail_account String,
+mail_from_cmd String,
+mail_to_cmd String,
+mail_from String,
+mail_password String,
+mail_to String,
+mail_cc String,
+mail_bcc String,
+mail_subject String,
+mail_subject_charset String,
+mail_attachment_name String,
+mail_attachment_name_charset String,
+mail_starttls_flag Nullable(Int32),
+mail_eml_file String,
+ftp_account String,
+ftp_url String,
+ftp_link_type String,
+quic_version String,
+quic_sni String,
+quic_user_agent String,
+rdp_cookie String,
+rdp_security_protocol String,
+rdp_client_channels String,
+rdp_keyboard_layout String,
+rdp_client_version String,
+rdp_client_name String,
+rdp_client_product_id String,
+rdp_desktop_width String,
+rdp_desktop_height String,
+rdp_requested_color_depth String,
+rdp_certificate_type String,
+rdp_certificate_count Nullable(Int32),
+rdp_certificate_permanent Nullable(Int32),
+rdp_encryption_level String,
+rdp_encryption_method String,
+ssh_version String,
+ssh_auth_success String,
+ssh_client_version String,
+ssh_server_version String,
+ssh_cipher_alg String,
+ssh_mac_alg String,
+ssh_compression_alg String,
+ssh_kex_alg String,
+ssh_host_key_alg String,
+ssh_host_key String,
+ssh_hassh String,
+sip_call_id String,
+sip_originator_description String,
+sip_responder_description String,
+sip_user_agent String,
+sip_server String,
+sip_originator_sdp_connect_ip String,
+sip_originator_sdp_media_port Nullable(Int32),
+sip_originator_sdp_media_type String,
+sip_originator_sdp_content String,
+sip_responder_sdp_connect_ip String,
+sip_responder_sdp_media_port Nullable(Int32),
+sip_responder_sdp_media_type String,
+sip_responder_sdp_content String,
+sip_duration_s Nullable(Int32),
+sip_bye String,
+sip_bye_reason String,
+rtp_payload_type_c2s Nullable(Int32),
+rtp_payload_type_s2c Nullable(Int32),
+rtp_pcap_path String,
+rtp_originator_dir Nullable(Int32),
+stratum_cryptocurrency String,
+stratum_mining_pools String,
+stratum_mining_program String,
+stratum_mining_subscribe String,
+sent_pkts Int64,
+received_pkts Int64,
+sent_bytes Int64,
+received_bytes Int64,
+tcp_c2s_ip_fragments Nullable(Int64),
+tcp_s2c_ip_fragments Nullable(Int64),
+tcp_c2s_lost_bytes Nullable(Int64),
+tcp_s2c_lost_bytes Nullable(Int64),
+tcp_c2s_o3_pkts Nullable(Int64),
+tcp_s2c_o3_pkts Nullable(Int64),
+tcp_c2s_rtx_pkts Nullable(Int64),
+tcp_s2c_rtx_pkts Nullable(Int64),
+tcp_c2s_rtx_bytes Nullable(Int64),
+tcp_s2c_rtx_bytes Nullable(Int64),
+tcp_rtt_ms Nullable(Int32),
+tcp_client_isn Nullable(Int64),
+tcp_server_isn Nullable(Int64),
+packet_capture_file String,
+in_src_mac String,
+out_src_mac String,
+in_dest_mac String,
+out_dest_mac String,
+encapsulation String,
+dup_traffic_flag Nullable(Int32),
+tunnel_id_list Array(Int64),
+tunnel_uuid_list Array(String),
+tunnel_endpoint_a_desc String,
+tunnel_endpoint_b_desc String
+)
+ENGINE = MergeTree
+PARTITION BY toYYYYMMDD(toDate(recv_time))
+ORDER BY (vsys_id, security_action,proxy_action,decoded_as,data_center, device_group,recv_time);
+
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.session_record on cluster ck_cluster (
+recv_time Int64,
+log_id UInt64,
+decoded_as String,
+session_id UInt64,
+start_timestamp_ms DateTime64(3),
+end_timestamp_ms DateTime64(3),
+duration_ms Int32,
+tcp_handshake_latency_ms Nullable(Int32),
+ingestion_time Int64,
+processing_time Int64,
+insert_time Int64,
+device_id String,
+out_link_id Nullable(Int32),
+in_link_id Nullable(Int32),
+device_tag String,
+data_center String,
+device_group String,
+sled_ip String,
+address_type Int32,
+direction String,
+vsys_id Int32,
+t_vsys_id Int32,
+flags Int64,
+flags_identify_info String,
+c2s_ttl Nullable(Int32),
+s2c_ttl Nullable(Int32),
+security_rule_list Array(Int64),
+security_rule_uuid_list Array(String),
+security_action String,
+monitor_rule_list Array(Int64),
+monitor_rule_uuid_list Array(String),
+shaping_rule_list Array(Int64),
+shaping_rule_uuid_list Array(String),
+proxy_rule_list Array(Int64),
+proxy_rule_uuid_list Array(String),
+statistics_rule_list Array(Int64),
+statistics_rule_uuid_list Array(String),
+sc_rule_list Array(Int64),
+sc_rule_uuid_list Array(String),
+sc_rsp_raw Array(Int64),
+sc_rsp_decrypted Array(Int64),
+proxy_action String,
+proxy_pinning_status Nullable(Int32),
+proxy_intercept_status Nullable(Int32),
+proxy_passthrough_reason String,
+proxy_client_side_latency_ms Nullable(Int32),
+proxy_server_side_latency_ms Nullable(Int32),
+proxy_client_side_version String,
+proxy_server_side_version String,
+proxy_cert_verify Nullable(Int32),
+proxy_intercept_error String,
+monitor_mirrored_pkts Nullable(Int32),
+monitor_mirrored_bytes Nullable(Int32),
+client_ip String,
+client_ip_tags Array(String),
+client_port Int32,
+client_os_desc String,
+client_geolocation LowCardinality(String),
+client_country String,
+client_super_administrative_area String,
+client_administrative_area String,
+client_sub_administrative_area String,
+client_asn Nullable(Int64),
+subscriber_id String,
+subscriber_id_hmac String,
+imei String,
+imsi String,
+phone_number String,
+phone_number_hmac String,
+apn String,
+mobile_identify String,
+server_ip String,
+server_ip_tags Array(String),
+server_port Int32,
+server_os_desc String,
+server_geolocation LowCardinality(String),
+server_country String,
+server_super_administrative_area String,
+server_administrative_area String,
+server_sub_administrative_area String,
+server_asn Nullable(Int64),
+server_fqdn String,
+server_fqdn_tags Array(String),
+server_domain String,
+app_transition String, 
+app LowCardinality(String),
+app_category String,
+app_debug_info String,
+app_content String,
+app_extra_info String,
+fqdn_category_list Array(Int64),
+ip_protocol LowCardinality(String),
+decoded_path LowCardinality(String),
+dns_message_id Nullable(Int32),
+dns_qr Nullable(Int32),
+dns_opcode Nullable(Int32),
+dns_aa Nullable(Int32),
+dns_tc Nullable(Int32),
+dns_rd Nullable(Int32),
+dns_ra Nullable(Int32),
+dns_rcode Nullable(Int32),
+dns_qdcount Nullable(Int32),
+dns_ancount Nullable(Int32),
+dns_nscount Nullable(Int32),
+dns_arcount Nullable(Int32),
+dns_qname String,
+dns_qtype Nullable(Int32),
+dns_qclass Nullable(Int32),
+dns_cname String,
+dns_sub Nullable(Int32),
+dns_rr String,
+dns_response_latency_ms Nullable(Int32),
+http_url String,
+http_host String,
+http_request_line String,
+http_response_line String,
+http_request_body String,
+http_response_body String,
+http_proxy_flag Nullable(Int32),
+http_sequence Nullable(Int32),
+http_cookie String,
+http_referer String,
+http_user_agent String,
+http_request_content_length Nullable(Int64),
+http_request_content_type String,
+http_response_content_length Nullable(Int64),
+http_response_content_type String,
+http_set_cookie String,
+http_version String,
+http_status_code Nullable(Int32),
+http_response_latency_ms Nullable(Int32),
+http_session_duration_ms Nullable(Int32),
+http_action_file_size Nullable(Int64),
+ssl_version String,
+ssl_sni String,
+ssl_san String,
+ssl_cn String,
+ssl_handshake_latency_ms Nullable(Int32),
+ssl_ja3_hash String,
+ssl_ja3s_hash String,
+ssl_ja4_fingerprint String,
+ssl_ja4s_fingerprint String,
+ssl_cert_issuer String,
+ssl_cert_subject String,
+ssl_esni_flag Nullable(Int32),
+ssl_ech_flag Nullable(Int32),
+dtls_cookie String,
+dtls_version  String,
+dtls_sni String,
+dtls_san String,
+dtls_cn String,
+dtls_handshake_latency_ms Nullable(Int32),
+dtls_ja3_fingerprint String,
+dtls_ja3_hash String,
+dtls_cert_issuer String,
+dtls_cert_subject String,
+mail_protocol_type String,
+mail_account String,
+mail_from_cmd String,
+mail_to_cmd String,
+mail_from String,
+mail_password String,
+mail_to String,
+mail_cc String,
+mail_bcc String,
+mail_subject String,
+mail_subject_charset String,
+mail_attachment_name String,
+mail_attachment_name_charset String,
+mail_starttls_flag Nullable(Int32),
+mail_eml_file String,
+ftp_account String,
+ftp_url String,
+ftp_link_type String,
+quic_version String,
+quic_sni String,
+quic_user_agent String,
+rdp_cookie String,
+rdp_security_protocol String,
+rdp_client_channels String,
+rdp_keyboard_layout String,
+rdp_client_version String,
+rdp_client_name String,
+rdp_client_product_id String,
+rdp_desktop_width String,
+rdp_desktop_height String,
+rdp_requested_color_depth String,
+rdp_certificate_type String,
+rdp_certificate_count Nullable(Int32),
+rdp_certificate_permanent Nullable(Int32),
+rdp_encryption_level String,
+rdp_encryption_method String,
+ssh_version String,
+ssh_auth_success String,
+ssh_client_version String,
+ssh_server_version String,
+ssh_cipher_alg String,
+ssh_mac_alg String,
+ssh_compression_alg String,
+ssh_kex_alg String,
+ssh_host_key_alg String,
+ssh_host_key String,
+ssh_hassh String,
+sip_call_id String,
+sip_originator_description String,
+sip_responder_description String,
+sip_user_agent String,
+sip_server String,
+sip_originator_sdp_connect_ip String,
+sip_originator_sdp_media_port Nullable(Int32),
+sip_originator_sdp_media_type String,
+sip_originator_sdp_content String,
+sip_responder_sdp_connect_ip String,
+sip_responder_sdp_media_port Nullable(Int32),
+sip_responder_sdp_media_type String,
+sip_responder_sdp_content String,
+sip_duration_s Nullable(Int32),
+sip_bye String,
+sip_bye_reason String,
+rtp_payload_type_c2s Nullable(Int32),
+rtp_payload_type_s2c Nullable(Int32),
+rtp_pcap_path String,
+rtp_originator_dir Nullable(Int32),
+stratum_cryptocurrency String,
+stratum_mining_pools String,
+stratum_mining_program String,
+stratum_mining_subscribe String,
+sent_pkts Int64,
+received_pkts Int64,
+sent_bytes Int64,
+received_bytes Int64,
+tcp_c2s_ip_fragments Nullable(Int64),
+tcp_s2c_ip_fragments Nullable(Int64),
+tcp_c2s_lost_bytes Nullable(Int64),
+tcp_s2c_lost_bytes Nullable(Int64),
+tcp_c2s_o3_pkts Nullable(Int64),
+tcp_s2c_o3_pkts Nullable(Int64),
+tcp_c2s_rtx_pkts Nullable(Int64),
+tcp_s2c_rtx_pkts Nullable(Int64),
+tcp_c2s_rtx_bytes Nullable(Int64),
+tcp_s2c_rtx_bytes Nullable(Int64),
+tcp_rtt_ms Nullable(Int32),
+tcp_client_isn Nullable(Int64),
+tcp_server_isn Nullable(Int64),
+packet_capture_file String,
+in_src_mac String,
+out_src_mac String,
+in_dest_mac String,
+out_dest_mac String,
+encapsulation String,
+dup_traffic_flag Nullable(Int32),
+tunnel_id_list Array(Int64),
+tunnel_uuid_list Array(String),
+tunnel_endpoint_a_desc String,
+tunnel_endpoint_b_desc String
+)
+ENGINE =Distributed(ck_cluster,tsg_galaxy_v3,session_record_local,rand());
+
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.security_event_local on cluster ck_cluster (
+recv_time Int64,
+log_id UInt64,
+decoded_as String,
+session_id UInt64,
+start_timestamp_ms DateTime64(3),
+end_timestamp_ms DateTime64(3),
+duration_ms Int32,
+tcp_handshake_latency_ms Nullable(Int32),
+ingestion_time Int64,
+processing_time Int64,
+insert_time Int64 MATERIALIZED toUnixTimestamp(now()),
+device_id String,
+out_link_id Nullable(Int32),
+in_link_id Nullable(Int32),
+device_tag String,
+data_center String,
+device_group String,
+sled_ip String,
+address_type Int32,
+direction String,
+vsys_id Int32,
+t_vsys_id Int32,
+flags Int64,
+flags_identify_info String,
+c2s_ttl Nullable(Int32),
+s2c_ttl Nullable(Int32),
+security_rule_list Array(Int64),
+security_rule_uuid_list Array(String),
+security_action String,
+monitor_rule_list Array(Int64),
+monitor_rule_uuid_list Array(String),
+shaping_rule_list Array(Int64),
+shaping_rule_uuid_list Array(String),
+proxy_rule_list Array(Int64),
+proxy_rule_uuid_list Array(String),
+statistics_rule_list Array(Int64),
+statistics_rule_uuid_list Array(String),
+sc_rule_list Array(Int64),
+sc_rule_uuid_list Array(String),
+sc_rsp_raw Array(Int64),
+sc_rsp_decrypted Array(Int64),
+proxy_action String,
+proxy_pinning_status Nullable(Int32),
+proxy_intercept_status Nullable(Int32),
+proxy_passthrough_reason String,
+proxy_client_side_latency_ms Nullable(Int32),
+proxy_server_side_latency_ms Nullable(Int32),
+proxy_client_side_version String,
+proxy_server_side_version String,
+proxy_cert_verify Nullable(Int32),
+proxy_intercept_error String,
+monitor_mirrored_pkts Nullable(Int32),
+monitor_mirrored_bytes Nullable(Int32),
+client_ip String,
+client_ip_tags Array(String),
+client_port Int32,
+client_os_desc String,
+client_geolocation LowCardinality(String),
+client_country String,
+client_super_administrative_area String,
+client_administrative_area String,
+client_sub_administrative_area String,
+client_asn Nullable(Int64),
+subscriber_id String,
+subscriber_id_hmac String,
+imei String,
+imsi String,
+phone_number String,
+phone_number_hmac String,
+apn String,
+mobile_identify String,
+server_ip String,
+server_ip_tags Array(String),
+server_port Int32,
+server_os_desc String,
+server_geolocation LowCardinality(String),
+server_country String,
+server_super_administrative_area String,
+server_administrative_area String,
+server_sub_administrative_area String,
+server_asn Nullable(Int64),
+server_fqdn String,
+server_fqdn_tags Array(String),
+server_domain String,
+app_transition String, 
+app LowCardinality(String),
+app_category String,
+app_debug_info String,
+app_content String,
+app_extra_info String,
+fqdn_category_list Array(Int64),
+ip_protocol LowCardinality(String),
+decoded_path LowCardinality(String),
+dns_message_id Nullable(Int32),
+dns_qr Nullable(Int32),
+dns_opcode Nullable(Int32),
+dns_aa Nullable(Int32),
+dns_tc Nullable(Int32),
+dns_rd Nullable(Int32),
+dns_ra Nullable(Int32),
+dns_rcode Nullable(Int32),
+dns_qdcount Nullable(Int32),
+dns_ancount Nullable(Int32),
+dns_nscount Nullable(Int32),
+dns_arcount Nullable(Int32),
+dns_qname String,
+dns_qtype Nullable(Int32),
+dns_qclass Nullable(Int32),
+dns_cname String,
+dns_sub Nullable(Int32),
+dns_rr String,
+dns_response_latency_ms Nullable(Int32),
+http_url String,
+http_host String,
+http_request_line String,
+http_response_line String,
+http_request_body String,
+http_response_body String,
+http_proxy_flag Nullable(Int32),
+http_sequence Nullable(Int32),
+http_cookie String,
+http_referer String,
+http_user_agent String,
+http_request_content_length Nullable(Int64),
+http_request_content_type String,
+http_response_content_length Nullable(Int64),
+http_response_content_type String,
+http_set_cookie String,
+http_version String,
+http_status_code Nullable(Int32),
+http_response_latency_ms Nullable(Int32),
+http_session_duration_ms Nullable(Int32),
+http_action_file_size Nullable(Int64),
+ssl_version String,
+ssl_sni String,
+ssl_san String,
+ssl_cn String,
+ssl_handshake_latency_ms Nullable(Int32),
+ssl_ja3_hash String,
+ssl_ja3s_hash String,
+ssl_ja4_fingerprint String,
+ssl_ja4s_fingerprint String,
+ssl_cert_issuer String,
+ssl_cert_subject String,
+ssl_esni_flag Nullable(Int32),
+ssl_ech_flag Nullable(Int32),
+dtls_cookie String,
+dtls_version  String,
+dtls_sni String,
+dtls_san String,
+dtls_cn String,
+dtls_handshake_latency_ms Nullable(Int32),
+dtls_ja3_fingerprint String,
+dtls_ja3_hash String,
+dtls_cert_issuer String,
+dtls_cert_subject String,
+mail_protocol_type String,
+mail_account String,
+mail_from_cmd String,
+mail_to_cmd String,
+mail_from String,
+mail_password String,
+mail_to String,
+mail_cc String,
+mail_bcc String,
+mail_subject String,
+mail_subject_charset String,
+mail_attachment_name String,
+mail_attachment_name_charset String,
+mail_starttls_flag Nullable(Int32),
+mail_eml_file String,
+ftp_account String,
+ftp_url String,
+ftp_link_type String,
+quic_version String,
+quic_sni String,
+quic_user_agent String,
+rdp_cookie String,
+rdp_security_protocol String,
+rdp_client_channels String,
+rdp_keyboard_layout String,
+rdp_client_version String,
+rdp_client_name String,
+rdp_client_product_id String,
+rdp_desktop_width String,
+rdp_desktop_height String,
+rdp_requested_color_depth String,
+rdp_certificate_type String,
+rdp_certificate_count Nullable(Int32),
+rdp_certificate_permanent Nullable(Int32),
+rdp_encryption_level String,
+rdp_encryption_method String,
+ssh_version String,
+ssh_auth_success String,
+ssh_client_version String,
+ssh_server_version String,
+ssh_cipher_alg String,
+ssh_mac_alg String,
+ssh_compression_alg String,
+ssh_kex_alg String,
+ssh_host_key_alg String,
+ssh_host_key String,
+ssh_hassh String,
+sip_call_id String,
+sip_originator_description String,
+sip_responder_description String,
+sip_user_agent String,
+sip_server String,
+sip_originator_sdp_connect_ip String,
+sip_originator_sdp_media_port Nullable(Int32),
+sip_originator_sdp_media_type String,
+sip_originator_sdp_content String,
+sip_responder_sdp_connect_ip String,
+sip_responder_sdp_media_port Nullable(Int32),
+sip_responder_sdp_media_type String,
+sip_responder_sdp_content String,
+sip_duration_s Nullable(Int32),
+sip_bye String,
+sip_bye_reason String,
+rtp_payload_type_c2s Nullable(Int32),
+rtp_payload_type_s2c Nullable(Int32),
+rtp_pcap_path String,
+rtp_originator_dir Nullable(Int32),
+stratum_cryptocurrency String,
+stratum_mining_pools String,
+stratum_mining_program String,
+stratum_mining_subscribe String,
+sent_pkts Int64,
+received_pkts Int64,
+sent_bytes Int64,
+received_bytes Int64,
+tcp_c2s_ip_fragments Nullable(Int64),
+tcp_s2c_ip_fragments Nullable(Int64),
+tcp_c2s_lost_bytes Nullable(Int64),
+tcp_s2c_lost_bytes Nullable(Int64),
+tcp_c2s_o3_pkts Nullable(Int64),
+tcp_s2c_o3_pkts Nullable(Int64),
+tcp_c2s_rtx_pkts Nullable(Int64),
+tcp_s2c_rtx_pkts Nullable(Int64),
+tcp_c2s_rtx_bytes Nullable(Int64),
+tcp_s2c_rtx_bytes Nullable(Int64),
+tcp_rtt_ms Nullable(Int32),
+tcp_client_isn Nullable(Int64),
+tcp_server_isn Nullable(Int64),
+packet_capture_file String,
+in_src_mac String,
+out_src_mac String,
+in_dest_mac String,
+out_dest_mac String,
+encapsulation String,
+dup_traffic_flag Nullable(Int32),
+tunnel_id_list Array(Int64),
+tunnel_uuid_list Array(String),
+tunnel_endpoint_a_desc String,
+tunnel_endpoint_b_desc String
+)
+ENGINE = MergeTree
+PARTITION BY toYYYYMMDD(toDate(recv_time))
+ORDER BY (vsys_id, security_action,proxy_action,decoded_as,data_center, device_group,recv_time);
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.security_event on cluster ck_cluster (
+recv_time Int64,
+log_id UInt64,
+decoded_as String,
+session_id UInt64,
+start_timestamp_ms DateTime64(3),
+end_timestamp_ms DateTime64(3),
+duration_ms Int32,
+tcp_handshake_latency_ms Nullable(Int32),
+ingestion_time Int64,
+processing_time Int64,
+insert_time Int64 ,
+device_id String,
+out_link_id Nullable(Int32),
+in_link_id Nullable(Int32),
+device_tag String,
+data_center String,
+device_group String,
+sled_ip String,
+address_type Int32,
+direction String,
+vsys_id Int32,
+t_vsys_id Int32,
+flags Int64,
+flags_identify_info String,
+c2s_ttl Nullable(Int32),
+s2c_ttl Nullable(Int32),
+security_rule_list Array(Int64),
+security_rule_uuid_list Array(String),
+security_action String,
+monitor_rule_list Array(Int64),
+monitor_rule_uuid_list Array(String),
+shaping_rule_list Array(Int64),
+shaping_rule_uuid_list Array(String),
+proxy_rule_list Array(Int64),
+proxy_rule_uuid_list Array(String),
+statistics_rule_list Array(Int64),
+statistics_rule_uuid_list Array(String),
+sc_rule_list Array(Int64),
+sc_rule_uuid_list Array(String),
+sc_rsp_raw Array(Int64),
+sc_rsp_decrypted Array(Int64),
+proxy_action String,
+proxy_pinning_status Nullable(Int32),
+proxy_intercept_status Nullable(Int32),
+proxy_passthrough_reason String,
+proxy_client_side_latency_ms Nullable(Int32),
+proxy_server_side_latency_ms Nullable(Int32),
+proxy_client_side_version String,
+proxy_server_side_version String,
+proxy_cert_verify Nullable(Int32),
+proxy_intercept_error String,
+monitor_mirrored_pkts Nullable(Int32),
+monitor_mirrored_bytes Nullable(Int32),
+client_ip String,
+client_ip_tags Array(String),
+client_port Int32,
+client_os_desc String,
+client_geolocation LowCardinality(String),
+client_country String,
+client_super_administrative_area String,
+client_administrative_area String,
+client_sub_administrative_area String,
+client_asn Nullable(Int64),
+subscriber_id String,
+subscriber_id_hmac String,
+imei String,
+imsi String,
+phone_number String,
+phone_number_hmac String,
+apn String,
+mobile_identify String,
+server_ip String,
+server_ip_tags Array(String),
+server_port Int32,
+server_os_desc String,
+server_geolocation LowCardinality(String),
+server_country String,
+server_super_administrative_area String,
+server_administrative_area String,
+server_sub_administrative_area String,
+server_asn Nullable(Int64),
+server_fqdn String,
+server_fqdn_tags Array(String),
+server_domain String,
+app_transition String, 
+app LowCardinality(String),
+app_category String,
+app_debug_info String,
+app_content String,
+app_extra_info String,
+fqdn_category_list Array(Int64),
+ip_protocol LowCardinality(String),
+decoded_path LowCardinality(String),
+dns_message_id Nullable(Int32),
+dns_qr Nullable(Int32),
+dns_opcode Nullable(Int32),
+dns_aa Nullable(Int32),
+dns_tc Nullable(Int32),
+dns_rd Nullable(Int32),
+dns_ra Nullable(Int32),
+dns_rcode Nullable(Int32),
+dns_qdcount Nullable(Int32),
+dns_ancount Nullable(Int32),
+dns_nscount Nullable(Int32),
+dns_arcount Nullable(Int32),
+dns_qname String,
+dns_qtype Nullable(Int32),
+dns_qclass Nullable(Int32),
+dns_cname String,
+dns_sub Nullable(Int32),
+dns_rr String,
+dns_response_latency_ms Nullable(Int32),
+http_url String,
+http_host String,
+http_request_line String,
+http_response_line String,
+http_request_body String,
+http_response_body String,
+http_proxy_flag Nullable(Int32),
+http_sequence Nullable(Int32),
+http_cookie String,
+http_referer String,
+http_user_agent String,
+http_request_content_length Nullable(Int64),
+http_request_content_type String,
+http_response_content_length Nullable(Int64),
+http_response_content_type String,
+http_set_cookie String,
+http_version String,
+http_status_code Nullable(Int32),
+http_response_latency_ms Nullable(Int32),
+http_session_duration_ms Nullable(Int32),
+http_action_file_size Nullable(Int64),
+ssl_version String,
+ssl_sni String,
+ssl_san String,
+ssl_cn String,
+ssl_handshake_latency_ms Nullable(Int32),
+ssl_ja3_hash String,
+ssl_ja3s_hash String,
+ssl_ja4_fingerprint String,
+ssl_ja4s_fingerprint String,
+ssl_cert_issuer String,
+ssl_cert_subject String,
+ssl_esni_flag Nullable(Int32),
+ssl_ech_flag Nullable(Int32),
+dtls_cookie String,
+dtls_version  String,
+dtls_sni String,
+dtls_san String,
+dtls_cn String,
+dtls_handshake_latency_ms Nullable(Int32),
+dtls_ja3_fingerprint String,
+dtls_ja3_hash String,
+dtls_cert_issuer String,
+dtls_cert_subject String,
+mail_protocol_type String,
+mail_account String,
+mail_from_cmd String,
+mail_to_cmd String,
+mail_from String,
+mail_password String,
+mail_to String,
+mail_cc String,
+mail_bcc String,
+mail_subject String,
+mail_subject_charset String,
+mail_attachment_name String,
+mail_attachment_name_charset String,
+mail_starttls_flag Nullable(Int32),
+mail_eml_file String,
+ftp_account String,
+ftp_url String,
+ftp_link_type String,
+quic_version String,
+quic_sni String,
+quic_user_agent String,
+rdp_cookie String,
+rdp_security_protocol String,
+rdp_client_channels String,
+rdp_keyboard_layout String,
+rdp_client_version String,
+rdp_client_name String,
+rdp_client_product_id String,
+rdp_desktop_width String,
+rdp_desktop_height String,
+rdp_requested_color_depth String,
+rdp_certificate_type String,
+rdp_certificate_count Nullable(Int32),
+rdp_certificate_permanent Nullable(Int32),
+rdp_encryption_level String,
+rdp_encryption_method String,
+ssh_version String,
+ssh_auth_success String,
+ssh_client_version String,
+ssh_server_version String,
+ssh_cipher_alg String,
+ssh_mac_alg String,
+ssh_compression_alg String,
+ssh_kex_alg String,
+ssh_host_key_alg String,
+ssh_host_key String,
+ssh_hassh String,
+sip_call_id String,
+sip_originator_description String,
+sip_responder_description String,
+sip_user_agent String,
+sip_server String,
+sip_originator_sdp_connect_ip String,
+sip_originator_sdp_media_port Nullable(Int32),
+sip_originator_sdp_media_type String,
+sip_originator_sdp_content String,
+sip_responder_sdp_connect_ip String,
+sip_responder_sdp_media_port Nullable(Int32),
+sip_responder_sdp_media_type String,
+sip_responder_sdp_content String,
+sip_duration_s Nullable(Int32),
+sip_bye String,
+sip_bye_reason String,
+rtp_payload_type_c2s Nullable(Int32),
+rtp_payload_type_s2c Nullable(Int32),
+rtp_pcap_path String,
+rtp_originator_dir Nullable(Int32),
+stratum_cryptocurrency String,
+stratum_mining_pools String,
+stratum_mining_program String,
+stratum_mining_subscribe String,
+sent_pkts Int64,
+received_pkts Int64,
+sent_bytes Int64,
+received_bytes Int64,
+tcp_c2s_ip_fragments Nullable(Int64),
+tcp_s2c_ip_fragments Nullable(Int64),
+tcp_c2s_lost_bytes Nullable(Int64),
+tcp_s2c_lost_bytes Nullable(Int64),
+tcp_c2s_o3_pkts Nullable(Int64),
+tcp_s2c_o3_pkts Nullable(Int64),
+tcp_c2s_rtx_pkts Nullable(Int64),
+tcp_s2c_rtx_pkts Nullable(Int64),
+tcp_c2s_rtx_bytes Nullable(Int64),
+tcp_s2c_rtx_bytes Nullable(Int64),
+tcp_rtt_ms Nullable(Int32),
+tcp_client_isn Nullable(Int64),
+tcp_server_isn Nullable(Int64),
+packet_capture_file String,
+in_src_mac String,
+out_src_mac String,
+in_dest_mac String,
+out_dest_mac String,
+encapsulation String,
+dup_traffic_flag Nullable(Int32),
+tunnel_id_list Array(Int64),
+tunnel_uuid_list Array(String),
+tunnel_endpoint_a_desc String,
+tunnel_endpoint_b_desc String
+)
+ENGINE =Distributed(ck_cluster,tsg_galaxy_v3,security_event_local,rand());
+
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.monitor_event_local on cluster ck_cluster (
+recv_time Int64,
+log_id UInt64,
+decoded_as String,
+session_id UInt64,
+start_timestamp_ms DateTime64(3),
+end_timestamp_ms DateTime64(3),
+duration_ms Int32,
+tcp_handshake_latency_ms Nullable(Int32),
+ingestion_time Int64,
+processing_time Int64,
+insert_time Int64 MATERIALIZED toUnixTimestamp(now()),
+device_id String,
+out_link_id Nullable(Int32),
+in_link_id Nullable(Int32),
+device_tag String,
+data_center String,
+device_group String,
+sled_ip String,
+address_type Int32,
+direction String,
+vsys_id Int32,
+t_vsys_id Int32,
+flags Int64,
+flags_identify_info String,
+c2s_ttl Nullable(Int32),
+s2c_ttl Nullable(Int32),
+security_rule_list Array(Int64),
+security_rule_uuid_list Array(String),
+security_action String,
+monitor_rule_list Array(Int64),
+monitor_rule_uuid_list Array(String),
+shaping_rule_list Array(Int64),
+shaping_rule_uuid_list Array(String),
+proxy_rule_list Array(Int64),
+proxy_rule_uuid_list Array(String),
+statistics_rule_list Array(Int64),
+statistics_rule_uuid_list Array(String),
+sc_rule_list Array(Int64),
+sc_rule_uuid_list Array(String),
+sc_rsp_raw Array(Int64),
+sc_rsp_decrypted Array(Int64),
+proxy_action String,
+proxy_pinning_status Nullable(Int32),
+proxy_intercept_status Nullable(Int32),
+proxy_passthrough_reason String,
+proxy_client_side_latency_ms Nullable(Int32),
+proxy_server_side_latency_ms Nullable(Int32),
+proxy_client_side_version String,
+proxy_server_side_version String,
+proxy_cert_verify Nullable(Int32),
+proxy_intercept_error String,
+monitor_mirrored_pkts Nullable(Int32),
+monitor_mirrored_bytes Nullable(Int32),
+client_ip String,
+client_ip_tags Array(String),
+client_port Int32,
+client_os_desc String,
+client_geolocation LowCardinality(String),
+client_country String,
+client_super_administrative_area String,
+client_administrative_area String,
+client_sub_administrative_area String,
+client_asn Nullable(Int64),
+subscriber_id String,
+subscriber_id_hmac String,
+imei String,
+imsi String,
+phone_number String,
+phone_number_hmac String,
+apn String,
+mobile_identify String,
+server_ip String,
+server_ip_tags Array(String),
+server_port Int32,
+server_os_desc String,
+server_geolocation LowCardinality(String),
+server_country String,
+server_super_administrative_area String,
+server_administrative_area String,
+server_sub_administrative_area String,
+server_asn Nullable(Int64),
+server_fqdn String,
+server_fqdn_tags Array(String),
+server_domain String,
+app_transition String, 
+app LowCardinality(String),
+app_category String,
+app_debug_info String,
+app_content String,
+app_extra_info String,
+fqdn_category_list Array(Int64),
+ip_protocol LowCardinality(String),
+decoded_path LowCardinality(String),
+dns_message_id Nullable(Int32),
+dns_qr Nullable(Int32),
+dns_opcode Nullable(Int32),
+dns_aa Nullable(Int32),
+dns_tc Nullable(Int32),
+dns_rd Nullable(Int32),
+dns_ra Nullable(Int32),
+dns_rcode Nullable(Int32),
+dns_qdcount Nullable(Int32),
+dns_ancount Nullable(Int32),
+dns_nscount Nullable(Int32),
+dns_arcount Nullable(Int32),
+dns_qname String,
+dns_qtype Nullable(Int32),
+dns_qclass Nullable(Int32),
+dns_cname String,
+dns_sub Nullable(Int32),
+dns_rr String,
+dns_response_latency_ms Nullable(Int32),
+http_url String,
+http_host String,
+http_request_line String,
+http_response_line String,
+http_request_body String,
+http_response_body String,
+http_proxy_flag Nullable(Int32),
+http_sequence Nullable(Int32),
+http_cookie String,
+http_referer String,
+http_user_agent String,
+http_request_content_length Nullable(Int64),
+http_request_content_type String,
+http_response_content_length Nullable(Int64),
+http_response_content_type String,
+http_set_cookie String,
+http_version String,
+http_status_code Nullable(Int32),
+http_response_latency_ms Nullable(Int32),
+http_session_duration_ms Nullable(Int32),
+http_action_file_size Nullable(Int64),
+ssl_version String,
+ssl_sni String,
+ssl_san String,
+ssl_cn String,
+ssl_handshake_latency_ms Nullable(Int32),
+ssl_ja3_hash String,
+ssl_ja3s_hash String,
+ssl_ja4_fingerprint String,
+ssl_ja4s_fingerprint String,
+ssl_cert_issuer String,
+ssl_cert_subject String,
+ssl_esni_flag Nullable(Int32),
+ssl_ech_flag Nullable(Int32),
+dtls_cookie String,
+dtls_version  String,
+dtls_sni String,
+dtls_san String,
+dtls_cn String,
+dtls_handshake_latency_ms Nullable(Int32),
+dtls_ja3_fingerprint String,
+dtls_ja3_hash String,
+dtls_cert_issuer String,
+dtls_cert_subject String,
+mail_protocol_type String,
+mail_account String,
+mail_from_cmd String,
+mail_to_cmd String,
+mail_from String,
+mail_password String,
+mail_to String,
+mail_cc String,
+mail_bcc String,
+mail_subject String,
+mail_subject_charset String,
+mail_attachment_name String,
+mail_attachment_name_charset String,
+mail_starttls_flag Nullable(Int32),
+mail_eml_file String,
+ftp_account String,
+ftp_url String,
+ftp_link_type String,
+quic_version String,
+quic_sni String,
+quic_user_agent String,
+rdp_cookie String,
+rdp_security_protocol String,
+rdp_client_channels String,
+rdp_keyboard_layout String,
+rdp_client_version String,
+rdp_client_name String,
+rdp_client_product_id String,
+rdp_desktop_width String,
+rdp_desktop_height String,
+rdp_requested_color_depth String,
+rdp_certificate_type String,
+rdp_certificate_count Nullable(Int32),
+rdp_certificate_permanent Nullable(Int32),
+rdp_encryption_level String,
+rdp_encryption_method String,
+ssh_version String,
+ssh_auth_success String,
+ssh_client_version String,
+ssh_server_version String,
+ssh_cipher_alg String,
+ssh_mac_alg String,
+ssh_compression_alg String,
+ssh_kex_alg String,
+ssh_host_key_alg String,
+ssh_host_key String,
+ssh_hassh String,
+sip_call_id String,
+sip_originator_description String,
+sip_responder_description String,
+sip_user_agent String,
+sip_server String,
+sip_originator_sdp_connect_ip String,
+sip_originator_sdp_media_port Nullable(Int32),
+sip_originator_sdp_media_type String,
+sip_originator_sdp_content String,
+sip_responder_sdp_connect_ip String,
+sip_responder_sdp_media_port Nullable(Int32),
+sip_responder_sdp_media_type String,
+sip_responder_sdp_content String,
+sip_duration_s Nullable(Int32),
+sip_bye String,
+sip_bye_reason String,
+rtp_payload_type_c2s Nullable(Int32),
+rtp_payload_type_s2c Nullable(Int32),
+rtp_pcap_path String,
+rtp_originator_dir Nullable(Int32),
+stratum_cryptocurrency String,
+stratum_mining_pools String,
+stratum_mining_program String,
+stratum_mining_subscribe String,
+sent_pkts Int64,
+received_pkts Int64,
+sent_bytes Int64,
+received_bytes Int64,
+tcp_c2s_ip_fragments Nullable(Int64),
+tcp_s2c_ip_fragments Nullable(Int64),
+tcp_c2s_lost_bytes Nullable(Int64),
+tcp_s2c_lost_bytes Nullable(Int64),
+tcp_c2s_o3_pkts Nullable(Int64),
+tcp_s2c_o3_pkts Nullable(Int64),
+tcp_c2s_rtx_pkts Nullable(Int64),
+tcp_s2c_rtx_pkts Nullable(Int64),
+tcp_c2s_rtx_bytes Nullable(Int64),
+tcp_s2c_rtx_bytes Nullable(Int64),
+tcp_rtt_ms Nullable(Int32),
+tcp_client_isn Nullable(Int64),
+tcp_server_isn Nullable(Int64),
+packet_capture_file String,
+in_src_mac String,
+out_src_mac String,
+in_dest_mac String,
+out_dest_mac String,
+encapsulation String,
+dup_traffic_flag Nullable(Int32),
+tunnel_id_list Array(Int64),
+tunnel_uuid_list Array(String),
+tunnel_endpoint_a_desc String,
+tunnel_endpoint_b_desc String
+)
+ENGINE = MergeTree
+PARTITION BY toYYYYMMDD(toDate(recv_time))
+ORDER BY (vsys_id, security_action,proxy_action,decoded_as,data_center, device_group,recv_time);
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.monitor_event on cluster ck_cluster (
+recv_time Int64,
+log_id UInt64,
+decoded_as String,
+session_id UInt64,
+start_timestamp_ms DateTime64(3),
+end_timestamp_ms DateTime64(3),
+duration_ms Int32,
+tcp_handshake_latency_ms Nullable(Int32),
+ingestion_time Int64,
+processing_time Int64,
+insert_time Int64,
+device_id String,
+out_link_id Nullable(Int32),
+in_link_id Nullable(Int32),
+device_tag String,
+data_center String,
+device_group String,
+sled_ip String,
+address_type Int32,
+direction String,
+vsys_id Int32,
+t_vsys_id Int32,
+flags Int64,
+flags_identify_info String,
+c2s_ttl Nullable(Int32),
+s2c_ttl Nullable(Int32),
+security_rule_list Array(Int64),
+security_rule_uuid_list Array(String),
+security_action String,
+monitor_rule_list Array(Int64),
+monitor_rule_uuid_list Array(String),
+shaping_rule_list Array(Int64),
+shaping_rule_uuid_list Array(String),
+proxy_rule_list Array(Int64),
+proxy_rule_uuid_list Array(String),
+statistics_rule_list Array(Int64),
+statistics_rule_uuid_list Array(String),
+sc_rule_list Array(Int64),
+sc_rule_uuid_list Array(String),
+sc_rsp_raw Array(Int64),
+sc_rsp_decrypted Array(Int64),
+proxy_action String,
+proxy_pinning_status Nullable(Int32),
+proxy_intercept_status Nullable(Int32),
+proxy_passthrough_reason String,
+proxy_client_side_latency_ms Nullable(Int32),
+proxy_server_side_latency_ms Nullable(Int32),
+proxy_client_side_version String,
+proxy_server_side_version String,
+proxy_cert_verify Nullable(Int32),
+proxy_intercept_error String,
+monitor_mirrored_pkts Nullable(Int32),
+monitor_mirrored_bytes Nullable(Int32),
+client_ip String,
+client_ip_tags Array(String),
+client_port Int32,
+client_os_desc String,
+client_geolocation LowCardinality(String),
+client_country String,
+client_super_administrative_area String,
+client_administrative_area String,
+client_sub_administrative_area String,
+client_asn Nullable(Int64),
+subscriber_id String,
+subscriber_id_hmac String,
+imei String,
+imsi String,
+phone_number String,
+phone_number_hmac String,
+apn String,
+mobile_identify String,
+server_ip String,
+server_ip_tags Array(String),
+server_port Int32,
+server_os_desc String,
+server_geolocation LowCardinality(String),
+server_country String,
+server_super_administrative_area String,
+server_administrative_area String,
+server_sub_administrative_area String,
+server_asn Nullable(Int64),
+server_fqdn String,
+server_fqdn_tags Array(String),
+server_domain String,
+app_transition String, 
+app LowCardinality(String),
+app_category String,
+app_debug_info String,
+app_content String,
+app_extra_info String,
+fqdn_category_list Array(Int64),
+ip_protocol LowCardinality(String),
+decoded_path LowCardinality(String),
+dns_message_id Nullable(Int32),
+dns_qr Nullable(Int32),
+dns_opcode Nullable(Int32),
+dns_aa Nullable(Int32),
+dns_tc Nullable(Int32),
+dns_rd Nullable(Int32),
+dns_ra Nullable(Int32),
+dns_rcode Nullable(Int32),
+dns_qdcount Nullable(Int32),
+dns_ancount Nullable(Int32),
+dns_nscount Nullable(Int32),
+dns_arcount Nullable(Int32),
+dns_qname String,
+dns_qtype Nullable(Int32),
+dns_qclass Nullable(Int32),
+dns_cname String,
+dns_sub Nullable(Int32),
+dns_rr String,
+dns_response_latency_ms Nullable(Int32),
+http_url String,
+http_host String,
+http_request_line String,
+http_response_line String,
+http_request_body String,
+http_response_body String,
+http_proxy_flag Nullable(Int32),
+http_sequence Nullable(Int32),
+http_cookie String,
+http_referer String,
+http_user_agent String,
+http_request_content_length Nullable(Int64),
+http_request_content_type String,
+http_response_content_length Nullable(Int64),
+http_response_content_type String,
+http_set_cookie String,
+http_version String,
+http_status_code Nullable(Int32),
+http_response_latency_ms Nullable(Int32),
+http_session_duration_ms Nullable(Int32),
+http_action_file_size Nullable(Int64),
+ssl_version String,
+ssl_sni String,
+ssl_san String,
+ssl_cn String,
+ssl_handshake_latency_ms Nullable(Int32),
+ssl_ja3_hash String,
+ssl_ja3s_hash String,
+ssl_ja4_fingerprint String,
+ssl_ja4s_fingerprint String,
+ssl_cert_issuer String,
+ssl_cert_subject String,
+ssl_esni_flag Nullable(Int32),
+ssl_ech_flag Nullable(Int32),
+dtls_cookie String,
+dtls_version  String,
+dtls_sni String,
+dtls_san String,
+dtls_cn String,
+dtls_handshake_latency_ms Nullable(Int32),
+dtls_ja3_fingerprint String,
+dtls_ja3_hash String,
+dtls_cert_issuer String,
+dtls_cert_subject String,
+mail_protocol_type String,
+mail_account String,
+mail_from_cmd String,
+mail_to_cmd String,
+mail_from String,
+mail_password String,
+mail_to String,
+mail_cc String,
+mail_bcc String,
+mail_subject String,
+mail_subject_charset String,
+mail_attachment_name String,
+mail_attachment_name_charset String,
+mail_starttls_flag Nullable(Int32),
+mail_eml_file String,
+ftp_account String,
+ftp_url String,
+ftp_link_type String,
+quic_version String,
+quic_sni String,
+quic_user_agent String,
+rdp_cookie String,
+rdp_security_protocol String,
+rdp_client_channels String,
+rdp_keyboard_layout String,
+rdp_client_version String,
+rdp_client_name String,
+rdp_client_product_id String,
+rdp_desktop_width String,
+rdp_desktop_height String,
+rdp_requested_color_depth String,
+rdp_certificate_type String,
+rdp_certificate_count Nullable(Int32),
+rdp_certificate_permanent Nullable(Int32),
+rdp_encryption_level String,
+rdp_encryption_method String,
+ssh_version String,
+ssh_auth_success String,
+ssh_client_version String,
+ssh_server_version String,
+ssh_cipher_alg String,
+ssh_mac_alg String,
+ssh_compression_alg String,
+ssh_kex_alg String,
+ssh_host_key_alg String,
+ssh_host_key String,
+ssh_hassh String,
+sip_call_id String,
+sip_originator_description String,
+sip_responder_description String,
+sip_user_agent String,
+sip_server String,
+sip_originator_sdp_connect_ip String,
+sip_originator_sdp_media_port Nullable(Int32),
+sip_originator_sdp_media_type String,
+sip_originator_sdp_content String,
+sip_responder_sdp_connect_ip String,
+sip_responder_sdp_media_port Nullable(Int32),
+sip_responder_sdp_media_type String,
+sip_responder_sdp_content String,
+sip_duration_s Nullable(Int32),
+sip_bye String,
+sip_bye_reason String,
+rtp_payload_type_c2s Nullable(Int32),
+rtp_payload_type_s2c Nullable(Int32),
+rtp_pcap_path String,
+rtp_originator_dir Nullable(Int32),
+stratum_cryptocurrency String,
+stratum_mining_pools String,
+stratum_mining_program String,
+stratum_mining_subscribe String,
+sent_pkts Int64,
+received_pkts Int64,
+sent_bytes Int64,
+received_bytes Int64,
+tcp_c2s_ip_fragments Nullable(Int64),
+tcp_s2c_ip_fragments Nullable(Int64),
+tcp_c2s_lost_bytes Nullable(Int64),
+tcp_s2c_lost_bytes Nullable(Int64),
+tcp_c2s_o3_pkts Nullable(Int64),
+tcp_s2c_o3_pkts Nullable(Int64),
+tcp_c2s_rtx_pkts Nullable(Int64),
+tcp_s2c_rtx_pkts Nullable(Int64),
+tcp_c2s_rtx_bytes Nullable(Int64),
+tcp_s2c_rtx_bytes Nullable(Int64),
+tcp_rtt_ms Nullable(Int32),
+tcp_client_isn Nullable(Int64),
+tcp_server_isn Nullable(Int64),
+packet_capture_file String,
+in_src_mac String,
+out_src_mac String,
+in_dest_mac String,
+out_dest_mac String,
+encapsulation String,
+dup_traffic_flag Nullable(Int32),
+tunnel_id_list Array(Int64),
+tunnel_uuid_list Array(String),
+tunnel_endpoint_a_desc String,
+tunnel_endpoint_b_desc String
+)
+ENGINE =Distributed(ck_cluster,tsg_galaxy_v3,monitor_event_local,rand());
+
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.transaction_record_local on cluster ck_cluster (
+recv_time Int64,
+log_id UInt64,
+decoded_as String,
+session_id UInt64,
+ingestion_time Int64,
+processing_time Int64,
+insert_time Int64 MATERIALIZED toUnixTimestamp(now()),
+address_type Int32,
+vsys_id Int32,
+client_ip String,
+client_port Int32,
+server_ip String,
+server_port Int32,
+sent_pkts Int64,
+received_pkts Int64,
+sent_bytes Int64,
+received_bytes Int64,
+dns_message_id Nullable(Int32),
+dns_qr Nullable(Int32),
+dns_opcode Nullable(Int32),
+dns_aa Nullable(Int32),
+dns_tc Nullable(Int32),
+dns_rd Nullable(Int32),
+dns_ra Nullable(Int32),
+dns_rcode Nullable(Int32),
+dns_qdcount Nullable(Int32),
+dns_ancount Nullable(Int32),
+dns_nscount Nullable(Int32),
+dns_arcount Nullable(Int32),
+dns_qname String,
+dns_qtype Nullable(Int32),
+dns_qclass Nullable(Int32),
+dns_cname String,
+dns_sub Nullable(Int32),
+dns_rr String,
+dns_response_latency_ms Nullable(Int32),
+http_url String,
+http_host String,
+http_request_line String,
+http_response_line String,
+http_request_body String,
+http_response_body String,
+http_proxy_flag Nullable(Int32),
+http_sequence Nullable(Int32),
+http_cookie String,
+http_referer String,
+http_user_agent String,
+http_request_content_length Nullable(Int64),
+http_request_content_type String,
+http_response_content_length Nullable(Int64),
+http_response_content_type String,
+http_set_cookie String,
+http_version String,
+http_status_code Nullable(Int32),
+http_response_latency_ms Nullable(Int32),
+http_session_duration_ms Nullable(Int32),
+http_action_file_size Nullable(Int64),
+mail_protocol_type String,
+mail_account String,
+mail_from_cmd String,
+mail_to_cmd String,
+mail_from String,
+mail_password String,
+mail_to String,
+mail_cc String,
+mail_bcc String,
+mail_subject String,
+mail_subject_charset String,
+mail_attachment_name String,
+mail_attachment_name_charset String,
+mail_starttls_flag Nullable(Int32),
+mail_eml_file String,
+sip_call_id String,
+sip_originator_description String,
+sip_responder_description String,
+sip_user_agent String,
+sip_server String,
+sip_originator_sdp_connect_ip String,
+sip_originator_sdp_media_port Nullable(Int32),
+sip_originator_sdp_media_type String,
+sip_originator_sdp_content String,
+sip_responder_sdp_connect_ip String,
+sip_responder_sdp_media_port Nullable(Int32),
+sip_responder_sdp_media_type String,
+sip_responder_sdp_content String,
+sip_duration_s Nullable(Int32),
+sip_bye String,
+sip_bye_reason String
+)
+ENGINE = MergeTree
+PARTITION BY toYYYYMMDD(toDate(recv_time))
+ORDER BY (vsys_id,session_id,recv_time);
+
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.transaction_record on cluster ck_cluster (
+recv_time Int64,
+log_id UInt64,
+decoded_as String,
+session_id UInt64,
+ingestion_time Int64,
+processing_time Int64,
+insert_time Int64 ,
+address_type Int32,
+vsys_id Int32,
+client_ip String,
+client_port Int32,
+server_ip String,
+server_port Int32,
+sent_pkts Int64,
+received_pkts Int64,
+sent_bytes Int64,
+received_bytes Int64,
+dns_message_id Nullable(Int32),
+dns_qr Nullable(Int32),
+dns_opcode Nullable(Int32),
+dns_aa Nullable(Int32),
+dns_tc Nullable(Int32),
+dns_rd Nullable(Int32),
+dns_ra Nullable(Int32),
+dns_rcode Nullable(Int32),
+dns_qdcount Nullable(Int32),
+dns_ancount Nullable(Int32),
+dns_nscount Nullable(Int32),
+dns_arcount Nullable(Int32),
+dns_qname String,
+dns_qtype Nullable(Int32),
+dns_qclass Nullable(Int32),
+dns_cname String,
+dns_sub Nullable(Int32),
+dns_rr String,
+dns_response_latency_ms Nullable(Int32),
+http_url String,
+http_host String,
+http_request_line String,
+http_response_line String,
+http_request_body String,
+http_response_body String,
+http_proxy_flag Nullable(Int32),
+http_sequence Nullable(Int32),
+http_cookie String,
+http_referer String,
+http_user_agent String,
+http_request_content_length Nullable(Int64),
+http_request_content_type String,
+http_response_content_length Nullable(Int64),
+http_response_content_type String,
+http_set_cookie String,
+http_version String,
+http_status_code Nullable(Int32),
+http_response_latency_ms Nullable(Int32),
+http_session_duration_ms Nullable(Int32),
+http_action_file_size Nullable(Int64),
+mail_protocol_type String,
+mail_account String,
+mail_from_cmd String,
+mail_to_cmd String,
+mail_from String,
+mail_password String,
+mail_to String,
+mail_cc String,
+mail_bcc String,
+mail_subject String,
+mail_subject_charset String,
+mail_attachment_name String,
+mail_attachment_name_charset String,
+mail_starttls_flag Nullable(Int32),
+mail_eml_file String,
+sip_call_id String,
+sip_originator_description String,
+sip_responder_description String,
+sip_user_agent String,
+sip_server String,
+sip_originator_sdp_connect_ip String,
+sip_originator_sdp_media_port Nullable(Int32),
+sip_originator_sdp_media_type String,
+sip_originator_sdp_content String,
+sip_responder_sdp_connect_ip String,
+sip_responder_sdp_media_port Nullable(Int32),
+sip_responder_sdp_media_type String,
+sip_responder_sdp_content String,
+sip_duration_s Nullable(Int32),
+sip_bye String,
+sip_bye_reason String
+)
+ENGINE =Distributed(ck_cluster,tsg_galaxy_v3,transaction_record_local,rand());
+
+
+
+alter table tsg_galaxy_v3.session_record_local on cluster ck_cluster add INDEX IF NOT EXISTS client_index client_ip type bloom_filter(0.05) GRANULARITY 1;
+alter table tsg_galaxy_v3.transaction_record_local on cluster ck_cluster add INDEX IF NOT EXISTS client_index client_ip type bloom_filter(0.05) GRANULARITY 1;
+
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.voip_record_local on cluster ck_cluster (
+recv_time Int64,
+log_id UInt64,
+decoded_as String,
+session_id UInt64,
+start_timestamp_ms DateTime64(3),
+end_timestamp_ms DateTime64(3),
+duration_ms Int32,
+tcp_handshake_latency_ms Nullable(Int32),
+ingestion_time Int64,
+processing_time Int64,
+insert_time Int64 MATERIALIZED toUnixTimestamp(now()),
+device_id String,
+out_link_id Nullable(Int32),
+in_link_id Nullable(Int32),
+device_tag String,
+data_center String,
+device_group String,
+sled_ip String,
+address_type Int32,
+direction String,
+vsys_id Int32,
+t_vsys_id Int32,
+flags Int64,
+flags_identify_info String,
+client_ip String,
+client_port Int32,
+client_os_desc String,
+client_geolocation LowCardinality(String),
+client_country String,
+client_super_administrative_area String,
+client_administrative_area String,
+client_sub_administrative_area String,
+client_asn Nullable(Int64),
+server_ip String,
+server_port Int32,
+server_os_desc String,
+server_geolocation LowCardinality(String),
+server_country String,
+server_super_administrative_area String,
+server_administrative_area String,
+server_sub_administrative_area String,
+server_asn Nullable(Int64),
+ip_protocol LowCardinality(String),
+sip_call_id String,
+sip_originator_description String,
+sip_responder_description String,
+sip_user_agent String,
+sip_server String,
+sip_originator_sdp_connect_ip String,
+sip_originator_sdp_media_port Nullable(Int32),
+sip_originator_sdp_media_type String,
+sip_originator_sdp_content String,
+sip_responder_sdp_connect_ip String,
+sip_responder_sdp_media_port Nullable(Int32),
+sip_responder_sdp_media_type String,
+sip_responder_sdp_content String,
+sip_duration_s Nullable(Int32),
+sip_bye String,
+sip_bye_reason String,
+rtp_payload_type_c2s Nullable(Int32),
+rtp_payload_type_s2c Nullable(Int32),
+rtp_pcap_path String,
+rtp_originator_dir Nullable(Int32),
+sent_pkts Int64,
+received_pkts Int64,
+sent_bytes Int64,
+received_bytes Int64
+)
+ENGINE = MergeTree
+PARTITION BY toYYYYMMDD(toDate(recv_time))
+ORDER BY (vsys_id,decoded_as,data_center, device_group,recv_time);
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.voip_record on cluster ck_cluster (
+recv_time Int64,
+log_id UInt64,
+decoded_as String,
+session_id UInt64,
+start_timestamp_ms DateTime64(3),
+end_timestamp_ms DateTime64(3),
+duration_ms Int32,
+tcp_handshake_latency_ms Nullable(Int32),
+ingestion_time Int64,
+processing_time Int64,
+insert_time Int64,
+device_id String,
+out_link_id Nullable(Int32),
+in_link_id Nullable(Int32),
+device_tag String,
+data_center String,
+device_group String,
+sled_ip String,
+address_type Int32,
+direction String,
+vsys_id Int32,
+t_vsys_id Int32,
+flags Int64,
+flags_identify_info String,
+client_ip String,
+client_port Int32,
+client_os_desc String,
+client_geolocation LowCardinality(String),
+client_country String,
+client_super_administrative_area String,
+client_administrative_area String,
+client_sub_administrative_area String,
+client_asn Nullable(Int64),
+server_ip String,
+server_port Int32,
+server_os_desc String,
+server_geolocation LowCardinality(String),
+server_country String,
+server_super_administrative_area String,
+server_administrative_area String,
+server_sub_administrative_area String,
+server_asn Nullable(Int64),
+ip_protocol LowCardinality(String),
+sip_call_id String,
+sip_originator_description String,
+sip_responder_description String,
+sip_user_agent String,
+sip_server String,
+sip_originator_sdp_connect_ip String,
+sip_originator_sdp_media_port Nullable(Int32),
+sip_originator_sdp_media_type String,
+sip_originator_sdp_content String,
+sip_responder_sdp_connect_ip String,
+sip_responder_sdp_media_port Nullable(Int32),
+sip_responder_sdp_media_type String,
+sip_responder_sdp_content String,
+sip_duration_s Nullable(Int32),
+sip_bye String,
+sip_bye_reason String,
+rtp_payload_type_c2s Nullable(Int32),
+rtp_payload_type_s2c Nullable(Int32),
+rtp_pcap_path String,
+rtp_originator_dir Nullable(Int32),
+sent_pkts Int64,
+received_pkts Int64,
+sent_bytes Int64,
+received_bytes Int64
+)
+ENGINE =Distributed(ck_cluster,tsg_galaxy_v3,voip_record_local,rand());
+
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.proxy_event_local on cluster ck_cluster (
+recv_time Int64,
+log_id UInt64,
+decoded_as String,
+session_id UInt64,
+start_timestamp_ms DateTime64(3),
+end_timestamp_ms DateTime64(3),
+duration_ms Int32,
+tcp_handshake_latency_ms Nullable(Int32),
+ingestion_time Int64,
+processing_time Int64,
+insert_time Int64 MATERIALIZED toUnixTimestamp(now()),
+device_id String,
+out_link_id Nullable(Int32),
+in_link_id Nullable(Int32),
+device_tag String,
+data_center String,
+device_group String,
+sled_ip String,
+address_type Int32,
+direction String,
+vsys_id Int32,
+t_vsys_id Int32,
+flags Int64,
+flags_identify_info String,
+c2s_ttl Nullable(Int32),
+s2c_ttl Nullable(Int32),
+security_rule_list Array(Int64),
+security_rule_uuid_list Array(String),
+security_action String,
+monitor_rule_list Array(Int64),
+monitor_rule_uuid_list Array(String),
+shaping_rule_list Array(Int64),
+shaping_rule_uuid_list Array(String),
+proxy_rule_list Array(Int64),
+proxy_rule_uuid_list Array(String),
+statistics_rule_list Array(Int64),
+statistics_rule_uuid_list Array(String),
+sc_rule_list Array(Int64),
+sc_rule_uuid_list Array(String),
+sc_rsp_raw Array(Int64),
+sc_rsp_decrypted Array(Int64),
+proxy_action String,
+proxy_pinning_status Nullable(Int32),
+proxy_intercept_status Nullable(Int32),
+proxy_passthrough_reason String,
+proxy_client_side_latency_ms Nullable(Int32),
+proxy_server_side_latency_ms Nullable(Int32),
+proxy_client_side_version String,
+proxy_server_side_version String,
+proxy_cert_verify Nullable(Int32),
+proxy_intercept_error String,
+monitor_mirrored_pkts Nullable(Int32),
+monitor_mirrored_bytes Nullable(Int32),
+client_ip String,
+client_ip_tags Array(String),
+client_port Int32,
+client_os_desc String,
+client_geolocation LowCardinality(String),
+client_country String,
+client_super_administrative_area String,
+client_administrative_area String,
+client_sub_administrative_area String,
+client_asn Nullable(Int64),
+subscriber_id String,
+subscriber_id_hmac String,
+imei String,
+imsi String,
+phone_number String,
+phone_number_hmac String,
+apn String,
+mobile_identify String,
+server_ip String,
+server_ip_tags Array(String),
+server_port Int32,
+server_os_desc String,
+server_geolocation LowCardinality(String),
+server_country String,
+server_super_administrative_area String,
+server_administrative_area String,
+server_sub_administrative_area String,
+server_asn Nullable(Int64),
+server_fqdn String,
+server_fqdn_tags Array(String),
+server_domain String,
+app_transition String, 
+app LowCardinality(String),
+app_category String,
+app_debug_info String,
+app_content String,
+app_extra_info String,
+fqdn_category_list Array(Int64),
+ip_protocol LowCardinality(String),
+decoded_path LowCardinality(String),
+http_url String,
+http_host String,
+http_request_line String,
+http_response_line String,
+http_request_body String,
+http_response_body String,
+http_proxy_flag Nullable(Int32),
+http_sequence Nullable(Int32),
+http_cookie String,
+http_referer String,
+http_user_agent String,
+http_request_content_length Nullable(Int64),
+http_request_content_type String,
+http_response_content_length Nullable(Int64),
+http_response_content_type String,
+http_set_cookie String,
+http_version String,
+http_status_code Nullable(Int32),
+http_response_latency_ms Nullable(Int32),
+http_session_duration_ms Nullable(Int32),
+http_action_file_size Nullable(Int64),
+doh_url String,
+doh_host String,
+doh_request_line String,
+doh_response_line String,
+doh_cookie String,
+doh_referer String,
+doh_user_agent String,
+doh_content_length String,
+doh_content_type String,
+doh_set_cookie String,
+doh_version String,
+doh_message_id Int64,
+doh_qr Nullable(Int64),
+doh_opcode Nullable(Int64),
+doh_aa Nullable(Int64),
+doh_tc Nullable(Int64),
+doh_rd Nullable(Int64),
+doh_ra Nullable(Int64),
+doh_rcode Nullable(Int64),
+doh_qdcount Nullable(Int64),
+doh_ancount Nullable(Int64),
+doh_nscount Nullable(Int64),
+doh_arcount Nullable(Int64),
+doh_qname String,
+doh_qtype Nullable(Int64),
+doh_qclass Nullable(Int64),
+doh_cname String,
+doh_sub Nullable(Int64),
+doh_rr String,
+sent_pkts Int64,
+received_pkts Int64,
+sent_bytes Int64,
+received_bytes Int64,
+tcp_c2s_ip_fragments Nullable(Int64),
+tcp_s2c_ip_fragments Nullable(Int64),
+tcp_c2s_lost_bytes Nullable(Int64),
+tcp_s2c_lost_bytes Nullable(Int64),
+tcp_c2s_o3_pkts Nullable(Int64),
+tcp_s2c_o3_pkts Nullable(Int64),
+tcp_c2s_rtx_pkts Nullable(Int64),
+tcp_s2c_rtx_pkts Nullable(Int64),
+tcp_c2s_rtx_bytes Nullable(Int64),
+tcp_s2c_rtx_bytes Nullable(Int64),
+tcp_rtt_ms Nullable(Int32),
+tcp_client_isn Nullable(Int64),
+tcp_server_isn Nullable(Int64),
+packet_capture_file String,
+in_src_mac String,
+out_src_mac String,
+in_dest_mac String,
+out_dest_mac String,
+encapsulation String,
+dup_traffic_flag Nullable(Int32),
+tunnel_id_list Array(Int64),
+tunnel_uuid_list Array(String),
+tunnel_endpoint_a_desc String,
+tunnel_endpoint_b_desc String
+)
+ENGINE = MergeTree
+PARTITION BY toYYYYMMDD(toDate(recv_time))
+ORDER BY (vsys_id,proxy_action,decoded_as,data_center, device_group,recv_time);
+
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.proxy_event on cluster ck_cluster (
+recv_time Int64,
+log_id UInt64,
+decoded_as String,
+session_id UInt64,
+start_timestamp_ms DateTime64(3),
+end_timestamp_ms DateTime64(3),
+duration_ms Int32,
+tcp_handshake_latency_ms Nullable(Int32),
+ingestion_time Int64,
+processing_time Int64,
+insert_time Int64,
+device_id String,
+out_link_id Nullable(Int32),
+in_link_id Nullable(Int32),
+device_tag String,
+data_center String,
+device_group String,
+sled_ip String,
+address_type Int32,
+direction String,
+vsys_id Int32,
+t_vsys_id Int32,
+flags Int64,
+flags_identify_info String,
+c2s_ttl Nullable(Int32),
+s2c_ttl Nullable(Int32),
+security_rule_list Array(Int64),
+security_rule_uuid_list Array(String),
+security_action String,
+monitor_rule_list Array(Int64),
+monitor_rule_uuid_list Array(String),
+shaping_rule_list Array(Int64),
+shaping_rule_uuid_list Array(String),
+proxy_rule_list Array(Int64),
+proxy_rule_uuid_list Array(String),
+statistics_rule_list Array(Int64),
+statistics_rule_uuid_list Array(String),
+sc_rule_list Array(Int64),
+sc_rule_uuid_list Array(String),
+sc_rsp_raw Array(Int64),
+sc_rsp_decrypted Array(Int64),
+proxy_action String,
+proxy_pinning_status Nullable(Int32),
+proxy_intercept_status Nullable(Int32),
+proxy_passthrough_reason String,
+proxy_client_side_latency_ms Nullable(Int32),
+proxy_server_side_latency_ms Nullable(Int32),
+proxy_client_side_version String,
+proxy_server_side_version String,
+proxy_cert_verify Nullable(Int32),
+proxy_intercept_error String,
+monitor_mirrored_pkts Nullable(Int32),
+monitor_mirrored_bytes Nullable(Int32),
+client_ip String,
+client_ip_tags Array(String),
+client_port Int32,
+client_os_desc String,
+client_geolocation LowCardinality(String),
+client_country String,
+client_super_administrative_area String,
+client_administrative_area String,
+client_sub_administrative_area String,
+client_asn Nullable(Int64),
+subscriber_id String,
+subscriber_id_hmac String,
+imei String,
+imsi String,
+phone_number String,
+phone_number_hmac String,
+apn String,
+mobile_identify String,
+server_ip String,
+server_ip_tags Array(String),
+server_port Int32,
+server_os_desc String,
+server_geolocation LowCardinality(String),
+server_country String,
+server_super_administrative_area String,
+server_administrative_area String,
+server_sub_administrative_area String,
+server_asn Nullable(Int64),
+server_fqdn String,
+server_fqdn_tags Array(String),
+server_domain String,
+app_transition String, 
+app LowCardinality(String),
+app_category String,
+app_debug_info String,
+app_content String,
+app_extra_info String,
+fqdn_category_list Array(Int64),
+ip_protocol LowCardinality(String),
+decoded_path LowCardinality(String),
+http_url String,
+http_host String,
+http_request_line String,
+http_response_line String,
+http_request_body String,
+http_response_body String,
+http_proxy_flag Nullable(Int32),
+http_sequence Nullable(Int32),
+http_cookie String,
+http_referer String,
+http_user_agent String,
+http_request_content_length Nullable(Int64),
+http_request_content_type String,
+http_response_content_length Nullable(Int64),
+http_response_content_type String,
+http_set_cookie String,
+http_version String,
+http_status_code Nullable(Int32),
+http_response_latency_ms Nullable(Int32),
+http_session_duration_ms Nullable(Int32),
+http_action_file_size Nullable(Int64),
+doh_url String,
+doh_host String,
+doh_request_line String,
+doh_response_line String,
+doh_cookie String,
+doh_referer String,
+doh_user_agent String,
+doh_content_length String,
+doh_content_type String,
+doh_set_cookie String,
+doh_version String,
+doh_message_id Int64,
+doh_qr Nullable(Int64),
+doh_opcode Nullable(Int64),
+doh_aa Nullable(Int64),
+doh_tc Nullable(Int64),
+doh_rd Nullable(Int64),
+doh_ra Nullable(Int64),
+doh_rcode Nullable(Int64),
+doh_qdcount Nullable(Int64),
+doh_ancount Nullable(Int64),
+doh_nscount Nullable(Int64),
+doh_arcount Nullable(Int64),
+doh_qname String,
+doh_qtype Nullable(Int64),
+doh_qclass Nullable(Int64),
+doh_cname String,
+doh_sub Nullable(Int64),
+doh_rr String,
+sent_pkts Int64,
+received_pkts Int64,
+sent_bytes Int64,
+received_bytes Int64,
+tcp_c2s_ip_fragments Nullable(Int64),
+tcp_s2c_ip_fragments Nullable(Int64),
+tcp_c2s_lost_bytes Nullable(Int64),
+tcp_s2c_lost_bytes Nullable(Int64),
+tcp_c2s_o3_pkts Nullable(Int64),
+tcp_s2c_o3_pkts Nullable(Int64),
+tcp_c2s_rtx_pkts Nullable(Int64),
+tcp_s2c_rtx_pkts Nullable(Int64),
+tcp_c2s_rtx_bytes Nullable(Int64),
+tcp_s2c_rtx_bytes Nullable(Int64),
+tcp_rtt_ms Nullable(Int32),
+tcp_client_isn Nullable(Int64),
+tcp_server_isn Nullable(Int64),
+packet_capture_file String,
+in_src_mac String,
+out_src_mac String,
+in_dest_mac String,
+out_dest_mac String,
+encapsulation String,
+dup_traffic_flag Nullable(Int32),
+tunnel_id_list Array(Int64),
+tunnel_uuid_list Array(String),
+tunnel_endpoint_a_desc String,
+tunnel_endpoint_b_desc String
+)
+ENGINE =Distributed(ck_cluster,tsg_galaxy_v3,proxy_event_local,rand());
+
+
+-- tsg_galaxy_v3.security_event_materialized_view
+CREATE MATERIALIZED VIEW IF NOT EXISTS tsg_galaxy_v3.security_event_materialized_view on cluster ck_cluster 
+TO tsg_galaxy_v3.security_event_local
+(
+    recv_time Int64,
+    log_id UInt64,
+    decoded_as String,
+    session_id UInt64,
+    start_timestamp_ms DateTime64(3),
+    end_timestamp_ms DateTime64(3),
+    duration_ms Int32,
+    tcp_handshake_latency_ms Nullable(Int32),
+    ingestion_time Int64,
+    processing_time Int64,
+    -- insert_time Int64 MATERIALIZED toUnixTimestamp(now()),
+    device_id String,
+    out_link_id Nullable(Int32),
+    in_link_id Nullable(Int32),
+    device_tag String,
+    data_center String,
+    device_group String,
+    sled_ip String,
+    address_type Int32,
+    direction String,
+    vsys_id Int32,
+    t_vsys_id Int32,
+    flags Int64,
+    flags_identify_info String,
+    c2s_ttl Nullable(Int32),
+    s2c_ttl Nullable(Int32),
+    security_rule_list Array(Int64),
+    security_rule_uuid_list Array(String),
+    security_action String,
+    monitor_rule_list Array(Int64),
+    monitor_rule_uuid_list Array(String),
+    shaping_rule_list Array(Int64),
+    shaping_rule_uuid_list Array(String),
+    proxy_rule_list Array(Int64),
+    proxy_rule_uuid_list Array(String),
+    statistics_rule_list Array(Int64),
+    statistics_rule_uuid_list Array(String),
+    sc_rule_list Array(Int64),
+    sc_rule_uuid_list Array(String),
+    sc_rsp_raw Array(Int64),
+    sc_rsp_decrypted Array(Int64),
+    proxy_action String,
+    proxy_pinning_status Nullable(Int32),
+    proxy_intercept_status Nullable(Int32),
+    proxy_passthrough_reason String,
+    proxy_client_side_latency_ms Nullable(Int32),
+    proxy_server_side_latency_ms Nullable(Int32),
+    proxy_client_side_version String,
+    proxy_server_side_version String,
+    proxy_cert_verify Nullable(Int32),
+    proxy_intercept_error String,
+    monitor_mirrored_pkts Nullable(Int32),
+    monitor_mirrored_bytes Nullable(Int32),
+    client_ip String,
+    client_ip_tags Array(String),
+    client_port Int32,
+    client_os_desc String,
+    client_geolocation LowCardinality(String),
+    client_country String,
+    client_super_administrative_area String,
+    client_administrative_area String,
+    client_sub_administrative_area String,
+    client_asn Nullable(Int64),
+    subscriber_id String,
+    subscriber_id_hmac String,
+    imei String,
+    imsi String,
+    phone_number String,
+    phone_number_hmac String,
+    apn String,
+    mobile_identify String,
+    server_ip String,
+    server_ip_tags Array(String),
+    server_port Int32,
+    server_os_desc String,
+    server_geolocation LowCardinality(String),
+    server_country String,
+    server_super_administrative_area String,
+    server_administrative_area String,
+    server_sub_administrative_area String,
+    server_asn Nullable(Int64),
+    server_fqdn String,
+    server_fqdn_tags Array(String),
+    server_domain String,
+    app_transition String, 
+    app LowCardinality(String),
+    app_category String,
+    app_debug_info String,
+    app_content String,
+    app_extra_info String,
+    fqdn_category_list Array(Int64),
+    ip_protocol LowCardinality(String),
+    decoded_path LowCardinality(String),
+    dns_message_id Nullable(Int32),
+    dns_qr Nullable(Int32),
+    dns_opcode Nullable(Int32),
+    dns_aa Nullable(Int32),
+    dns_tc Nullable(Int32),
+    dns_rd Nullable(Int32),
+    dns_ra Nullable(Int32),
+    dns_rcode Nullable(Int32),
+    dns_qdcount Nullable(Int32),
+    dns_ancount Nullable(Int32),
+    dns_nscount Nullable(Int32),
+    dns_arcount Nullable(Int32),
+    dns_qname String,
+    dns_qtype Nullable(Int32),
+    dns_qclass Nullable(Int32),
+    dns_cname String,
+    dns_sub Nullable(Int32),
+    dns_rr String,
+    dns_response_latency_ms Nullable(Int32),
+    http_url String,
+    http_host String,
+    http_request_line String,
+    http_response_line String,
+    http_request_body String,
+    http_response_body String,
+    http_proxy_flag Nullable(Int32),
+    http_sequence Nullable(Int32),
+    http_cookie String,
+    http_referer String,
+    http_user_agent String,
+    http_request_content_length Nullable(Int64),
+    http_request_content_type String,
+    http_response_content_length Nullable(Int64),
+    http_response_content_type String,
+    http_set_cookie String,
+    http_version String,
+    http_status_code Nullable(Int32),
+    http_response_latency_ms Nullable(Int32),
+    http_session_duration_ms Nullable(Int32),
+    http_action_file_size Nullable(Int64),
+    ssl_version String,
+    ssl_sni String,
+    ssl_san String,
+    ssl_cn String,
+    ssl_handshake_latency_ms Nullable(Int32),
+    ssl_ja3_hash String,
+    ssl_ja3s_hash String,
+    ssl_ja4_fingerprint String,
+    ssl_ja4s_fingerprint String,
+    ssl_cert_issuer String,
+    ssl_cert_subject String,
+    ssl_esni_flag Nullable(Int32),
+    ssl_ech_flag Nullable(Int32),
+    dtls_cookie String,
+    dtls_version  String,
+    dtls_sni String,
+    dtls_san String,
+    dtls_cn String,
+    dtls_handshake_latency_ms Nullable(Int32),
+    dtls_ja3_fingerprint String,
+    dtls_ja3_hash String,
+    dtls_cert_issuer String,
+    dtls_cert_subject String,
+    mail_protocol_type String,
+    mail_account String,
+    mail_from_cmd String,
+    mail_to_cmd String,
+    mail_from String,
+    mail_password String,
+    mail_to String,
+    mail_cc String,
+    mail_bcc String,
+    mail_subject String,
+    mail_subject_charset String,
+    mail_attachment_name String,
+    mail_attachment_name_charset String,
+    mail_starttls_flag Nullable(Int32),
+    mail_eml_file String,
+    ftp_account String,
+    ftp_url String,
+    ftp_link_type String,
+    quic_version String,
+    quic_sni String,
+    quic_user_agent String,
+    rdp_cookie String,
+    rdp_security_protocol String,
+    rdp_client_channels String,
+    rdp_keyboard_layout String,
+    rdp_client_version String,
+    rdp_client_name String,
+    rdp_client_product_id String,
+    rdp_desktop_width String,
+    rdp_desktop_height String,
+    rdp_requested_color_depth String,
+    rdp_certificate_type String,
+    rdp_certificate_count Nullable(Int32),
+    rdp_certificate_permanent Nullable(Int32),
+    rdp_encryption_level String,
+    rdp_encryption_method String,
+    ssh_version String,
+    ssh_auth_success String,
+    ssh_client_version String,
+    ssh_server_version String,
+    ssh_cipher_alg String,
+    ssh_mac_alg String,
+    ssh_compression_alg String,
+    ssh_kex_alg String,
+    ssh_host_key_alg String,
+    ssh_host_key String,
+    ssh_hassh String,
+    sip_call_id String,
+    sip_originator_description String,
+    sip_responder_description String,
+    sip_user_agent String,
+    sip_server String,
+    sip_originator_sdp_connect_ip String,
+    sip_originator_sdp_media_port Nullable(Int32),
+    sip_originator_sdp_media_type String,
+    sip_originator_sdp_content String,
+    sip_responder_sdp_connect_ip String,
+    sip_responder_sdp_media_port Nullable(Int32),
+    sip_responder_sdp_media_type String,
+    sip_responder_sdp_content String,
+    sip_duration_s Nullable(Int32),
+    sip_bye String,
+    sip_bye_reason String,
+    rtp_payload_type_c2s Nullable(Int32),
+    rtp_payload_type_s2c Nullable(Int32),
+    rtp_pcap_path String,
+    rtp_originator_dir Nullable(Int32),
+    stratum_cryptocurrency String,
+    stratum_mining_pools String,
+    stratum_mining_program String,
+    stratum_mining_subscribe String,
+    sent_pkts Int64,
+    received_pkts Int64,
+    sent_bytes Int64,
+    received_bytes Int64,
+    tcp_c2s_ip_fragments Nullable(Int64),
+    tcp_s2c_ip_fragments Nullable(Int64),
+    tcp_c2s_lost_bytes Nullable(Int64),
+    tcp_s2c_lost_bytes Nullable(Int64),
+    tcp_c2s_o3_pkts Nullable(Int64),
+    tcp_s2c_o3_pkts Nullable(Int64),
+    tcp_c2s_rtx_pkts Nullable(Int64),
+    tcp_s2c_rtx_pkts Nullable(Int64),
+    tcp_c2s_rtx_bytes Nullable(Int64),
+    tcp_s2c_rtx_bytes Nullable(Int64),
+    tcp_rtt_ms Nullable(Int32),
+    tcp_client_isn Nullable(Int64),
+    tcp_server_isn Nullable(Int64),
+    packet_capture_file String,
+    in_src_mac String,
+    out_src_mac String,
+    in_dest_mac String,
+    out_dest_mac String,
+    encapsulation String,
+    dup_traffic_flag Nullable(Int32),
+    tunnel_id_list Array(Int64),
+    tunnel_uuid_list Array(String),
+    tunnel_endpoint_a_desc String,
+    tunnel_endpoint_b_desc String
+) 
+AS
+SELECT
+    recv_time,
+    log_id,
+    decoded_as,
+    session_id,
+    start_timestamp_ms,
+    end_timestamp_ms,
+    duration_ms,
+    tcp_handshake_latency_ms,
+    ingestion_time,
+    processing_time,
+    -- insert_time,
+    device_id,
+    out_link_id,
+    in_link_id,
+    device_tag,
+    data_center,
+    device_group,
+    sled_ip,
+    address_type,
+    direction,
+    vsys_id,
+    t_vsys_id,
+    flags,
+    flags_identify_info,
+    c2s_ttl,
+    s2c_ttl,
+    security_rule_list,
+    security_rule_uuid_list,
+    security_action,
+    monitor_rule_list,
+    monitor_rule_uuid_list,
+    shaping_rule_list,
+    shaping_rule_uuid_list,
+    proxy_rule_list,
+    proxy_rule_uuid_list,
+    statistics_rule_list,
+    statistics_rule_uuid_list,
+    sc_rule_list,
+    sc_rule_uuid_list,
+    sc_rsp_raw,
+    sc_rsp_decrypted,
+    proxy_action,
+    proxy_pinning_status,
+    proxy_intercept_status,
+    proxy_passthrough_reason,
+    proxy_client_side_latency_ms,
+    proxy_server_side_latency_ms,
+    proxy_client_side_version,
+    proxy_server_side_version,
+    proxy_cert_verify,
+    proxy_intercept_error,
+    monitor_mirrored_pkts,
+    monitor_mirrored_bytes,
+    client_ip,
+    client_ip_tags,
+    client_port,
+    client_os_desc,
+    client_geolocation,
+    client_country,
+    client_super_administrative_area,
+    client_administrative_area,
+    client_sub_administrative_area,
+    client_asn,
+    subscriber_id,
+    subscriber_id_hmac,
+    imei,
+    imsi,
+    phone_number,
+    phone_number_hmac,
+    apn,
+    mobile_identify,
+    server_ip,
+    server_ip_tags,
+    server_port,
+    server_os_desc,
+    server_geolocation,
+    server_country,
+    server_super_administrative_area,
+    server_administrative_area,
+    server_sub_administrative_area,
+    server_asn,
+    server_fqdn,
+    server_fqdn_tags,
+    server_domain,
+    app_transition,
+    app,
+    app_category,
+    app_debug_info,
+    app_content,
+    app_extra_info,
+    fqdn_category_list,
+    ip_protocol,
+    decoded_path,
+    dns_message_id,
+    dns_qr,
+    dns_opcode,
+    dns_aa,
+    dns_tc,
+    dns_rd,
+    dns_ra,
+    dns_rcode,
+    dns_qdcount,
+    dns_ancount,
+    dns_nscount,
+    dns_arcount,
+    dns_qname,
+    dns_qtype,
+    dns_qclass,
+    dns_cname,
+    dns_sub,
+    dns_rr,
+    dns_response_latency_ms,
+    http_url,
+    http_host,
+    http_request_line,
+    http_response_line,
+    http_request_body,
+    http_response_body,
+    http_proxy_flag,
+    http_sequence,
+    http_cookie,
+    http_referer,
+    http_user_agent,
+    http_request_content_length,
+    http_request_content_type,
+    http_response_content_length,
+    http_response_content_type,
+    http_set_cookie,
+    http_version,
+    http_status_code,
+    http_response_latency_ms,
+    http_session_duration_ms,
+    http_action_file_size,
+    ssl_version,
+    ssl_sni,
+    ssl_san,
+    ssl_cn,
+    ssl_handshake_latency_ms,
+    ssl_ja3_hash,
+    ssl_ja3s_hash,
+    ssl_ja4_fingerprint,
+    ssl_ja4s_fingerprint,
+    ssl_cert_issuer,
+    ssl_cert_subject,
+    ssl_esni_flag,
+    ssl_ech_flag,
+    dtls_cookie,
+    dtls_version,
+    dtls_sni,
+    dtls_san,
+    dtls_cn,
+    dtls_handshake_latency_ms,
+    dtls_ja3_fingerprint,
+    dtls_ja3_hash,
+    dtls_cert_issuer,
+    dtls_cert_subject,
+    mail_protocol_type,
+    mail_account,
+    mail_from_cmd,
+    mail_to_cmd,
+    mail_from,
+    mail_password,
+    mail_to,
+    mail_cc,
+    mail_bcc,
+    mail_subject,
+    mail_subject_charset,
+    mail_attachment_name,
+    mail_attachment_name_charset,
+    mail_starttls_flag,
+    mail_eml_file,
+    ftp_account,
+    ftp_url,
+    ftp_link_type,
+    quic_version,
+    quic_sni,
+    quic_user_agent,
+    rdp_cookie,
+    rdp_security_protocol,
+    rdp_client_channels,
+    rdp_keyboard_layout,
+    rdp_client_version,
+    rdp_client_name,
+    rdp_client_product_id,
+    rdp_desktop_width,
+    rdp_desktop_height,
+    rdp_requested_color_depth,
+    rdp_certificate_type,
+    rdp_certificate_count,
+    rdp_certificate_permanent,
+    rdp_encryption_level,
+    rdp_encryption_method,
+    ssh_version,
+    ssh_auth_success,
+    ssh_client_version,
+    ssh_server_version,
+    ssh_cipher_alg,
+    ssh_mac_alg,
+    ssh_compression_alg,
+    ssh_kex_alg,
+    ssh_host_key_alg,
+    ssh_host_key,
+    ssh_hassh,
+    sip_call_id,
+    sip_originator_description,
+    sip_responder_description,
+    sip_user_agent,
+    sip_server,
+    sip_originator_sdp_connect_ip,
+    sip_originator_sdp_media_port,
+    sip_originator_sdp_media_type,
+    sip_originator_sdp_content,
+    sip_responder_sdp_connect_ip,
+    sip_responder_sdp_media_port,
+    sip_responder_sdp_media_type,
+    sip_responder_sdp_content,
+    sip_duration_s,
+    sip_bye,
+    sip_bye_reason,
+    rtp_payload_type_c2s,
+    rtp_payload_type_s2c,
+    rtp_pcap_path,
+    rtp_originator_dir,
+    stratum_cryptocurrency,
+    stratum_mining_pools,
+    stratum_mining_program,
+    stratum_mining_subscribe,
+    sent_pkts,
+    received_pkts,
+    sent_bytes,
+    received_bytes,
+    tcp_c2s_ip_fragments,
+    tcp_s2c_ip_fragments,
+    tcp_c2s_lost_bytes,
+    tcp_s2c_lost_bytes,
+    tcp_c2s_o3_pkts,
+    tcp_s2c_o3_pkts,
+    tcp_c2s_rtx_pkts,
+    tcp_s2c_rtx_pkts,
+    tcp_c2s_rtx_bytes,
+    tcp_s2c_rtx_bytes,
+    tcp_rtt_ms,
+    tcp_client_isn,
+    tcp_server_isn,
+    packet_capture_file,
+    in_src_mac,
+    out_src_mac,
+    in_dest_mac,
+    out_dest_mac,
+    encapsulation,
+    dup_traffic_flag,
+    tunnel_id_list,
+    tunnel_uuid_list,
+    tunnel_endpoint_a_desc,
+    tunnel_endpoint_b_desc
+FROM tsg_galaxy_v3.session_record_local
+WHERE notEmpty(security_rule_uuid_list)
+;
+
+-- tsg_galaxy_v3.monitor_event_materialized_view
+CREATE MATERIALIZED VIEW IF NOT EXISTS tsg_galaxy_v3.monitor_event_materialized_view on cluster ck_cluster 
+TO tsg_galaxy_v3.monitor_event_local
+(
+    recv_time Int64,
+    log_id UInt64,
+    decoded_as String,
+    session_id UInt64,
+    start_timestamp_ms DateTime64(3),
+    end_timestamp_ms DateTime64(3),
+    duration_ms Int32,
+    tcp_handshake_latency_ms Nullable(Int32),
+    ingestion_time Int64,
+    processing_time Int64,
+    -- insert_time Int64 MATERIALIZED toUnixTimestamp(now()),
+    device_id String,
+    out_link_id Nullable(Int32),
+    in_link_id Nullable(Int32),
+    device_tag String,
+    data_center String,
+    device_group String,
+    sled_ip String,
+    address_type Int32,
+    direction String,
+    vsys_id Int32,
+    t_vsys_id Int32,
+    flags Int64,
+    flags_identify_info String,
+    c2s_ttl Nullable(Int32),
+    s2c_ttl Nullable(Int32),
+    security_rule_list Array(Int64),
+    security_rule_uuid_list Array(String),
+    security_action String,
+    monitor_rule_list Array(Int64),
+    monitor_rule_uuid_list Array(String),
+    shaping_rule_list Array(Int64),
+    shaping_rule_uuid_list Array(String),
+    proxy_rule_list Array(Int64),
+    proxy_rule_uuid_list Array(String),
+    statistics_rule_list Array(Int64),
+    statistics_rule_uuid_list Array(String),
+    sc_rule_list Array(Int64),
+    sc_rule_uuid_list Array(String),
+    sc_rsp_raw Array(Int64),
+    sc_rsp_decrypted Array(Int64),
+    proxy_action String,
+    proxy_pinning_status Nullable(Int32),
+    proxy_intercept_status Nullable(Int32),
+    proxy_passthrough_reason String,
+    proxy_client_side_latency_ms Nullable(Int32),
+    proxy_server_side_latency_ms Nullable(Int32),
+    proxy_client_side_version String,
+    proxy_server_side_version String,
+    proxy_cert_verify Nullable(Int32),
+    proxy_intercept_error String,
+    monitor_mirrored_pkts Nullable(Int32),
+    monitor_mirrored_bytes Nullable(Int32),
+    client_ip String,
+    client_ip_tags Array(String),
+    client_port Int32,
+    client_os_desc String,
+    client_geolocation LowCardinality(String),
+    client_country String,
+    client_super_administrative_area String,
+    client_administrative_area String,
+    client_sub_administrative_area String,
+    client_asn Nullable(Int64),
+    subscriber_id String,
+    subscriber_id_hmac String,
+    imei String,
+    imsi String,
+    phone_number String,
+    phone_number_hmac String,
+    apn String,
+    mobile_identify String,
+    server_ip String,
+    server_ip_tags Array(String),
+    server_port Int32,
+    server_os_desc String,
+    server_geolocation LowCardinality(String),
+    server_country String,
+    server_super_administrative_area String,
+    server_administrative_area String,
+    server_sub_administrative_area String,
+    server_asn Nullable(Int64),
+    server_fqdn String,
+    server_fqdn_tags Array(String),
+    server_domain String,
+    app_transition String, 
+    app LowCardinality(String),
+    app_category String,
+    app_debug_info String,
+    app_content String,
+    app_extra_info String,
+    fqdn_category_list Array(Int64),
+    ip_protocol LowCardinality(String),
+    decoded_path LowCardinality(String),
+    dns_message_id Nullable(Int32),
+    dns_qr Nullable(Int32),
+    dns_opcode Nullable(Int32),
+    dns_aa Nullable(Int32),
+    dns_tc Nullable(Int32),
+    dns_rd Nullable(Int32),
+    dns_ra Nullable(Int32),
+    dns_rcode Nullable(Int32),
+    dns_qdcount Nullable(Int32),
+    dns_ancount Nullable(Int32),
+    dns_nscount Nullable(Int32),
+    dns_arcount Nullable(Int32),
+    dns_qname String,
+    dns_qtype Nullable(Int32),
+    dns_qclass Nullable(Int32),
+    dns_cname String,
+    dns_sub Nullable(Int32),
+    dns_rr String,
+    dns_response_latency_ms Nullable(Int32),
+    http_url String,
+    http_host String,
+    http_request_line String,
+    http_response_line String,
+    http_request_body String,
+    http_response_body String,
+    http_proxy_flag Nullable(Int32),
+    http_sequence Nullable(Int32),
+    http_cookie String,
+    http_referer String,
+    http_user_agent String,
+    http_request_content_length Nullable(Int64),
+    http_request_content_type String,
+    http_response_content_length Nullable(Int64),
+    http_response_content_type String,
+    http_set_cookie String,
+    http_version String,
+    http_status_code Nullable(Int32),
+    http_response_latency_ms Nullable(Int32),
+    http_session_duration_ms Nullable(Int32),
+    http_action_file_size Nullable(Int64),
+    ssl_version String,
+    ssl_sni String,
+    ssl_san String,
+    ssl_cn String,
+    ssl_handshake_latency_ms Nullable(Int32),
+    ssl_ja3_hash String,
+    ssl_ja3s_hash String,
+    ssl_ja4_fingerprint String,
+    ssl_ja4s_fingerprint String,
+    ssl_cert_issuer String,
+    ssl_cert_subject String,
+    ssl_esni_flag Nullable(Int32),
+    ssl_ech_flag Nullable(Int32),
+    dtls_cookie String,
+    dtls_version  String,
+    dtls_sni String,
+    dtls_san String,
+    dtls_cn String,
+    dtls_handshake_latency_ms Nullable(Int32),
+    dtls_ja3_fingerprint String,
+    dtls_ja3_hash String,
+    dtls_cert_issuer String,
+    dtls_cert_subject String,
+    mail_protocol_type String,
+    mail_account String,
+    mail_from_cmd String,
+    mail_to_cmd String,
+    mail_from String,
+    mail_password String,
+    mail_to String,
+    mail_cc String,
+    mail_bcc String,
+    mail_subject String,
+    mail_subject_charset String,
+    mail_attachment_name String,
+    mail_attachment_name_charset String,
+    mail_starttls_flag Nullable(Int32),
+    mail_eml_file String,
+    ftp_account String,
+    ftp_url String,
+    ftp_link_type String,
+    quic_version String,
+    quic_sni String,
+    quic_user_agent String,
+    rdp_cookie String,
+    rdp_security_protocol String,
+    rdp_client_channels String,
+    rdp_keyboard_layout String,
+    rdp_client_version String,
+    rdp_client_name String,
+    rdp_client_product_id String,
+    rdp_desktop_width String,
+    rdp_desktop_height String,
+    rdp_requested_color_depth String,
+    rdp_certificate_type String,
+    rdp_certificate_count Nullable(Int32),
+    rdp_certificate_permanent Nullable(Int32),
+    rdp_encryption_level String,
+    rdp_encryption_method String,
+    ssh_version String,
+    ssh_auth_success String,
+    ssh_client_version String,
+    ssh_server_version String,
+    ssh_cipher_alg String,
+    ssh_mac_alg String,
+    ssh_compression_alg String,
+    ssh_kex_alg String,
+    ssh_host_key_alg String,
+    ssh_host_key String,
+    ssh_hassh String,
+    sip_call_id String,
+    sip_originator_description String,
+    sip_responder_description String,
+    sip_user_agent String,
+    sip_server String,
+    sip_originator_sdp_connect_ip String,
+    sip_originator_sdp_media_port Nullable(Int32),
+    sip_originator_sdp_media_type String,
+    sip_originator_sdp_content String,
+    sip_responder_sdp_connect_ip String,
+    sip_responder_sdp_media_port Nullable(Int32),
+    sip_responder_sdp_media_type String,
+    sip_responder_sdp_content String,
+    sip_duration_s Nullable(Int32),
+    sip_bye String,
+    sip_bye_reason String,
+    rtp_payload_type_c2s Nullable(Int32),
+    rtp_payload_type_s2c Nullable(Int32),
+    rtp_pcap_path String,
+    rtp_originator_dir Nullable(Int32),
+    stratum_cryptocurrency String,
+    stratum_mining_pools String,
+    stratum_mining_program String,
+    stratum_mining_subscribe String,
+    sent_pkts Int64,
+    received_pkts Int64,
+    sent_bytes Int64,
+    received_bytes Int64,
+    tcp_c2s_ip_fragments Nullable(Int64),
+    tcp_s2c_ip_fragments Nullable(Int64),
+    tcp_c2s_lost_bytes Nullable(Int64),
+    tcp_s2c_lost_bytes Nullable(Int64),
+    tcp_c2s_o3_pkts Nullable(Int64),
+    tcp_s2c_o3_pkts Nullable(Int64),
+    tcp_c2s_rtx_pkts Nullable(Int64),
+    tcp_s2c_rtx_pkts Nullable(Int64),
+    tcp_c2s_rtx_bytes Nullable(Int64),
+    tcp_s2c_rtx_bytes Nullable(Int64),
+    tcp_rtt_ms Nullable(Int32),
+    tcp_client_isn Nullable(Int64),
+    tcp_server_isn Nullable(Int64),
+    packet_capture_file String,
+    in_src_mac String,
+    out_src_mac String,
+    in_dest_mac String,
+    out_dest_mac String,
+    encapsulation String,
+    dup_traffic_flag Nullable(Int32),
+    tunnel_id_list Array(Int64),
+    tunnel_uuid_list Array(String),
+    tunnel_endpoint_a_desc String,
+    tunnel_endpoint_b_desc String
+) 
+AS
+SELECT
+    recv_time,
+    log_id,
+    decoded_as,
+    session_id,
+    start_timestamp_ms,
+    end_timestamp_ms,
+    duration_ms,
+    tcp_handshake_latency_ms,
+    ingestion_time,
+    processing_time,
+    -- insert_time,
+    device_id,
+    out_link_id,
+    in_link_id,
+    device_tag,
+    data_center,
+    device_group,
+    sled_ip,
+    address_type,
+    direction,
+    vsys_id,
+    t_vsys_id,
+    flags,
+    flags_identify_info,
+    c2s_ttl,
+    s2c_ttl,
+    security_rule_list,
+    security_rule_uuid_list,
+    security_action,
+    monitor_rule_list,
+    monitor_rule_uuid_list,
+    shaping_rule_list,
+    shaping_rule_uuid_list,
+    proxy_rule_list,
+    proxy_rule_uuid_list,
+    statistics_rule_list,
+    statistics_rule_uuid_list,
+    sc_rule_list,
+    sc_rule_uuid_list,
+    sc_rsp_raw,
+    sc_rsp_decrypted,
+    proxy_action,
+    proxy_pinning_status,
+    proxy_intercept_status,
+    proxy_passthrough_reason,
+    proxy_client_side_latency_ms,
+    proxy_server_side_latency_ms,
+    proxy_client_side_version,
+    proxy_server_side_version,
+    proxy_cert_verify,
+    proxy_intercept_error,
+    monitor_mirrored_pkts,
+    monitor_mirrored_bytes,
+    client_ip,
+    client_ip_tags,
+    client_port,
+    client_os_desc,
+    client_geolocation,
+    client_country,
+    client_super_administrative_area,
+    client_administrative_area,
+    client_sub_administrative_area,
+    client_asn,
+    subscriber_id,
+    subscriber_id_hmac,
+    imei,
+    imsi,
+    phone_number,
+    phone_number_hmac,
+    apn,
+    mobile_identify,
+    server_ip,
+    server_ip_tags,
+    server_port,
+    server_os_desc,
+    server_geolocation,
+    server_country,
+    server_super_administrative_area,
+    server_administrative_area,
+    server_sub_administrative_area,
+    server_asn,
+    server_fqdn,
+    server_fqdn_tags,
+    server_domain,
+    app_transition,
+    app,
+    app_category,
+    app_debug_info,
+    app_content,
+    app_extra_info,
+    fqdn_category_list,
+    ip_protocol,
+    decoded_path,
+    dns_message_id,
+    dns_qr,
+    dns_opcode,
+    dns_aa,
+    dns_tc,
+    dns_rd,
+    dns_ra,
+    dns_rcode,
+    dns_qdcount,
+    dns_ancount,
+    dns_nscount,
+    dns_arcount,
+    dns_qname,
+    dns_qtype,
+    dns_qclass,
+    dns_cname,
+    dns_sub,
+    dns_rr,
+    dns_response_latency_ms,
+    http_url,
+    http_host,
+    http_request_line,
+    http_response_line,
+    http_request_body,
+    http_response_body,
+    http_proxy_flag,
+    http_sequence,
+    http_cookie,
+    http_referer,
+    http_user_agent,
+    http_request_content_length,
+    http_request_content_type,
+    http_response_content_length,
+    http_response_content_type,
+    http_set_cookie,
+    http_version,
+    http_status_code,
+    http_response_latency_ms,
+    http_session_duration_ms,
+    http_action_file_size,
+    ssl_version,
+    ssl_sni,
+    ssl_san,
+    ssl_cn,
+    ssl_handshake_latency_ms,
+    ssl_ja3_hash,
+    ssl_ja3s_hash,
+    ssl_ja4_fingerprint,
+    ssl_ja4s_fingerprint,
+    ssl_cert_issuer,
+    ssl_cert_subject,
+    ssl_esni_flag,
+    ssl_ech_flag,
+    dtls_cookie,
+    dtls_version,
+    dtls_sni,
+    dtls_san,
+    dtls_cn,
+    dtls_handshake_latency_ms,
+    dtls_ja3_fingerprint,
+    dtls_ja3_hash,
+    dtls_cert_issuer,
+    dtls_cert_subject,
+    mail_protocol_type,
+    mail_account,
+    mail_from_cmd,
+    mail_to_cmd,
+    mail_from,
+    mail_password,
+    mail_to,
+    mail_cc,
+    mail_bcc,
+    mail_subject,
+    mail_subject_charset,
+    mail_attachment_name,
+    mail_attachment_name_charset,
+    mail_starttls_flag,
+    mail_eml_file,
+    ftp_account,
+    ftp_url,
+    ftp_link_type,
+    quic_version,
+    quic_sni,
+    quic_user_agent,
+    rdp_cookie,
+    rdp_security_protocol,
+    rdp_client_channels,
+    rdp_keyboard_layout,
+    rdp_client_version,
+    rdp_client_name,
+    rdp_client_product_id,
+    rdp_desktop_width,
+    rdp_desktop_height,
+    rdp_requested_color_depth,
+    rdp_certificate_type,
+    rdp_certificate_count,
+    rdp_certificate_permanent,
+    rdp_encryption_level,
+    rdp_encryption_method,
+    ssh_version,
+    ssh_auth_success,
+    ssh_client_version,
+    ssh_server_version,
+    ssh_cipher_alg,
+    ssh_mac_alg,
+    ssh_compression_alg,
+    ssh_kex_alg,
+    ssh_host_key_alg,
+    ssh_host_key,
+    ssh_hassh,
+    sip_call_id,
+    sip_originator_description,
+    sip_responder_description,
+    sip_user_agent,
+    sip_server,
+    sip_originator_sdp_connect_ip,
+    sip_originator_sdp_media_port,
+    sip_originator_sdp_media_type,
+    sip_originator_sdp_content,
+    sip_responder_sdp_connect_ip,
+    sip_responder_sdp_media_port,
+    sip_responder_sdp_media_type,
+    sip_responder_sdp_content,
+    sip_duration_s,
+    sip_bye,
+    sip_bye_reason,
+    rtp_payload_type_c2s,
+    rtp_payload_type_s2c,
+    rtp_pcap_path,
+    rtp_originator_dir,
+    stratum_cryptocurrency,
+    stratum_mining_pools,
+    stratum_mining_program,
+    stratum_mining_subscribe,
+    sent_pkts,
+    received_pkts,
+    sent_bytes,
+    received_bytes,
+    tcp_c2s_ip_fragments,
+    tcp_s2c_ip_fragments,
+    tcp_c2s_lost_bytes,
+    tcp_s2c_lost_bytes,
+    tcp_c2s_o3_pkts,
+    tcp_s2c_o3_pkts,
+    tcp_c2s_rtx_pkts,
+    tcp_s2c_rtx_pkts,
+    tcp_c2s_rtx_bytes,
+    tcp_s2c_rtx_bytes,
+    tcp_rtt_ms,
+    tcp_client_isn,
+    tcp_server_isn,
+    packet_capture_file,
+    in_src_mac,
+    out_src_mac,
+    in_dest_mac,
+    out_dest_mac,
+    encapsulation,
+    dup_traffic_flag,
+    tunnel_id_list,
+    tunnel_uuid_list,
+    tunnel_endpoint_a_desc,
+    tunnel_endpoint_b_desc
+FROM tsg_galaxy_v3.session_record_local
+WHERE notEmpty(monitor_rule_uuid_list)
+;
+
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.datapath_telemetry_record_local on cluster ck_cluster (
+    log_id UInt64,
+    recv_time Int64,
+    vsys_id Int32,
+    timestamp_us UInt64,
+    egress_action Int32,
+    job_id String,
+    sled_ip String,
+    device_group String,
+    traffic_link_id Int32,
+    source_ip String,
+    source_port Nullable(Int32),
+    destination_ip String,
+    destination_port Nullable(Int32),
+    packet String,
+    packet_length Int32,
+    measurements String
+)
+ENGINE = MergeTree
+PARTITION BY toYYYYMMDD(toDate(recv_time))
+ORDER BY (vsys_id,job_id,recv_time,timestamp_us);
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.datapath_telemetry_record on cluster ck_cluster (
+    log_id UInt64,
+    recv_time Int64,
+    vsys_id Int32,
+    timestamp_us UInt64,
+    egress_action Int32,
+    job_id String,
+    sled_ip String,
+    device_group String,
+    traffic_link_id Int32,
+    source_ip String,
+    source_port Nullable(Int32),
+    destination_ip String,
+    destination_port Nullable(Int32),
+    packet String,
+    packet_length Int32,
+    measurements String
+)
+ENGINE = Distributed('ck_cluster',
+ 'tsg_galaxy_v3',
+ 'datapath_telemetry_record_local',
+ rand());
+
+CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.traffic_sketch_metric_local on cluster ck_cluster
+(
+    log_id UInt64,
+    recv_time Int64,
+    vsys_id Int64,
+    device_id String,
+    device_group String,
+    data_center String,
+    direction String,
+    ip_protocol String,
+    client_ip String,
+    server_ip String,
+    internal_ip String,
+    external_ip String,
+    client_country String,
+    server_country String,
+    client_asn Nullable(Int64),
+    server_asn Nullable(Int64),
+    server_fqdn String,
+    server_domain String,
+    app String,
+    app_category String,
+    c2s_ttl Nullable(Int32),
+    s2c_ttl Nullable(Int32),
+    c2s_link_id Nullable(Int32),
+    s2c_link_id Nullable(Int32),
+    sessions Int64,
+    bytes Int64,
+    sent_bytes Int64,
+    received_bytes Int64,
+    pkts Int64,
+    sent_pkts Int64,
+    received_pkts Int64,
+    asymmetric_c2s_flows Int64,
+    asymmetric_s2c_flows Int64,
+    c2s_fragments Int64,
+    s2c_fragments Int64,
+    c2s_tcp_lost_bytes Int64,
+    s2c_tcp_lost_bytes Int64,
+    c2s_tcp_retransmitted_pkts Int64,
+    s2c_tcp_retransmitted_pkts Int64
+)
+ENGINE = MergeTree
+PARTITION BY toYYYYMMDD(toDate(recv_time))
+ORDER BY (vsys_id,
+ direction,
+ ip_protocol,
+ app,
+ client_ip,
+ recv_time);
+ 
+ CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.traffic_sketch_metric on cluster ck_cluster
+(
+    log_id UInt64,
+    recv_time Int64,
+    vsys_id Int64,
+    device_id String,
+    device_group String,
+    data_center String,
+    direction String,
+    ip_protocol String,
+    client_ip String,
+    server_ip String,
+    internal_ip String,
+    external_ip String,
+    client_country String,
+    server_country String,
+    client_asn Nullable(Int64),
+    server_asn Nullable(Int64),
+    server_fqdn String,
+    server_domain String,
+    app String,
+    app_category String,
+    c2s_ttl Nullable(Int32),
+    s2c_ttl Nullable(Int32),
+    c2s_link_id Nullable(Int32),
+    s2c_link_id Nullable(Int32),
+    sessions Int64,
+    bytes Int64,
+    sent_bytes Int64,
+    received_bytes Int64,
+    pkts Int64,
+    sent_pkts Int64,
+    received_pkts Int64,
+    asymmetric_c2s_flows Int64,
+    asymmetric_s2c_flows Int64,
+    c2s_fragments Int64,
+    s2c_fragments Int64,
+    c2s_tcp_lost_bytes Int64,
+    s2c_tcp_lost_bytes Int64,
+    c2s_tcp_retransmitted_pkts Int64,
+    s2c_tcp_retransmitted_pkts Int64
+)
+ENGINE = Distributed('ck_cluster',
+ 'tsg_galaxy_v3',
+ 'traffic_sketch_metric_local',
+ rand());
\ No newline at end of file
diff --git a/tsg_olap/upgrade/TSG-24.11/clickhouse/tsg_olap_clickhouse_ddl_check_24.11.sql b/tsg_olap/upgrade/TSG-24.11/clickhouse/tsg_olap_clickhouse_ddl_check_24.11.sql
new file mode 100644
index 0000000..577dffc
--- /dev/null
+++ b/tsg_olap/upgrade/TSG-24.11/clickhouse/tsg_olap_clickhouse_ddl_check_24.11.sql
@@ -0,0 +1,23 @@
+SELECT log_id, recv_time, vsys_id, assessment_date, lot_number, file_name, assessment_file, assessment_type, features, `size`, file_checksum_sha
+FROM tsg_galaxy_v3.assessment_event where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
+SELECT vsys_id, recv_time, log_id, rule_id, rule_uuid, start_time, end_time, attack_type, severity, conditions, destination_ip, destination_country, source_ip, source_country, sessions, session_rate, packets, packet_rate, bytes, bit_rate
+FROM tsg_galaxy_v3.dos_event where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
+SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, direction, vsys_id, t_vsys_id, flags, flags_identify_info, c2s_ttl, s2c_ttl, security_rule_list, security_rule_uuid_list, security_action, monitor_rule_list, monitor_rule_uuid_list, shaping_rule_list, shaping_rule_uuid_list, proxy_rule_list, proxy_rule_uuid_list, statistics_rule_list, statistics_rule_uuid_list, sc_rule_list, sc_rule_uuid_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_ip_tags, client_port, client_os_desc, client_geolocation, client_country, client_super_administrative_area, client_administrative_area, client_sub_administrative_area, client_asn, subscriber_id, subscriber_id_hmac, imei, imsi, phone_number, phone_number_hmac, apn, mobile_identify, server_ip, server_ip_tags, server_port, server_os_desc, server_geolocation, server_country, server_super_administrative_area, server_administrative_area, server_sub_administrative_area, server_asn, server_fqdn, server_fqdn_tags, server_domain, app_transition, app, app_category, app_debug_info, app_content, app_extra_info, fqdn_category_list, ip_protocol, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_ja4_fingerprint, ssl_ja4s_fingerprint, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_starttls_flag, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, sip_bye_reason, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, encapsulation, dup_traffic_flag, tunnel_id_list, tunnel_uuid_list, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc
+FROM tsg_galaxy_v3.monitor_event where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
+SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, direction, vsys_id, t_vsys_id, flags, flags_identify_info, c2s_ttl, s2c_ttl, security_rule_list, security_rule_uuid_list, security_action, monitor_rule_list, monitor_rule_uuid_list, shaping_rule_list, shaping_rule_uuid_list, proxy_rule_list, proxy_rule_uuid_list, statistics_rule_list, statistics_rule_uuid_list, sc_rule_list, sc_rule_uuid_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_ip_tags, client_port, client_os_desc, client_geolocation, client_country, client_super_administrative_area, client_administrative_area, client_sub_administrative_area, client_asn, subscriber_id, subscriber_id_hmac, imei, imsi, phone_number, phone_number_hmac, apn, mobile_identify, server_ip, server_ip_tags, server_port, server_os_desc, server_geolocation, server_country, server_super_administrative_area, server_administrative_area, server_sub_administrative_area, server_asn, server_fqdn, server_fqdn_tags, server_domain, app_transition, app, app_category, app_debug_info, app_content, app_extra_info, fqdn_category_list, ip_protocol, decoded_path, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, doh_url, doh_host, doh_request_line, doh_response_line, doh_cookie, doh_referer, doh_user_agent, doh_content_length, doh_content_type, doh_set_cookie, doh_version, doh_message_id, doh_qr, doh_opcode, doh_aa, doh_tc, doh_rd, doh_ra, doh_rcode, doh_qdcount, doh_ancount, doh_nscount, doh_arcount, doh_qname, doh_qtype, doh_qclass, doh_cname, doh_sub, doh_rr, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, encapsulation, dup_traffic_flag, tunnel_id_list, tunnel_uuid_list, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc
+FROM tsg_galaxy_v3.proxy_event where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
+SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, direction, vsys_id, t_vsys_id, flags, flags_identify_info, c2s_ttl, s2c_ttl, security_rule_list, security_rule_uuid_list, security_action, monitor_rule_list, monitor_rule_uuid_list, shaping_rule_list, shaping_rule_uuid_list, proxy_rule_list, proxy_rule_uuid_list, statistics_rule_list, statistics_rule_uuid_list, sc_rule_list, sc_rule_uuid_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_ip_tags, client_port, client_os_desc, client_geolocation, client_country, client_super_administrative_area, client_administrative_area, client_sub_administrative_area, client_asn, subscriber_id, subscriber_id_hmac, imei, imsi, phone_number, phone_number_hmac, apn, mobile_identify, server_ip, server_ip_tags, server_port, server_os_desc, server_geolocation, server_country, server_super_administrative_area, server_administrative_area, server_sub_administrative_area, server_asn, server_fqdn, server_fqdn_tags, server_domain, app_transition, app, app_category, app_debug_info, app_content, app_extra_info, fqdn_category_list, ip_protocol, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_ja4_fingerprint, ssl_ja4s_fingerprint, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_starttls_flag, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, sip_bye_reason, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, encapsulation, dup_traffic_flag, tunnel_id_list, tunnel_uuid_list, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc
+FROM tsg_galaxy_v3.security_event where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
+SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, direction, vsys_id, t_vsys_id, flags, flags_identify_info, c2s_ttl, s2c_ttl, security_rule_list, security_rule_uuid_list, security_action, monitor_rule_list, monitor_rule_uuid_list, shaping_rule_list, shaping_rule_uuid_list, proxy_rule_list, proxy_rule_uuid_list, statistics_rule_list, statistics_rule_uuid_list, sc_rule_list, sc_rule_uuid_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_ip_tags, client_port, client_os_desc, client_geolocation, client_country, client_super_administrative_area, client_administrative_area, client_sub_administrative_area, client_asn, subscriber_id, subscriber_id_hmac, imei, imsi, phone_number, phone_number_hmac, apn, mobile_identify, server_ip, server_ip_tags, server_port, server_os_desc, server_geolocation, server_country, server_super_administrative_area, server_administrative_area, server_sub_administrative_area, server_asn, server_fqdn, server_fqdn_tags, server_domain, app_transition, app, app_category, app_debug_info, app_content, app_extra_info, fqdn_category_list, ip_protocol, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_ja4_fingerprint, ssl_ja4s_fingerprint, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_starttls_flag, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, sip_bye_reason, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, encapsulation, dup_traffic_flag, tunnel_id_list, tunnel_uuid_list, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc
+FROM tsg_galaxy_v3.session_record where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
+SELECT recv_time, log_id, decoded_as, session_id, ingestion_time, processing_time, insert_time, address_type, vsys_id, client_ip, client_port, server_ip, server_port, sent_pkts, received_pkts, sent_bytes, received_bytes, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_starttls_flag, mail_eml_file, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, sip_bye_reason
+FROM tsg_galaxy_v3.transaction_record where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
+SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, direction, vsys_id, t_vsys_id, flags, flags_identify_info, client_ip, client_port, client_os_desc, client_geolocation, client_country, client_super_administrative_area, client_administrative_area, client_sub_administrative_area, client_asn, server_ip, server_port, server_os_desc, server_geolocation, server_country, server_super_administrative_area, server_administrative_area, server_sub_administrative_area, server_asn, ip_protocol, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, sip_bye_reason, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, sent_pkts, received_pkts, sent_bytes, received_bytes
+FROM tsg_galaxy_v3.voip_record where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
+SELECT log_id, recv_time, vsys_id, timestamp_us, egress_action, job_id, sled_ip, device_group, traffic_link_id, source_ip, source_port, destination_ip, destination_port, packet, packet_length, measurements
+FROM tsg_galaxy_v3.datapath_telemetry_record where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
+SELECT log_id, recv_time, vsys_id, device_id, device_group, data_center, direction, ip_protocol, client_ip, server_ip, internal_ip, external_ip, client_country, server_country, client_asn, server_asn, server_fqdn, server_domain, app, app_category, c2s_ttl, s2c_ttl, c2s_link_id, s2c_link_id, sessions, bytes, sent_bytes, received_bytes, pkts, sent_pkts, received_pkts, asymmetric_c2s_flows, asymmetric_s2c_flows, c2s_fragments, s2c_fragments, c2s_tcp_lost_bytes, s2c_tcp_lost_bytes, c2s_tcp_retransmitted_pkts, s2c_tcp_retransmitted_pkts
+FROM tsg_galaxy_v3.traffic_sketch_metric where recv_time >= toUnixTimestamp('2030-01-01 00:00:00') AND recv_time <toUnixTimestamp('2030-01-01 00:00:01');
+
+
+    
\ No newline at end of file
diff --git a/tsg_olap/upgrade/TSG-24.11/clickhouse/tsg_olap_clickhouse_ddl_upgrade_24.11.sql b/tsg_olap/upgrade/TSG-24.11/clickhouse/tsg_olap_clickhouse_ddl_upgrade_24.11.sql
new file mode 100644
index 0000000..37037b6
--- /dev/null
+++ b/tsg_olap/upgrade/TSG-24.11/clickhouse/tsg_olap_clickhouse_ddl_upgrade_24.11.sql
@@ -0,0 +1,1073 @@
+drop view if exists tsg_galaxy_v3.security_event_materialized_view on cluster ck_cluster;
+drop view if exists tsg_galaxy_v3.monitor_event_materialized_view on cluster ck_cluster;
+
+
+-- TSG-23367 Clickhouse新增公共字段subscriber_id_hmac, phone_number_hmac
+
+ALTER table tsg_galaxy_v3.session_record_local on cluster ck_cluster add column IF NOT EXISTS subscriber_id_hmac String after subscriber_id;
+ALTER table tsg_galaxy_v3.session_record on cluster ck_cluster add column IF NOT EXISTS subscriber_id_hmac String after subscriber_id;
+
+ALTER table tsg_galaxy_v3.security_event_local on cluster ck_cluster add column IF NOT EXISTS subscriber_id_hmac String after subscriber_id;
+ALTER table tsg_galaxy_v3.security_event on cluster ck_cluster add column IF NOT EXISTS subscriber_id_hmac String after subscriber_id;
+
+ALTER table tsg_galaxy_v3.monitor_event_local on cluster ck_cluster add column IF NOT EXISTS subscriber_id_hmac String after subscriber_id;
+ALTER table tsg_galaxy_v3.monitor_event on cluster ck_cluster add column IF NOT EXISTS subscriber_id_hmac String after subscriber_id;
+
+ALTER table tsg_galaxy_v3.proxy_event_local on cluster ck_cluster add column IF NOT EXISTS subscriber_id_hmac String after subscriber_id;
+ALTER table tsg_galaxy_v3.proxy_event on cluster ck_cluster add column IF NOT EXISTS subscriber_id_hmac String after subscriber_id;
+
+
+ALTER table tsg_galaxy_v3.session_record_local on cluster ck_cluster add column IF NOT EXISTS phone_number_hmac String after phone_number;
+ALTER table tsg_galaxy_v3.session_record on cluster ck_cluster add column IF NOT EXISTS phone_number_hmac String after phone_number;
+
+ALTER table tsg_galaxy_v3.security_event_local on cluster ck_cluster add column IF NOT EXISTS phone_number_hmac String after phone_number;
+ALTER table tsg_galaxy_v3.security_event on cluster ck_cluster add column IF NOT EXISTS phone_number_hmac String after phone_number;
+
+ALTER table tsg_galaxy_v3.monitor_event_local on cluster ck_cluster add column IF NOT EXISTS phone_number_hmac String after phone_number;
+ALTER table tsg_galaxy_v3.monitor_event on cluster ck_cluster add column IF NOT EXISTS phone_number_hmac String after phone_number;
+
+ALTER table tsg_galaxy_v3.proxy_event_local on cluster ck_cluster add column IF NOT EXISTS phone_number_hmac String after phone_number;
+ALTER table tsg_galaxy_v3.proxy_event on cluster ck_cluster add column IF NOT EXISTS phone_number_hmac String after phone_number;
+
+
+-- tsg_galaxy_v3.security_event_materialized_view
+CREATE MATERIALIZED VIEW IF NOT EXISTS tsg_galaxy_v3.security_event_materialized_view on cluster ck_cluster 
+TO tsg_galaxy_v3.security_event_local
+(
+    recv_time Int64,
+    log_id UInt64,
+    decoded_as String,
+    session_id UInt64,
+    start_timestamp_ms DateTime64(3),
+    end_timestamp_ms DateTime64(3),
+    duration_ms Int32,
+    tcp_handshake_latency_ms Nullable(Int32),
+    ingestion_time Int64,
+    processing_time Int64,
+    -- insert_time Int64 MATERIALIZED toUnixTimestamp(now()),
+    device_id String,
+    out_link_id Nullable(Int32),
+    in_link_id Nullable(Int32),
+    device_tag String,
+    data_center String,
+    device_group String,
+    sled_ip String,
+    address_type Int32,
+    direction String,
+    vsys_id Int32,
+    t_vsys_id Int32,
+    flags Int64,
+    flags_identify_info String,
+    c2s_ttl Nullable(Int32),
+    s2c_ttl Nullable(Int32),
+    security_rule_list Array(Int64),
+    security_rule_uuid_list Array(String),
+    security_action String,
+    monitor_rule_list Array(Int64),
+    monitor_rule_uuid_list Array(String),
+    shaping_rule_list Array(Int64),
+    shaping_rule_uuid_list Array(String),
+    proxy_rule_list Array(Int64),
+    proxy_rule_uuid_list Array(String),
+    statistics_rule_list Array(Int64),
+    statistics_rule_uuid_list Array(String),
+    sc_rule_list Array(Int64),
+    sc_rule_uuid_list Array(String),
+    sc_rsp_raw Array(Int64),
+    sc_rsp_decrypted Array(Int64),
+    proxy_action String,
+    proxy_pinning_status Nullable(Int32),
+    proxy_intercept_status Nullable(Int32),
+    proxy_passthrough_reason String,
+    proxy_client_side_latency_ms Nullable(Int32),
+    proxy_server_side_latency_ms Nullable(Int32),
+    proxy_client_side_version String,
+    proxy_server_side_version String,
+    proxy_cert_verify Nullable(Int32),
+    proxy_intercept_error String,
+    monitor_mirrored_pkts Nullable(Int32),
+    monitor_mirrored_bytes Nullable(Int32),
+    client_ip String,
+    client_ip_tags Array(String),
+    client_port Int32,
+    client_os_desc String,
+    client_geolocation LowCardinality(String),
+    client_country String,
+    client_super_administrative_area String,
+    client_administrative_area String,
+    client_sub_administrative_area String,
+    client_asn Nullable(Int64),
+    subscriber_id String,
+    subscriber_id_hmac String,
+    imei String,
+    imsi String,
+    phone_number String,
+    phone_number_hmac String,
+    apn String,
+    mobile_identify String,
+    server_ip String,
+    server_ip_tags Array(String),
+    server_port Int32,
+    server_os_desc String,
+    server_geolocation LowCardinality(String),
+    server_country String,
+    server_super_administrative_area String,
+    server_administrative_area String,
+    server_sub_administrative_area String,
+    server_asn Nullable(Int64),
+    server_fqdn String,
+    server_fqdn_tags Array(String),
+    server_domain String,
+    app_transition String, 
+    app LowCardinality(String),
+    app_category String,
+    app_debug_info String,
+    app_content String,
+    app_extra_info String,
+    fqdn_category_list Array(Int64),
+    ip_protocol LowCardinality(String),
+    decoded_path LowCardinality(String),
+    dns_message_id Nullable(Int32),
+    dns_qr Nullable(Int32),
+    dns_opcode Nullable(Int32),
+    dns_aa Nullable(Int32),
+    dns_tc Nullable(Int32),
+    dns_rd Nullable(Int32),
+    dns_ra Nullable(Int32),
+    dns_rcode Nullable(Int32),
+    dns_qdcount Nullable(Int32),
+    dns_ancount Nullable(Int32),
+    dns_nscount Nullable(Int32),
+    dns_arcount Nullable(Int32),
+    dns_qname String,
+    dns_qtype Nullable(Int32),
+    dns_qclass Nullable(Int32),
+    dns_cname String,
+    dns_sub Nullable(Int32),
+    dns_rr String,
+    dns_response_latency_ms Nullable(Int32),
+    http_url String,
+    http_host String,
+    http_request_line String,
+    http_response_line String,
+    http_request_body String,
+    http_response_body String,
+    http_proxy_flag Nullable(Int32),
+    http_sequence Nullable(Int32),
+    http_cookie String,
+    http_referer String,
+    http_user_agent String,
+    http_request_content_length Nullable(Int64),
+    http_request_content_type String,
+    http_response_content_length Nullable(Int64),
+    http_response_content_type String,
+    http_set_cookie String,
+    http_version String,
+    http_status_code Nullable(Int32),
+    http_response_latency_ms Nullable(Int32),
+    http_session_duration_ms Nullable(Int32),
+    http_action_file_size Nullable(Int64),
+    ssl_version String,
+    ssl_sni String,
+    ssl_san String,
+    ssl_cn String,
+    ssl_handshake_latency_ms Nullable(Int32),
+    ssl_ja3_hash String,
+    ssl_ja3s_hash String,
+    ssl_ja4_fingerprint String,
+    ssl_ja4s_fingerprint String,
+    ssl_cert_issuer String,
+    ssl_cert_subject String,
+    ssl_esni_flag Nullable(Int32),
+    ssl_ech_flag Nullable(Int32),
+    dtls_cookie String,
+    dtls_version  String,
+    dtls_sni String,
+    dtls_san String,
+    dtls_cn String,
+    dtls_handshake_latency_ms Nullable(Int32),
+    dtls_ja3_fingerprint String,
+    dtls_ja3_hash String,
+    dtls_cert_issuer String,
+    dtls_cert_subject String,
+    mail_protocol_type String,
+    mail_account String,
+    mail_from_cmd String,
+    mail_to_cmd String,
+    mail_from String,
+    mail_password String,
+    mail_to String,
+    mail_cc String,
+    mail_bcc String,
+    mail_subject String,
+    mail_subject_charset String,
+    mail_attachment_name String,
+    mail_attachment_name_charset String,
+    mail_starttls_flag Nullable(Int32),
+    mail_eml_file String,
+    ftp_account String,
+    ftp_url String,
+    ftp_link_type String,
+    quic_version String,
+    quic_sni String,
+    quic_user_agent String,
+    rdp_cookie String,
+    rdp_security_protocol String,
+    rdp_client_channels String,
+    rdp_keyboard_layout String,
+    rdp_client_version String,
+    rdp_client_name String,
+    rdp_client_product_id String,
+    rdp_desktop_width String,
+    rdp_desktop_height String,
+    rdp_requested_color_depth String,
+    rdp_certificate_type String,
+    rdp_certificate_count Nullable(Int32),
+    rdp_certificate_permanent Nullable(Int32),
+    rdp_encryption_level String,
+    rdp_encryption_method String,
+    ssh_version String,
+    ssh_auth_success String,
+    ssh_client_version String,
+    ssh_server_version String,
+    ssh_cipher_alg String,
+    ssh_mac_alg String,
+    ssh_compression_alg String,
+    ssh_kex_alg String,
+    ssh_host_key_alg String,
+    ssh_host_key String,
+    ssh_hassh String,
+    sip_call_id String,
+    sip_originator_description String,
+    sip_responder_description String,
+    sip_user_agent String,
+    sip_server String,
+    sip_originator_sdp_connect_ip String,
+    sip_originator_sdp_media_port Nullable(Int32),
+    sip_originator_sdp_media_type String,
+    sip_originator_sdp_content String,
+    sip_responder_sdp_connect_ip String,
+    sip_responder_sdp_media_port Nullable(Int32),
+    sip_responder_sdp_media_type String,
+    sip_responder_sdp_content String,
+    sip_duration_s Nullable(Int32),
+    sip_bye String,
+    sip_bye_reason String,
+    rtp_payload_type_c2s Nullable(Int32),
+    rtp_payload_type_s2c Nullable(Int32),
+    rtp_pcap_path String,
+    rtp_originator_dir Nullable(Int32),
+    stratum_cryptocurrency String,
+    stratum_mining_pools String,
+    stratum_mining_program String,
+    stratum_mining_subscribe String,
+    sent_pkts Int64,
+    received_pkts Int64,
+    sent_bytes Int64,
+    received_bytes Int64,
+    tcp_c2s_ip_fragments Nullable(Int64),
+    tcp_s2c_ip_fragments Nullable(Int64),
+    tcp_c2s_lost_bytes Nullable(Int64),
+    tcp_s2c_lost_bytes Nullable(Int64),
+    tcp_c2s_o3_pkts Nullable(Int64),
+    tcp_s2c_o3_pkts Nullable(Int64),
+    tcp_c2s_rtx_pkts Nullable(Int64),
+    tcp_s2c_rtx_pkts Nullable(Int64),
+    tcp_c2s_rtx_bytes Nullable(Int64),
+    tcp_s2c_rtx_bytes Nullable(Int64),
+    tcp_rtt_ms Nullable(Int32),
+    tcp_client_isn Nullable(Int64),
+    tcp_server_isn Nullable(Int64),
+    packet_capture_file String,
+    in_src_mac String,
+    out_src_mac String,
+    in_dest_mac String,
+    out_dest_mac String,
+    encapsulation String,
+    dup_traffic_flag Nullable(Int32),
+    tunnel_id_list Array(Int64),
+    tunnel_uuid_list Array(String),
+    tunnel_endpoint_a_desc String,
+    tunnel_endpoint_b_desc String
+) 
+AS
+SELECT
+    recv_time,
+    log_id,
+    decoded_as,
+    session_id,
+    start_timestamp_ms,
+    end_timestamp_ms,
+    duration_ms,
+    tcp_handshake_latency_ms,
+    ingestion_time,
+    processing_time,
+    -- insert_time,
+    device_id,
+    out_link_id,
+    in_link_id,
+    device_tag,
+    data_center,
+    device_group,
+    sled_ip,
+    address_type,
+    direction,
+    vsys_id,
+    t_vsys_id,
+    flags,
+    flags_identify_info,
+    c2s_ttl,
+    s2c_ttl,
+    security_rule_list,
+    security_rule_uuid_list,
+    security_action,
+    monitor_rule_list,
+    monitor_rule_uuid_list,
+    shaping_rule_list,
+    shaping_rule_uuid_list,
+    proxy_rule_list,
+    proxy_rule_uuid_list,
+    statistics_rule_list,
+    statistics_rule_uuid_list,
+    sc_rule_list,
+    sc_rule_uuid_list,
+    sc_rsp_raw,
+    sc_rsp_decrypted,
+    proxy_action,
+    proxy_pinning_status,
+    proxy_intercept_status,
+    proxy_passthrough_reason,
+    proxy_client_side_latency_ms,
+    proxy_server_side_latency_ms,
+    proxy_client_side_version,
+    proxy_server_side_version,
+    proxy_cert_verify,
+    proxy_intercept_error,
+    monitor_mirrored_pkts,
+    monitor_mirrored_bytes,
+    client_ip,
+    client_ip_tags,
+    client_port,
+    client_os_desc,
+    client_geolocation,
+    client_country,
+    client_super_administrative_area,
+    client_administrative_area,
+    client_sub_administrative_area,
+    client_asn,
+    subscriber_id,
+    subscriber_id_hmac,
+    imei,
+    imsi,
+    phone_number,
+    phone_number_hmac,
+    apn,
+    mobile_identify,
+    server_ip,
+    server_ip_tags,
+    server_port,
+    server_os_desc,
+    server_geolocation,
+    server_country,
+    server_super_administrative_area,
+    server_administrative_area,
+    server_sub_administrative_area,
+    server_asn,
+    server_fqdn,
+    server_fqdn_tags,
+    server_domain,
+    app_transition,
+    app,
+    app_category,
+    app_debug_info,
+    app_content,
+    app_extra_info,
+    fqdn_category_list,
+    ip_protocol,
+    decoded_path,
+    dns_message_id,
+    dns_qr,
+    dns_opcode,
+    dns_aa,
+    dns_tc,
+    dns_rd,
+    dns_ra,
+    dns_rcode,
+    dns_qdcount,
+    dns_ancount,
+    dns_nscount,
+    dns_arcount,
+    dns_qname,
+    dns_qtype,
+    dns_qclass,
+    dns_cname,
+    dns_sub,
+    dns_rr,
+    dns_response_latency_ms,
+    http_url,
+    http_host,
+    http_request_line,
+    http_response_line,
+    http_request_body,
+    http_response_body,
+    http_proxy_flag,
+    http_sequence,
+    http_cookie,
+    http_referer,
+    http_user_agent,
+    http_request_content_length,
+    http_request_content_type,
+    http_response_content_length,
+    http_response_content_type,
+    http_set_cookie,
+    http_version,
+    http_status_code,
+    http_response_latency_ms,
+    http_session_duration_ms,
+    http_action_file_size,
+    ssl_version,
+    ssl_sni,
+    ssl_san,
+    ssl_cn,
+    ssl_handshake_latency_ms,
+    ssl_ja3_hash,
+    ssl_ja3s_hash,
+    ssl_ja4_fingerprint,
+    ssl_ja4s_fingerprint,
+    ssl_cert_issuer,
+    ssl_cert_subject,
+    ssl_esni_flag,
+    ssl_ech_flag,
+    dtls_cookie,
+    dtls_version,
+    dtls_sni,
+    dtls_san,
+    dtls_cn,
+    dtls_handshake_latency_ms,
+    dtls_ja3_fingerprint,
+    dtls_ja3_hash,
+    dtls_cert_issuer,
+    dtls_cert_subject,
+    mail_protocol_type,
+    mail_account,
+    mail_from_cmd,
+    mail_to_cmd,
+    mail_from,
+    mail_password,
+    mail_to,
+    mail_cc,
+    mail_bcc,
+    mail_subject,
+    mail_subject_charset,
+    mail_attachment_name,
+    mail_attachment_name_charset,
+    mail_starttls_flag,
+    mail_eml_file,
+    ftp_account,
+    ftp_url,
+    ftp_link_type,
+    quic_version,
+    quic_sni,
+    quic_user_agent,
+    rdp_cookie,
+    rdp_security_protocol,
+    rdp_client_channels,
+    rdp_keyboard_layout,
+    rdp_client_version,
+    rdp_client_name,
+    rdp_client_product_id,
+    rdp_desktop_width,
+    rdp_desktop_height,
+    rdp_requested_color_depth,
+    rdp_certificate_type,
+    rdp_certificate_count,
+    rdp_certificate_permanent,
+    rdp_encryption_level,
+    rdp_encryption_method,
+    ssh_version,
+    ssh_auth_success,
+    ssh_client_version,
+    ssh_server_version,
+    ssh_cipher_alg,
+    ssh_mac_alg,
+    ssh_compression_alg,
+    ssh_kex_alg,
+    ssh_host_key_alg,
+    ssh_host_key,
+    ssh_hassh,
+    sip_call_id,
+    sip_originator_description,
+    sip_responder_description,
+    sip_user_agent,
+    sip_server,
+    sip_originator_sdp_connect_ip,
+    sip_originator_sdp_media_port,
+    sip_originator_sdp_media_type,
+    sip_originator_sdp_content,
+    sip_responder_sdp_connect_ip,
+    sip_responder_sdp_media_port,
+    sip_responder_sdp_media_type,
+    sip_responder_sdp_content,
+    sip_duration_s,
+    sip_bye,
+    sip_bye_reason,
+    rtp_payload_type_c2s,
+    rtp_payload_type_s2c,
+    rtp_pcap_path,
+    rtp_originator_dir,
+    stratum_cryptocurrency,
+    stratum_mining_pools,
+    stratum_mining_program,
+    stratum_mining_subscribe,
+    sent_pkts,
+    received_pkts,
+    sent_bytes,
+    received_bytes,
+    tcp_c2s_ip_fragments,
+    tcp_s2c_ip_fragments,
+    tcp_c2s_lost_bytes,
+    tcp_s2c_lost_bytes,
+    tcp_c2s_o3_pkts,
+    tcp_s2c_o3_pkts,
+    tcp_c2s_rtx_pkts,
+    tcp_s2c_rtx_pkts,
+    tcp_c2s_rtx_bytes,
+    tcp_s2c_rtx_bytes,
+    tcp_rtt_ms,
+    tcp_client_isn,
+    tcp_server_isn,
+    packet_capture_file,
+    in_src_mac,
+    out_src_mac,
+    in_dest_mac,
+    out_dest_mac,
+    encapsulation,
+    dup_traffic_flag,
+    tunnel_id_list,
+    tunnel_uuid_list,
+    tunnel_endpoint_a_desc,
+    tunnel_endpoint_b_desc
+FROM tsg_galaxy_v3.session_record_local
+WHERE notEmpty(security_rule_uuid_list)
+;
+
+-- tsg_galaxy_v3.monitor_event_materialized_view
+CREATE MATERIALIZED VIEW IF NOT EXISTS tsg_galaxy_v3.monitor_event_materialized_view on cluster ck_cluster 
+TO tsg_galaxy_v3.monitor_event_local
+(
+    recv_time Int64,
+    log_id UInt64,
+    decoded_as String,
+    session_id UInt64,
+    start_timestamp_ms DateTime64(3),
+    end_timestamp_ms DateTime64(3),
+    duration_ms Int32,
+    tcp_handshake_latency_ms Nullable(Int32),
+    ingestion_time Int64,
+    processing_time Int64,
+    -- insert_time Int64 MATERIALIZED toUnixTimestamp(now()),
+    device_id String,
+    out_link_id Nullable(Int32),
+    in_link_id Nullable(Int32),
+    device_tag String,
+    data_center String,
+    device_group String,
+    sled_ip String,
+    address_type Int32,
+    direction String,
+    vsys_id Int32,
+    t_vsys_id Int32,
+    flags Int64,
+    flags_identify_info String,
+    c2s_ttl Nullable(Int32),
+    s2c_ttl Nullable(Int32),
+    security_rule_list Array(Int64),
+    security_rule_uuid_list Array(String),
+    security_action String,
+    monitor_rule_list Array(Int64),
+    monitor_rule_uuid_list Array(String),
+    shaping_rule_list Array(Int64),
+    shaping_rule_uuid_list Array(String),
+    proxy_rule_list Array(Int64),
+    proxy_rule_uuid_list Array(String),
+    statistics_rule_list Array(Int64),
+    statistics_rule_uuid_list Array(String),
+    sc_rule_list Array(Int64),
+    sc_rule_uuid_list Array(String),
+    sc_rsp_raw Array(Int64),
+    sc_rsp_decrypted Array(Int64),
+    proxy_action String,
+    proxy_pinning_status Nullable(Int32),
+    proxy_intercept_status Nullable(Int32),
+    proxy_passthrough_reason String,
+    proxy_client_side_latency_ms Nullable(Int32),
+    proxy_server_side_latency_ms Nullable(Int32),
+    proxy_client_side_version String,
+    proxy_server_side_version String,
+    proxy_cert_verify Nullable(Int32),
+    proxy_intercept_error String,
+    monitor_mirrored_pkts Nullable(Int32),
+    monitor_mirrored_bytes Nullable(Int32),
+    client_ip String,
+    client_ip_tags Array(String),
+    client_port Int32,
+    client_os_desc String,
+    client_geolocation LowCardinality(String),
+    client_country String,
+    client_super_administrative_area String,
+    client_administrative_area String,
+    client_sub_administrative_area String,
+    client_asn Nullable(Int64),
+    subscriber_id String,
+    subscriber_id_hmac String,
+    imei String,
+    imsi String,
+    phone_number String,
+    phone_number_hmac String,
+    apn String,
+    mobile_identify String,
+    server_ip String,
+    server_ip_tags Array(String),
+    server_port Int32,
+    server_os_desc String,
+    server_geolocation LowCardinality(String),
+    server_country String,
+    server_super_administrative_area String,
+    server_administrative_area String,
+    server_sub_administrative_area String,
+    server_asn Nullable(Int64),
+    server_fqdn String,
+    server_fqdn_tags Array(String),
+    server_domain String,
+    app_transition String, 
+    app LowCardinality(String),
+    app_category String,
+    app_debug_info String,
+    app_content String,
+    app_extra_info String,
+    fqdn_category_list Array(Int64),
+    ip_protocol LowCardinality(String),
+    decoded_path LowCardinality(String),
+    dns_message_id Nullable(Int32),
+    dns_qr Nullable(Int32),
+    dns_opcode Nullable(Int32),
+    dns_aa Nullable(Int32),
+    dns_tc Nullable(Int32),
+    dns_rd Nullable(Int32),
+    dns_ra Nullable(Int32),
+    dns_rcode Nullable(Int32),
+    dns_qdcount Nullable(Int32),
+    dns_ancount Nullable(Int32),
+    dns_nscount Nullable(Int32),
+    dns_arcount Nullable(Int32),
+    dns_qname String,
+    dns_qtype Nullable(Int32),
+    dns_qclass Nullable(Int32),
+    dns_cname String,
+    dns_sub Nullable(Int32),
+    dns_rr String,
+    dns_response_latency_ms Nullable(Int32),
+    http_url String,
+    http_host String,
+    http_request_line String,
+    http_response_line String,
+    http_request_body String,
+    http_response_body String,
+    http_proxy_flag Nullable(Int32),
+    http_sequence Nullable(Int32),
+    http_cookie String,
+    http_referer String,
+    http_user_agent String,
+    http_request_content_length Nullable(Int64),
+    http_request_content_type String,
+    http_response_content_length Nullable(Int64),
+    http_response_content_type String,
+    http_set_cookie String,
+    http_version String,
+    http_status_code Nullable(Int32),
+    http_response_latency_ms Nullable(Int32),
+    http_session_duration_ms Nullable(Int32),
+    http_action_file_size Nullable(Int64),
+    ssl_version String,
+    ssl_sni String,
+    ssl_san String,
+    ssl_cn String,
+    ssl_handshake_latency_ms Nullable(Int32),
+    ssl_ja3_hash String,
+    ssl_ja3s_hash String,
+    ssl_ja4_fingerprint String,
+    ssl_ja4s_fingerprint String,
+    ssl_cert_issuer String,
+    ssl_cert_subject String,
+    ssl_esni_flag Nullable(Int32),
+    ssl_ech_flag Nullable(Int32),
+    dtls_cookie String,
+    dtls_version  String,
+    dtls_sni String,
+    dtls_san String,
+    dtls_cn String,
+    dtls_handshake_latency_ms Nullable(Int32),
+    dtls_ja3_fingerprint String,
+    dtls_ja3_hash String,
+    dtls_cert_issuer String,
+    dtls_cert_subject String,
+    mail_protocol_type String,
+    mail_account String,
+    mail_from_cmd String,
+    mail_to_cmd String,
+    mail_from String,
+    mail_password String,
+    mail_to String,
+    mail_cc String,
+    mail_bcc String,
+    mail_subject String,
+    mail_subject_charset String,
+    mail_attachment_name String,
+    mail_attachment_name_charset String,
+    mail_starttls_flag Nullable(Int32),
+    mail_eml_file String,
+    ftp_account String,
+    ftp_url String,
+    ftp_link_type String,
+    quic_version String,
+    quic_sni String,
+    quic_user_agent String,
+    rdp_cookie String,
+    rdp_security_protocol String,
+    rdp_client_channels String,
+    rdp_keyboard_layout String,
+    rdp_client_version String,
+    rdp_client_name String,
+    rdp_client_product_id String,
+    rdp_desktop_width String,
+    rdp_desktop_height String,
+    rdp_requested_color_depth String,
+    rdp_certificate_type String,
+    rdp_certificate_count Nullable(Int32),
+    rdp_certificate_permanent Nullable(Int32),
+    rdp_encryption_level String,
+    rdp_encryption_method String,
+    ssh_version String,
+    ssh_auth_success String,
+    ssh_client_version String,
+    ssh_server_version String,
+    ssh_cipher_alg String,
+    ssh_mac_alg String,
+    ssh_compression_alg String,
+    ssh_kex_alg String,
+    ssh_host_key_alg String,
+    ssh_host_key String,
+    ssh_hassh String,
+    sip_call_id String,
+    sip_originator_description String,
+    sip_responder_description String,
+    sip_user_agent String,
+    sip_server String,
+    sip_originator_sdp_connect_ip String,
+    sip_originator_sdp_media_port Nullable(Int32),
+    sip_originator_sdp_media_type String,
+    sip_originator_sdp_content String,
+    sip_responder_sdp_connect_ip String,
+    sip_responder_sdp_media_port Nullable(Int32),
+    sip_responder_sdp_media_type String,
+    sip_responder_sdp_content String,
+    sip_duration_s Nullable(Int32),
+    sip_bye String,
+    sip_bye_reason String,
+    rtp_payload_type_c2s Nullable(Int32),
+    rtp_payload_type_s2c Nullable(Int32),
+    rtp_pcap_path String,
+    rtp_originator_dir Nullable(Int32),
+    stratum_cryptocurrency String,
+    stratum_mining_pools String,
+    stratum_mining_program String,
+    stratum_mining_subscribe String,
+    sent_pkts Int64,
+    received_pkts Int64,
+    sent_bytes Int64,
+    received_bytes Int64,
+    tcp_c2s_ip_fragments Nullable(Int64),
+    tcp_s2c_ip_fragments Nullable(Int64),
+    tcp_c2s_lost_bytes Nullable(Int64),
+    tcp_s2c_lost_bytes Nullable(Int64),
+    tcp_c2s_o3_pkts Nullable(Int64),
+    tcp_s2c_o3_pkts Nullable(Int64),
+    tcp_c2s_rtx_pkts Nullable(Int64),
+    tcp_s2c_rtx_pkts Nullable(Int64),
+    tcp_c2s_rtx_bytes Nullable(Int64),
+    tcp_s2c_rtx_bytes Nullable(Int64),
+    tcp_rtt_ms Nullable(Int32),
+    tcp_client_isn Nullable(Int64),
+    tcp_server_isn Nullable(Int64),
+    packet_capture_file String,
+    in_src_mac String,
+    out_src_mac String,
+    in_dest_mac String,
+    out_dest_mac String,
+    encapsulation String,
+    dup_traffic_flag Nullable(Int32),
+    tunnel_id_list Array(Int64),
+    tunnel_uuid_list Array(String),
+    tunnel_endpoint_a_desc String,
+    tunnel_endpoint_b_desc String
+) 
+AS
+SELECT
+    recv_time,
+    log_id,
+    decoded_as,
+    session_id,
+    start_timestamp_ms,
+    end_timestamp_ms,
+    duration_ms,
+    tcp_handshake_latency_ms,
+    ingestion_time,
+    processing_time,
+    -- insert_time,
+    device_id,
+    out_link_id,
+    in_link_id,
+    device_tag,
+    data_center,
+    device_group,
+    sled_ip,
+    address_type,
+    direction,
+    vsys_id,
+    t_vsys_id,
+    flags,
+    flags_identify_info,
+    c2s_ttl,
+    s2c_ttl,
+    security_rule_list,
+    security_rule_uuid_list,
+    security_action,
+    monitor_rule_list,
+    monitor_rule_uuid_list,
+    shaping_rule_list,
+    shaping_rule_uuid_list,
+    proxy_rule_list,
+    proxy_rule_uuid_list,
+    statistics_rule_list,
+    statistics_rule_uuid_list,
+    sc_rule_list,
+    sc_rule_uuid_list,
+    sc_rsp_raw,
+    sc_rsp_decrypted,
+    proxy_action,
+    proxy_pinning_status,
+    proxy_intercept_status,
+    proxy_passthrough_reason,
+    proxy_client_side_latency_ms,
+    proxy_server_side_latency_ms,
+    proxy_client_side_version,
+    proxy_server_side_version,
+    proxy_cert_verify,
+    proxy_intercept_error,
+    monitor_mirrored_pkts,
+    monitor_mirrored_bytes,
+    client_ip,
+    client_ip_tags,
+    client_port,
+    client_os_desc,
+    client_geolocation,
+    client_country,
+    client_super_administrative_area,
+    client_administrative_area,
+    client_sub_administrative_area,
+    client_asn,
+    subscriber_id,
+    subscriber_id_hmac,
+    imei,
+    imsi,
+    phone_number,
+    phone_number_hmac,
+    apn,
+    mobile_identify,
+    server_ip,
+    server_ip_tags,
+    server_port,
+    server_os_desc,
+    server_geolocation,
+    server_country,
+    server_super_administrative_area,
+    server_administrative_area,
+    server_sub_administrative_area,
+    server_asn,
+    server_fqdn,
+    server_fqdn_tags,
+    server_domain,
+    app_transition,
+    app,
+    app_category,
+    app_debug_info,
+    app_content,
+    app_extra_info,
+    fqdn_category_list,
+    ip_protocol,
+    decoded_path,
+    dns_message_id,
+    dns_qr,
+    dns_opcode,
+    dns_aa,
+    dns_tc,
+    dns_rd,
+    dns_ra,
+    dns_rcode,
+    dns_qdcount,
+    dns_ancount,
+    dns_nscount,
+    dns_arcount,
+    dns_qname,
+    dns_qtype,
+    dns_qclass,
+    dns_cname,
+    dns_sub,
+    dns_rr,
+    dns_response_latency_ms,
+    http_url,
+    http_host,
+    http_request_line,
+    http_response_line,
+    http_request_body,
+    http_response_body,
+    http_proxy_flag,
+    http_sequence,
+    http_cookie,
+    http_referer,
+    http_user_agent,
+    http_request_content_length,
+    http_request_content_type,
+    http_response_content_length,
+    http_response_content_type,
+    http_set_cookie,
+    http_version,
+    http_status_code,
+    http_response_latency_ms,
+    http_session_duration_ms,
+    http_action_file_size,
+    ssl_version,
+    ssl_sni,
+    ssl_san,
+    ssl_cn,
+    ssl_handshake_latency_ms,
+    ssl_ja3_hash,
+    ssl_ja3s_hash,
+    ssl_ja4_fingerprint,
+    ssl_ja4s_fingerprint,
+    ssl_cert_issuer,
+    ssl_cert_subject,
+    ssl_esni_flag,
+    ssl_ech_flag,
+    dtls_cookie,
+    dtls_version,
+    dtls_sni,
+    dtls_san,
+    dtls_cn,
+    dtls_handshake_latency_ms,
+    dtls_ja3_fingerprint,
+    dtls_ja3_hash,
+    dtls_cert_issuer,
+    dtls_cert_subject,
+    mail_protocol_type,
+    mail_account,
+    mail_from_cmd,
+    mail_to_cmd,
+    mail_from,
+    mail_password,
+    mail_to,
+    mail_cc,
+    mail_bcc,
+    mail_subject,
+    mail_subject_charset,
+    mail_attachment_name,
+    mail_attachment_name_charset,
+    mail_starttls_flag,
+    mail_eml_file,
+    ftp_account,
+    ftp_url,
+    ftp_link_type,
+    quic_version,
+    quic_sni,
+    quic_user_agent,
+    rdp_cookie,
+    rdp_security_protocol,
+    rdp_client_channels,
+    rdp_keyboard_layout,
+    rdp_client_version,
+    rdp_client_name,
+    rdp_client_product_id,
+    rdp_desktop_width,
+    rdp_desktop_height,
+    rdp_requested_color_depth,
+    rdp_certificate_type,
+    rdp_certificate_count,
+    rdp_certificate_permanent,
+    rdp_encryption_level,
+    rdp_encryption_method,
+    ssh_version,
+    ssh_auth_success,
+    ssh_client_version,
+    ssh_server_version,
+    ssh_cipher_alg,
+    ssh_mac_alg,
+    ssh_compression_alg,
+    ssh_kex_alg,
+    ssh_host_key_alg,
+    ssh_host_key,
+    ssh_hassh,
+    sip_call_id,
+    sip_originator_description,
+    sip_responder_description,
+    sip_user_agent,
+    sip_server,
+    sip_originator_sdp_connect_ip,
+    sip_originator_sdp_media_port,
+    sip_originator_sdp_media_type,
+    sip_originator_sdp_content,
+    sip_responder_sdp_connect_ip,
+    sip_responder_sdp_media_port,
+    sip_responder_sdp_media_type,
+    sip_responder_sdp_content,
+    sip_duration_s,
+    sip_bye,
+    sip_bye_reason,
+    rtp_payload_type_c2s,
+    rtp_payload_type_s2c,
+    rtp_pcap_path,
+    rtp_originator_dir,
+    stratum_cryptocurrency,
+    stratum_mining_pools,
+    stratum_mining_program,
+    stratum_mining_subscribe,
+    sent_pkts,
+    received_pkts,
+    sent_bytes,
+    received_bytes,
+    tcp_c2s_ip_fragments,
+    tcp_s2c_ip_fragments,
+    tcp_c2s_lost_bytes,
+    tcp_s2c_lost_bytes,
+    tcp_c2s_o3_pkts,
+    tcp_s2c_o3_pkts,
+    tcp_c2s_rtx_pkts,
+    tcp_s2c_rtx_pkts,
+    tcp_c2s_rtx_bytes,
+    tcp_s2c_rtx_bytes,
+    tcp_rtt_ms,
+    tcp_client_isn,
+    tcp_server_isn,
+    packet_capture_file,
+    in_src_mac,
+    out_src_mac,
+    in_dest_mac,
+    out_dest_mac,
+    encapsulation,
+    dup_traffic_flag,
+    tunnel_id_list,
+    tunnel_uuid_list,
+    tunnel_endpoint_a_desc,
+    tunnel_endpoint_b_desc
+FROM tsg_galaxy_v3.session_record_local
+WHERE notEmpty(monitor_rule_uuid_list)
+;