"raw":"{\n \"statement\" : \"select count(*) as events from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4)\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select min(duration) min_sec,median(duration) as median_sec,round(avg(duration),2) as avg_sec,round(QUANTILE(duration,0.8),2) as p80_sec,round(QUANTILE(duration,0.95),2) as p95_sec,round(QUANTILE(duration,0.99),2) as p99_sec,max(duration) as MAX from ( select (insert_time - ingestion_time) as duration FROM session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') )\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select min(duration) min_sec, median(duration) as median_sec, round(avg(duration),2) as avg_sec,round(QUANTILE(duration,0.8),2) as P80_sec, round(QUANTILE(duration,0.95),2) as P95_sec, round(QUANTILE(duration,0.99),2) as P99_sec, max(duration) as max_sec from ( select (toUnixTimestamp64Milli(end_timestamp_ms)-toUnixTimestamp64Milli(start_timestamp_ms))/1000 as duration FROM session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') )\" , \"exec_mode\":\"oneshot\",\"output_mode\":\"json\"\n}",
"raw":"{\n \"statement\" : \"select security_action as action, count(*) as hits, sum(sent_bytes ) as bytes_sent, sum(received_bytes ) as bytes_received, sum(sent_bytes+received_bytes ) as bytes,sum(sent_pkts ) as packets_sent, sum(received_pkts ) as packets_received, sum(sent_pkts+received_pkts ) as packets from security_event where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4) group by security_action\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT1M')) as stat_time, 'shunt' as type, sum(hit_count) as events from security_rule_hits where __time >= FROM_UNIXTIME(UNIX_TIMESTAMP(now())-3600) and action=128 and vsys_id in (1,2,3,4) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT1M')),'shunt' union all select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT1M')) as stat_time, 'allow' as type, sum(hit_count) as events from security_rule_hits where __time >= FROM_UNIXTIME(UNIX_TIMESTAMP(now())-3600) and action=96 and vsys_id in (1,2,3,4) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT1M')),'allow' union all select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT1M')) as stat_time, 'deny' as type, sum(hit_count) as events from security_rule_hits where __time >= FROM_UNIXTIME(UNIX_TIMESTAMP(now())-3600) and action=16 and vsys_id in (1,2,3,4) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT1M')),'deny' union all select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT1M')) as stat_time, 'monitor' as type, sum(hit_count) as events from security_rule_hits where __time >= FROM_UNIXTIME(UNIX_TIMESTAMP(now())-3600) and action=1 and vsys_id in (1,2,3,4) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT1M')),'monitor' union all select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT1M')) as stat_time, 'intercept' as type, sum(hit_count) as events from security_rule_hits where __time >= FROM_UNIXTIME(UNIX_TIMESTAMP(now())-3600) and action=2 and vsys_id in (1,2,3,4) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT1M')), 'intercept'\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(recv_time,'PT5M','zero')) as stat_time, security_action as type, count(*) as events from security_event where recv_time > FROM_UNIXTIME(UNIX_TIMESTAMP(now())-3600) and vsys_id in (1,2,3,4) group by stat_time, security_action order by stat_time asc\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select count(*) as events from security_event where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4,5)\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select * from (select 'Session Records' as type, from_unixtime(min(recv_time) ) as first_time, from_unixtime(max(recv_time) ) as last_time from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') union all select 'Transaction Records' as type, from_unixtime(min(recv_time) ) as first_time, from_unixtime(max(recv_time) ) as last_time from transaction_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') union all select 'Security Event' as type, from_unixtime(min(recv_time) ) as first_time, from_unixtime(max(recv_time) ) as last_time from security_event where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') union all select 'Proxy Event' as type, from_unixtime(min(recv_time) ) as first_time, from_unixtime(max(recv_time) ) as last_time from proxy_event where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') union all select 'Monitor Events' as type, from_unixtime(min(recv_time) ) as first_time, from_unixtime(max(recv_time) ) as last_time from monitor_event where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') ) order by type\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select 'Session Record' as type, round(count(*)/300,0) as \\\"logs/sec\\\", round(avg(processing_time-ingestion_time),2) as \\\"avg_etl_latency(s)\\\", round(avg(insert_time-ingestion_time),2) as \\\"avg_insert_latency(s)\\\" from session_record crl where recv_time >= UNIX_TIMESTAMP({{Last 5 Minutes Start}}) and recv_time < UNIX_TIMESTAMP({{now}}) union all select 'Transaction Record' as type, round(count(*)/300,0) as \\\"logs/sec\\\", round(avg(processing_time-ingestion_time),2) as \\\"etl_latency(s)\\\", round(avg(insert_time-ingestion_time),2) as \\\"avg_insert_latency(s)\\\" from transaction_record crl where recv_time >= UNIX_TIMESTAMP({{Last 5 Minutes Start}}) and recv_time < UNIX_TIMESTAMP({{now}}) union all select 'Security Event' as type, round(count(*)/300,0) as \\\"logs/sec\\\", round(avg(processing_time-ingestion_time),2) as \\\"avg_etl_latency(s)\\\", round(avg(insert_time-ingestion_time),2) as \\\"avg_insert_latency(s)\\\" from security_event crl where recv_time >= UNIX_TIMESTAMP({{Last 5 Minutes Start}}) and recv_time < UNIX_TIMESTAMP({{now}})\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select sum(received_bytes)* 8 / 300 as trafficReceivedBits, sum(sent_bytes)* 8 / 300 as trafficSentBits, sum(received_bytes + sent_bytes)* 8 / 300 as trafficTotalBits, sum(received_pkts)/ 300 as trafficReceivedPackets, sum(sent_pkts)/ 300 as trafficSentPackets, sum(received_pkts + sent_pkts)/ 300 as trafficTotalPackets, count(1)/ 300 as sessions from session_record where recv_time >= UNIX_TIMESTAMP(now())-300 and vsys_id in (1,2,3,4,5,6,7,8)\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(recv_time,'PT5M','zero')) as stat_time, decoded_as as type, count(1) as sessions, sum(sent_bytes + received_bytes) as bytes, sum(sent_pkts + received_pkts) as packets from session_record where recv_time > FROM_UNIXTIME(UNIX_TIMESTAMP(now())-3600) and vsys_id in (1,2,3,4) group by stat_time, decoded_as order by stat_time asc\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(recv_time) as recv_time, vsys_id,* from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4,5) and notEmpty(proxy_rule_list) order by recv_time desc limit 0 , 20\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(recv_time) as recv_time, vsys_id,* from proxy_event where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4,5) order by recv_time desc limit 0 , 20\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select proxy_action , count(*) as hits from proxy_event where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4,5) group by proxy_action\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select count(*) as hit_count from proxy_event where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4,5)\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"raw":"{\n \"statement\" : \"select sum(sum_in_bytes)*8/15 as avg_in_bits_per_sec, sum(sum_out_bytes)*8/15 as avg_out_bits_per_sec, sum(sum_in_bytes+sum_out_bytes)*8/15 as avg_bits_per_sec, sum(sum_in_bytes)/15 as avg_in_bytes_per_sec, sum(sum_out_bytes)/15 as avg_out_bytes_per_sec, sum(sum_in_bytes+sum_out_bytes)/15 as avg_bytes_per_sec, sum(sum_in_pkts)/15 as avg_in_pkts_per_sec, sum(sum_out_pkts)/15 as avg_out_pkts_per_sec, sum(sum_in_pkts+sum_out_pkts)/15 as avg_pkts_per_sec, sum(sum_sessions)/15 as avg_sessions_per_sec, sum(max_active_sessions) as active_sessions from ( select device_id, vsys_id, sum(in_bytes) as sum_in_bytes, sum(out_bytes) as sum_out_bytes, sum(in_pkts) as sum_in_pkts, sum(out_pkts) as sum_out_pkts, sum(sessions) as sum_sessions, max(active_sessions) as max_active_sessions from traffic_general_stat where __time>=FROM_UNIXTIME(UNIX_TIMESTAMP(now())-30) and __time<FROM_UNIXTIME(UNIX_TIMESTAMP(now())-15) and vsys_id in (1) group by device_id, vsys_id )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , avg(sum_in_bytes)*8/30 as avg_in_bits_per_sec, avg(sum_out_bytes)*8/30 as avg_out_bits_per_sec, avg(sum_bytes)*8/30 as avg_bits_per_sec, max(sum_in_bytes)*8/30 as max_in_bits_per_sec, max(sum_out_bytes)*8/30 as max_out_bits_per_sec, max(sum_bytes)*8/30 as max_bits_per_sec, min(sum_in_bytes)*8/30 as min_in_bits_per_sec, min(sum_out_bytes)*8/30 as min_out_bits_per_sec, min(sum_bytes)*8/30 as min_bits_per_sec from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT5S') as stat_time, sum(in_bytes) as sum_in_bytes, sum(out_bytes) as sum_out_bytes, sum(in_bytes + out_bytes) as sum_bytes from traffic_general_stat where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT5S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 10000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , avg(sum_in_bytes)/30 as avg_in_bytes_per_sec, avg(sum_out_bytes)/30 as avg_out_bytes_per_sec, avg(sum_bytes)/30 as avg_bytes_per_sec, max(sum_in_bytes)/30 as max_in_bytes_per_sec, max(sum_out_bytes)/30 as max_out_bytes_per_sec, max(sum_bytes)/30 as max_bytes_per_sec, min(sum_in_bytes)/30 as min_in_bytes_per_sec, min(sum_out_bytes)/30 as min_out_bytes_per_sec, min(sum_bytes)/30 as min_bytes_per_sec from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT5S') as stat_time, sum(in_bytes) as sum_in_bytes, sum(out_bytes) as sum_out_bytes, sum(in_bytes + out_bytes) as sum_bytes from traffic_general_stat where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT5S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 10000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , avg(sum_in_pkts)/30 as avg_in_pkts_per_sec, avg(sum_out_pkts)/30 as avg_out_pkts_per_sec, avg(sum_pkts)/30 as avg_pkts_per_sec, max(sum_in_pkts)/30 as max_in_pkts_per_sec, max(sum_out_pkts)/30 as max_out_pkts_per_sec, max(sum_pkts)/30 as max_pkts_per_sec, min(sum_in_pkts)/30 as min_in_pkts_per_sec, min(sum_out_pkts)/30 as min_out_pkts_per_sec, min(sum_pkts)/30 as min_pkts_per_sec from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT5S') as stat_time, sum(in_pkts) as sum_in_pkts, sum(out_pkts) as sum_out_pkts, sum(in_pkts + out_pkts) as sum_pkts from traffic_general_stat where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT5S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , avg(sum_sessions)/30 as avg_sessions_per_sec, max(sum_sessions)/30 as max_sessions_per_sec, min(sum_sessions)/30 as min_sessions_per_sec from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT5S') as stat_time, sum(sessions) as sum_sessions from traffic_general_stat where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5) group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT5S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time, avg(sum_active_sessions) as avg_active_sessions, max(sum_active_sessions) as max_active_sessions, min(sum_active_sessions) as min_active_sessions from ( select stat_time, sum(max_active_sessions) sum_active_sessions from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT5S') as stat_time, device_id, vsys_id, max(active_sessions) as max_active_sessions from traffic_general_stat where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT5S'), device_id, vsys_id ) group by stat_time ) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"SELECT (CASE WHEN action = 1 THEN 'Monitor' WHEN action = 2 THEN 'Intercept' WHEN action = 16 THEN 'Deny' WHEN action = 48 THEN 'Manipulation' WHEN action = 96 THEN 'Allow' WHEN action = 128 THEN 'Shunt' ELSE concat(action) END) as action, SUM(hit_count) as hit_count, SUM(in_bytes + out_bytes) as bytes, SUM(in_pkts + out_pkts) as packets from security_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) GROUP BY action order by action\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT30S','zero')) as stat_time, (CASE WHEN action = 1 THEN 'Monitor' WHEN action = 2 THEN 'Intercept' WHEN action = 16 THEN 'Deny' WHEN action = 48 THEN 'Manipulation' WHEN action = 96 THEN 'Allow' WHEN action = 128 THEN 'Shunt' ELSE concat(action) END) as action, sum(hit_count) as hit_count, sum(in_bytes + out_bytes) as bytes, SUM(in_pkts + out_pkts) as packets from security_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT30S','zero')) , action order by stat_time limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select rule_id, action, sum(hit_count) as hits from security_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by rule_id, action order by hits desc limit 100\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select sub_action, sum(hit_count) as hits from proxy_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and action = 48 group by sub_action order by sub_action\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT300S','zero')) as stat_time, sub_action, sum(hit_count) as hits from proxy_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and action = 48 group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT300S','zero')) , sub_action order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select rule_id, sub_action, sum(hit_count) as hits from proxy_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and vsys_id in (1,2,3,4,5) and action = 48 group by rule_id, sub_action order by hits desc limit 100\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT300S','zero')) as stat_time, (CASE WHEN pinning_status = 0 THEN 'not_pinning_num' WHEN pinning_status = 1 THEN 'pinning_num' WHEN pinning_status = 2 THEN 'maybe_pinning_num' ELSE concat(pinning_status) END) as type, SUM(hit_count) as hits from proxy_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and action = 2 group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT300S','zero')) , (CASE WHEN pinning_status = 0 THEN 'not_pinning_num' WHEN pinning_status = 1 THEN 'pinning_num' WHEN pinning_status = 2 THEN 'maybe_pinning_num' ELSE concat(pinning_status) END) order by stat_time asc limit 100\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"name\": \"application-and-protocol-tree-throughput\",\n \"granularity\":\"PT15s\",\n \"filter\": \"vsys_id in (1,2,3,4,5) AND (protocol_stack_id = 'ETHERNET' OR (protocol_stack_id LIKE 'ETHERNET.%' AND NOT CONTAINS_STRING(REPLACE(protocol_stack_id, 'ETHERNET.', ''), '.')))\",\n \"intervals\": [\"{{start_time}}/{{end_time}}\"],\n \"exec_mode\" : \"oneshot\"\n \n}",
"raw":"{\n \"statement\" : \"select client_ip as client_ip, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_client_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1) and metric = 'sessions' group by client_ip order by sessions desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select client_ip as client_ip, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets,sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_client_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric='packets' group by client_ip order by packets desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select client_ip as client_ip, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_client_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'bytes' group by client_ip order by bytes desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select server_ip as server_ip, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_server_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'sessions' group by server_ip order by sessions desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select server_ip as server_ip, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_server_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'packets' group by server_ip order by packets desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select server_ip as server_ip, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_server_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'bytes' group by server_ip order by bytes desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select internal_ip as internal_ip, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_internal_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'sessions' group by internal_ip order by sessions desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select internal_ip as internal_ip, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_internal_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'packets' group by internal_ip order by packets desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select internal_ip as internal_ip, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_internal_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'bytes' group by internal_ip order by bytes desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select external_ip as external_ip, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_external_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'sessions' group by external_ip order by sessions desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select external_ip as external_ip, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_external_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'packets' group by external_ip order by packets desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select external_ip as external_ip, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_external_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'bytes' group by external_ip order by bytes desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select domain, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_server_domains where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'sessions' group by domain order by sessions desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select domain, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_server_domains where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'packets' group by domain order by packets desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select domain, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_server_domains where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'bytes' group by domain order by bytes desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select fqdn, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_server_fqdns where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'sessions' group by fqdn order by sessions desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select fqdn, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_server_fqdns where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'packets' group by fqdn order by packets desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select fqdn, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_server_fqdns where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'bytes' group by fqdn order by bytes desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select subscriber_id, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_subscribers where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'sessions' group by subscriber_id order by sessions desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select subscriber_id, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_subscribers where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'packets' group by subscriber_id order by packets desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select subscriber_id, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from top_subscribers where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and metric = 'bytes' group by subscriber_id order by bytes desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select app_name, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from application_protocol_stat where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and app_name IS NOT NUll group by app_name order by packets desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select app_name, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from application_protocol_stat where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and app_name IS NOT NUll group by app_name order by bytes desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select app_name, sum(sessions) as sessions, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(in_bytes + out_bytes) as bytes, sum(in_pkts) as in_packets , sum(out_pkts) as out_packets, sum(in_pkts + out_pkts) as packets from application_protocol_stat where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and app_name IS NOT NUll group by app_name order by sessions desc limit 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select profile_id, sum(in_bytes+out_bytes) as bytes, sum(in_pkts+out_pkts) as packets, sum(in_drop_pkts+out_drop_pkts) as drops, max(in_max_latency_us+out_max_latency_us) as max_latency_us, avg(in_queue_len+out_queue_len) as avg_q, max(in_queue_len+out_queue_len) as max_q from traffic_shaping_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by profile_id\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select rule_id,DATE_FORMAT(max(__time) ,'%Y-%m-%d %H:%i:%s') as last_used,DATE_FORMAT(min(__time) ,'%Y-%m-%d %H:%i:%s') as first_used, sum(in_bytes+out_bytes) as total_bytes from traffic_shaping_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5) and rule_id in (1,2,103,273) group by rule_id\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select profile_id, DATE_FORMAT(max(__time) ,'%Y-%m-%d %H:%i:%s') as last_used, DATE_FORMAT(min(__time) ,'%Y-%m-%d %H:%i:%s') as first_used, sum(in_drop_pkts+out_drop_pkts) as drops from traffic_shaping_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5) and profile_id in (1,2,103,273) group by profile_id\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select sum(bytes)*8/10 as bps, sum(packets)/10 as pps, max(max_latency_us) as max_latency_us, avg(avg_q) as avg_q, max(max_q) as max_q from ( select device_id, vsys_id, sum(in_bytes+out_bytes) as bytes, sum(in_pkts+out_pkts) as packets, max(in_max_latency_us+out_max_latency_us) as max_latency_us, avg(in_queue_len+out_queue_len) as avg_q, max(in_queue_len+out_queue_len) as max_q from traffic_shaping_rule_hits where __time >= FROM_UNIXTIME(UNIX_TIMESTAMP(now())-10) and vsys_id in (1,2,3,4,5) and profile_id =1 group by device_id, vsys_id )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT1s', 'zero')) as stat_time, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes from traffic_shaping_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and profile_id=273 group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT1s', 'zero')) order by stat_time asc limit 100\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT1s', 'zero')) as stat_time, sum(sent_bytes) as sent_bytes, sum(recv_bytes) as received_bytes from service_chaining_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and ( rule_id in (1,2,3,4,5) or sff_profile_id in (1,2,3,4,5) or sf_profile_id in (1,2,3,4,5)) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT1s', 'zero')) order by stat_time asc limit 100\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select rule_id, sum(sent_bytes) as sent_bytes, sum(recv_bytes) as received_bytes, sum(sent_pkts) as sent_packets, sum(recv_pkts) as received_packets from service_chaining_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and rule_id in (1,2,3,4,5) group by rule_id\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select sff_profile_id, sum(sent_bytes) as sent_bytes, sum(recv_bytes) as received_bytes, sum(sent_pkts) as sent_packets, sum(recv_pkts) as received_packets from service_chaining_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and sff_profile_id in (1,2,3,4,5) group by sff_profile_id\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select sf_profile_id, sum(sent_bytes) as sent_bytes, sum(recv_bytes) as received_bytes, sum(sent_pkts) as sent_packets, sum(recv_pkts) as received_packets from service_chaining_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and sf_profile_id in (1,2,3,4,5) group by sf_profile_id\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"SELECT sf_profile_id, sf_status, CASE WHEN last_active_time = 0 THEN '' ELSE FROM_UNIXTIME(last_active_time) END AS last_active_time, CASE WHEN last_inactive_time = 0 THEN '' ELSE FROM_UNIXTIME(last_inactive_time) END AS last_inactive_time FROM ( SELECT sf_profile_id, LATEST(sf_status) as sf_status, MAX(CASE WHEN sf_status = 1 THEN UNIX_TIMESTAMP(__time) ELSE 0 END) as last_active_time, MAX(CASE WHEN sf_status = 0 THEN UNIX_TIMESTAMP(__time) ELSE 0 END) as last_inactive_time from service_function_status where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and sf_profile_id in (1,2,3,4,5) group by sf_profile_id)\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select object_id, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes, sum(new_in_sessions) as new_in_sessions, sum(new_out_sessions) as new_out_sessions, sum(sessions) as sessions from object_statistics where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by object_id order by bytes desc limit 30\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes, sum(new_in_sessions) as new_in_sessions, sum(new_out_sessions) as new_out_sessions, sum(sessions) as sessions from object_statistics where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and object_id > 0\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select item_id, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes, sum(new_in_sessions) as new_in_sessions, sum(new_out_sessions) as new_out_sessions, sum(sessions) as sessions from object_statistics where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by item_id order by bytes desc limit 30\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , sum(in_bytes) as in_bytes, avg(in_bytes)* 8 / 30 as avg_in_bits_per_sec, sum(out_bytes) as out_bytes, avg(out_bytes)* 8 / 30 as avg_out_bits_per_sec, sum(bytes) as bytes, avg(bytes)* 8 / 30 as avg_bits_per_sec, sum(new_in_sessions) as new_in_sessions, avg(new_in_sessions)/ 30 as avg_new_in_sessions_per_sec, sum(new_out_sessions) as new_out_sessions, avg(new_out_sessions)/ 30 as avg_new_out_sessions_per_sec, sum(sessions) as sessions, avg(sessions)/ 30 as avg_sessions_per_sec from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT5S') as stat_time, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes, sum(new_in_sessions) as new_in_sessions, sum(new_out_sessions) as new_out_sessions, sum(sessions) as sessions from object_statistics where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1) and object_id = 1608661 group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT5S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , sum(in_bytes) as in_bytes, avg(in_bytes)* 8 / 30 as avg_in_bits_per_sec, sum(out_bytes) as out_bytes, avg(out_bytes)* 8 / 30 as avg_out_bits_per_sec, sum(bytes) as bytes, avg(bytes)* 8 / 30 as avg_bits_per_sec, sum(new_in_sessions) as new_in_sessions, avg(new_in_sessions)/ 30 as avg_new_in_sessions_per_sec, sum(new_out_sessions) as new_out_sessions, avg(new_out_sessions)/ 30 as avg_new_out_sessions_per_sec, sum(sessions) as sessions, avg(sessions)/ 30 as avg_sessions_per_sec from (select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT5S') as stat_time, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes, sum(new_in_sessions) as new_in_sessions, sum(new_out_sessions) as new_out_sessions, sum(sessions) as sessions from object_statistics where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and item_id = 1 group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT5S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT15S') as stat_time, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1) and version=1 group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT15S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time, avg(in_bytes)*8/30 as avg_in_bits_per_sec, avg(out_bytes)*8/30 as avg_out_bits_per_sec, avg(bytes)*8/30 as avg_bits_per_sec from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT15S') as stat_time, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT15S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time, APPROX_COUNT_DISTINCT_HLLD(client_ip_sketch) as unique_client_ips, APPROX_COUNT_DISTINCT_HLLD(server_ip_sketch) as unique_server_ips from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT15S') as stat_time, HLLD(client_ip_sketch) as client_ip_sketch, HLLD(server_ip_sketch) as server_ip_sketch from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT15S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time, QUANTILE_HDR(latency_ms_sketch,0.95) as p95th_tcp_latency_ms, QUANTILE_HDR(latency_ms_sketch,0.99) as p99th_tcp_latency_ms from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT15S') as stat_time, HDR_HISTOGRAM(latency_ms_sketch) as latency_ms_sketch from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT15S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select PERCENTILES_HDR(latency_ms_sketch) as histogram_tcp_latency_ms,HDR_GET_QUANTILES(HDR_HISTOGRAM(latency_ms_sketch), 0.5,0.95,0.99) as tcp_latency_quantiles from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and rule_id=397097 and chart_id=8267\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select application, sum(bytes) as bytes, sum(sessions) as sessions from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by application order by bytes desc limit 1024\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select server_ip, sum(bytes) as bytes, sum(sessions) as sessions from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by server_ip order by bytes desc limit 1024\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select fqdn_category, sum(bytes) as bytes, sum(sessions) as sessions from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by fqdn_category order by bytes desc limit 1024\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select MV_TO_STRING(fqdn_category,',') , sum(bytes) as bytes, sum(sessions) as sessions from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and fqdn_category is not null group by MV_TO_STRING(fqdn_category,',') order by bytes desc limit 1024\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select fqdn_category , sum(bytes) as bytes, sum(sessions) as sessions from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and fqdn_category is not null group by fqdn_category order by bytes desc limit 1024\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select client_ip, server_ip, sum(new_unestablished_sessions) as new_unestablished_sessions from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by client_ip, server_ip order by new_unestablished_sessions desc limit 100\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , avg(sum_in_bytes)*8/30 as avg_in_bits_per_sec, avg(sum_out_bytes)*8/30 as avg_out_bits_per_sec, avg(sum_bytes)*8/30 as avg_bits_per_sec, sum(sum_in_bytes) as total_in_bytes, sum(sum_out_bytes) as total_out_bytes, sum(sum_bytes) as total_bytes from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT5S') as stat_time, sum(in_bytes) as sum_in_bytes, sum(out_bytes) as sum_out_bytes, sum(in_bytes + out_bytes) as sum_bytes from statistics_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1) group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT5S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\":\"select arrayJoin(splitByString(',',source_country_list)) as source_country, count(*) as count from dos_event where start_time >= UNIX_TIMESTAMP('{{start_time}}') and start_time <UNIX_TIMESTAMP('{{end_time}}') and notEmpty(source_country_list) and vsys_id in (1,2,3,4) group by arrayJoin(splitByString(',',source_country_list)) order by count desc limit 10\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select destination_country, count(*) as count from dos_event where start_time >= UNIX_TIMESTAMP('{{start_time}}') and start_time <UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4) group by destination_country order by count desc limit 10\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select destination_ip, count(*) as count from dos_event where start_time >= UNIX_TIMESTAMP('{{start_time}}') and start_time <UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4) group by destination_ip order by count desc limit 10\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select attack_type, count(*) as count from dos_event where start_time >= UNIX_TIMESTAMP('{{start_time}}') and start_time <UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4) group by attack_type order by attack_type\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select severity, count(*) as count from dos_event where start_time >= UNIX_TIMESTAMP('{{start_time}}')and start_time <UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4) group by severity order by severity\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select destination_ip, IP_TO_GEO(destination_ip) as destination_geo, any(destination_country) as destination_country, groupUniqArray(arrayJoin(splitByString(',',source_country_list))) as source_coutries, max(bit_rate) as max_bit_rate, max(packet_rate) as max_packet_rate, max(session_rate) as max_session_rate,min(start_time) as first_active_time, max(end_time) as last_active_time, MAX_DURATION(end_time, 600) as max_duration, groupUniqArray(attack_type) as attack_type, count(*) as count from dos_event where start_time >= UNIX_TIMESTAMP('{{start_time}}') and start_time <UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4) group by destination_ip order by count desc limit 100\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select start_time, destination_ip, IP_TO_GEO(destination_ip) as destination_geo, destination_country, source_country_list, attack_type, severity,bit_rate, packet_rate, session_rate from dos_event where start_time >= UNIX_TIMESTAMP('{{start_time}}') and start_time <UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4) order by start_time asc limit 100\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\" :\"select client_ip,count(*) as count from session_record where recv_time >=UNIX_TIMESTAMP('{{start_time}}') and recv_time <=UNIX_TIMESTAMP('{{end_time}}') and vsys_id in (1,2,3,4,5) group by client_ip order by count asc limit 10\"\n \n}",
"raw":"{\r\n \"name\": \"ip-learning-fqdn-relate-ip\",\r\n \"filter\": \"VSYS_ID in (1,2,3,4,5,6,7,8) AND PROTOCOL in ('SSL', 'HTTP','DNS') AND DEPTH = 1 and UNIQ_CIP > 1 AND FQDN_NAME in ('google.com', 'baidu.com') \",\r\n \"intervals\": [\"2023-01-01 00:00:00/2024-01-02 00:00:00\"],\r\n \"exec_mode\":\"oneshot\",\r\n \"limit\": \"100\"\r\n }",
"raw":"{\n \"statement\": \"select 'General Metrics' as type, min(__time) as first_time, max(__time) as last_time from traffic_general_stat where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) union all select 'Security Policy Rule Hits' as type, min(__time) as first_time, max(__time) as last_time from security_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) union all select 'Proxy Policy Rule Hits' as type, min(__time) as first_time, max(__time) as last_time from proxy_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) union all select 'Traffic Shaping Rule Hits' as type, min(__time) as first_time, max(__time) as last_time from traffic_shaping_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) union all select 'Service Chaining Rule Hits' as type, min(__time) as first_time, max(__time) as last_time from service_chaining_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) union all select 'Internal IPs' as type, min(__time) as first_time, max(__time) as last_time from top_internal_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) union all select 'External IPs' as type, min(__time) as first_time, max(__time) as last_time from top_external_ips where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) union all select 'Subscriber IDs' as type, min(__time) as first_time, max(__time) as last_time from top_subscribers where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) union all select 'Client IPs' as type, min(__time) as first_time, max(__time) as last_time from top_client_ips union all select 'Server IPs' as type, min(__time) as first_time, max(__time) as last_time from top_server_ips where 
__time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) union all select 'Server Domains' as type, min(__time) as first_time, max(__time) as last_time from top_server_domains where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) union all select 'Server FQDNs' as type, min(__time) as first_time, max(__time) as last_time from top_server_fqdns where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) union all select 'Application Protocol Stat' as type, min(__time) as first_time, max(__time) as last_time from application_protocol_stat where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) union all select 'Storage Quota' as type, min(__time) as first_time, max(__time) as last_time from sys_storage_log where __time >= '{{start_time}}' and __time < '{{end_time}}'\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"explain select min(duration) min, median(duration) as median,avg(duration) as avg, round(QUANTILE(duration,0.8),2) as p80, round(QUANTILE(duration,0.95),2) as p95, round(QUANTILE(duration,0.99),2) as p99, max(duration) as max from ( select (processing_time-recv_time) as duration FROM session_record WHERE recv_time >= UNIX_TIMESTAMP(now())-86400 and recv_time<UNIX_TIMESTAMP(now()) )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\": \"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(recv_time,'PT30S')) as stat_time, round(sum(sent_bytes)*8/30/1000/1000,2) as Bytes_Sent_Mbps, round(sum(received_bytes)*8/30/1000/1000,2) as Bytes_Received_Mbps, round(sum(sent_bytes + received_bytes)*8/30/1000/1000,2) as Mbps, round(sum(sent_pkts + received_pkts)/30/1000,2) as Kpps, round(count(1)/30/1000,2) as \\\"Ksessions/s\\\" from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') group by stat_time order by stat_time asc\" ,\n \"output_mode\":\"json\",\n \"is_dry_run\": 1,\n \"exec_mode\": \"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select uniq(client_ip) as \\\"Client IPs\\\", uniq(server_ip) as \\\"Server IPs\\\",uniq(server_domain) as \\\"Domains\\\",uniq(http_host) as \\\"Hosts\\\", uniq(ssl_sni) as \\\"SNIs\\\" from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}')\" ,\n \"output_mode\":\"json\",\n \"is_saved_query\":1\n\n}",
"raw":"{\n \"statement\": \"SELECT server_ip ,count(*) AS count, median(sent_bytes) as median_byte_num,min(sent_bytes) as min_byte_num,sum(sent_bytes+received_bytes) as bytes FROM tsg_galaxy_v3.session_record AS session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') GROUP BY server_ip ORDER BY count DESC LIMIT 100\",\n \"exec_mode\": \"oneshot\",\n \"is_dry_run\": 0\n\n}",
"raw":"{\n \"statement\": \"select server_ip , count, num from ( SELECT server_ip , count(*) AS count, median(sent_bytes) as num FROM tsg_galaxy_v3.session_record AS session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') GROUP BY server_ip ORDER BY count DESC LIMIT 100) order by num desc\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"SELECT server_ip ,count(*) as count, median(sent_bytes) FROM session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') GROUP BY server_ip ORDER BY count DESC LIMIT 100\",\n \"exec_mode\": \"oneshot\",\n \"is_dry_run\": 1\n}",
"raw":"{\n \"statement\": \"select server_ip , count, num from ( SELECT server_ip , count(*) AS count, median(sent_bytes) as num FROM tsg_galaxy_v3.session_record AS session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') GROUP BY server_ip) order by num desc limit 100\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"SELECT server_ip ,count(*) AS count, median(sent_bytes) as num FROM tsg_galaxy_v3.session_record AS session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') GROUP BY server_ip ORDER BY sum(sent_bytes) DESC LIMIT 100\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"SELECT server_ip ,count(*) AS count, uniq(client_ip) as client_ips FROM tsg_galaxy_v3.session_record AS session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') GROUP BY server_ip ORDER BY count DESC LIMIT 100\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"SELECT server_ip ,count(*) AS count, median(sent_bytes) as num FROM tsg_galaxy_v3.session_record AS session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') GROUP BY server_ip LIMIT 100\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select * from (select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(recv_time,'PT1h','zero')) as stat_time from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') group by stat_time limit 10000) limit 10\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(recv_time,'PT30m','zero')) as stat_time, count(*) as count from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') group by stat_time limit 10000\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select * from (select server_ip, IP_TO_GEO(server_ip) as geo,IP_TO_COUNTRY(server_ip) as country, IP_TO_CITY(server_ip) as city,IP_TO_ASN(server_ip) as as_number ,IP_TO_ASN_ORG(server_ip) as as_name from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') limit 100) limit 10\",\n \"exec_mode\": \"oneshot\" \n}",
"raw":"{\n \"statement\": \"select item, sum(count) as count from ( select arrayJoin(items) as item, count from ( select bitmaskToArray(flags) as items, count(*) as count from session_record as sr where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') group by flags )) group by item order by count desc\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select item, sum(count) as count from ( select arrayJoin(items) as item, count from ( select splitByString('.',decoded_path) as items, count(*) as count from session_record as sr where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and notEmpty(decoded_path) group by decoded_path )) group by item order by count desc limit 10\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select item, sum(count) as count,sum(bytes) from ( select arrayJoin(items) as item, count, bytes from ( select monitor_rule_list as items, count(*) as count,sum(sent_bytes+received_bytes) as bytes from session_record as sr where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and notEmpty(monitor_rule_list) group by monitor_rule_list )) group by item order by count desc limit 20\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select arrayJoin(monitor_rule_list) as item, count(*) as count,sum(sent_bytes+received_bytes) as bytes from session_record as sr where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and notEmpty(monitor_rule_list) group by arrayJoin(monitor_rule_list) order by count desc limit 20\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select app_debug_info, JSONExtract(app_debug_info, 'Tuple(UNKNOWN Nested(app_name String, app_id UInt32),THIRD Nested(app_name String, app_id UInt32),USER_DEFINE Nested(app_name String, app_id UInt32) )') as parsed_json, tupleElement(tupleElement(parsed_json,'THIRD'),'app_name') THIRD_app_name, tupleElement(tupleElement(parsed_json,'USER_DEFINE'),'app_name') USER_DEFINE_app_name from session_record sr where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and notEmpty(app_debug_info) and has(THIRD_app_name,'ssl') group by app_debug_info\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\" : \"select uniq(client_ip) as \\\"Client IPs\\\", uniq(server_ip) as \\\"Server IPs\\\", uniq(server_domain) as \\\"Domains\\\", uniq(http_host) as \\\"Hosts\\\", uniq(ssl_sni) as \\\"SNIs\\\" , uniq(client_ip, server_ip) as \\\"Client and Server IPs\\\" from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}')\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select uniq(client_ip) as \\\"Client IPs\\\", uniq(server_ip) as \\\"Server IPs\\\", uniq(server_domain) as \\\"Domains\\\", uniq(http_host) as \\\"Hosts\\\", uniq(ssl_sni) as \\\"SNIs\\\" , uniq(client_ip, server_ip) as \\\"Client and Server IPs\\\" from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and ip_protocol ='tcp'\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select uniq(client_ip) as \\\"Client IPs\\\", uniq(server_ip) as \\\"Server IPs\\\", uniq(server_domain) as \\\"Domains\\\", uniq(http_host) as \\\"Hosts\\\", uniq(ssl_sni) as \\\"SNIs\\\" , uniq(client_ip, server_ip) as \\\"Client and Server IPs\\\" from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and ip_protocol ='udp'\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select round(QUANTILE(bytes,0.9999),2) as p9999, round(QUANTILE(bytes,0.999),2) as p999, round(QUANTILE(bytes,0.996),2) as p996, round(QUANTILE(bytes,0.995),2) as p995, round(QUANTILE(bytes,0.99),2) as p99, round(QUANTILE(bytes,0.98),2) as p98, round(QUANTILE(bytes,0.96),2) as p96, round(QUANTILE(bytes,0.95),2) as p95, round(QUANTILE(bytes,0.92),2) as p92, round(QUANTILE(bytes,0.90),2) as p90, round(QUANTILE(bytes,0.89),2) as p89, round(QUANTILE(bytes,0.88),2) as p88, round(median(bytes),2) as p50 from ( select server_ip, sum(sent_bytes+received_bytes) as bytes from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('tcp')) group by server_ip )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select round(QUANTILE(sessions,0.9999),2) as p9999, round(QUANTILE(sessions,0.999),2) as p999, round(QUANTILE(sessions,0.996),2) as p996, round(QUANTILE(sessions,0.995),2) as p995, round(QUANTILE(sessions,0.99),2) as p99, round(QUANTILE(sessions,0.98),2) as p98, round(QUANTILE(sessions,0.96),2) as p96, round(QUANTILE(sessions,0.95),2) as p95, round(QUANTILE(sessions,0.92),2) as p92, round(QUANTILE(sessions,0.90),2) as p90, round(QUANTILE(sessions,0.89),2) as p89, round(QUANTILE(sessions,0.88),2) as p88, round(median(sessions),2) as p50 from ( select server_ip, count(1) as sessions from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('tcp')) group by server_ip )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select round(QUANTILE(bytes,0.9999),2) as p9999, round(QUANTILE(bytes,0.999),2) as p999, round(QUANTILE(bytes,0.996),2) as p996, round(QUANTILE(bytes,0.995),2) as p995, round(QUANTILE(bytes,0.99),2) as p99, round(QUANTILE(bytes,0.98),2) as p98, round(QUANTILE(bytes,0.96),2) as p96, round(QUANTILE(bytes,0.95),2) as p95, round(QUANTILE(bytes,0.92),2) as p92, round(QUANTILE(bytes,0.90),2) as p90, round(QUANTILE(bytes,0.89),2) as p89, round(QUANTILE(bytes,0.88),2) as p88, round(median(bytes),2) as p50 from ( select server_ip, sum(sent_bytes+received_bytes) as bytes from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and ip_protocol in ('udp') and server_port in (53,443) group by server_ip )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select round(QUANTILE(sessions,0.9999),2) as p9999, round(QUANTILE(sessions,0.999),2) as p999, round(QUANTILE(sessions,0.996),2) as p996, round(QUANTILE(sessions,0.995),2) as p995, round(QUANTILE(sessions,0.99),2) as p99, round(QUANTILE(sessions,0.98),2) as p98, round(QUANTILE(sessions,0.96),2) as p96, round(QUANTILE(sessions,0.95),2) as p95, round(QUANTILE(sessions,0.92),2) as p92, round(QUANTILE(sessions,0.90),2) as p90, round(QUANTILE(sessions,0.89),2) as p89, round(QUANTILE(sessions,0.88),2) as p88, round(median(sessions),2) as p50 from ( select server_ip, count(*) as sessions from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and ip_protocol in ('udp') and server_port in (53,443) group by server_ip )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select round(QUANTILE(client_ips,0.9999),2) as p9999, round(QUANTILE(client_ips,0.999),2) as p999, round(QUANTILE(client_ips,0.996),2) as p996, round(QUANTILE(client_ips,0.995),2) as p995, round(QUANTILE(client_ips,0.99),2) as p99, round(QUANTILE(client_ips,0.98),2) as p98, round(QUANTILE(client_ips,0.96),2) as p96, round(QUANTILE(client_ips,0.95),2) as p95, round(QUANTILE(client_ips,0.92),2) as p92, round(QUANTILE(client_ips,0.90),2) as p90, round(QUANTILE(client_ips,0.89),2) as p89, round(QUANTILE(client_ips,0.88),2) as p88, round(median(client_ips),2) as p50 from ( select server_ip, uniq(client_ip) as client_ips from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('tcp')) group by server_ip )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select round(QUANTILE(client_ips,0.9999),2) as p9999, round(QUANTILE(client_ips,0.999),2) as p999, round(QUANTILE(client_ips,0.996),2) as p996, round(QUANTILE(client_ips,0.995),2) as p995, round(QUANTILE(client_ips,0.99),2) as p99, round(QUANTILE(client_ips,0.98),2) as p98, round(QUANTILE(client_ips,0.96),2) as p96, round(QUANTILE(client_ips,0.95),2) as p95, round(QUANTILE(client_ips,0.92),2) as p92, round(QUANTILE(client_ips,0.90),2) as p90, round(QUANTILE(client_ips,0.89),2) as p89, round(QUANTILE(client_ips,0.88),2) as p88, round(median(client_ips),2) as p50 from ( select server_ip, uniq(client_ip) as client_ips from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('udp')) group by server_ip )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select sum(sessions) sessions, count(*) as server_ips, ( select count(*) from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('tcp')) ) as total_sessions, round(sessions / total_sessions, 6) as percent_sessions_to_total from ( SELECT server_ip, count(*) AS sessions FROM session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('tcp')) GROUP BY server_ip order by sessions desc limit 100 )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select sum(sessions) sessions, count(*) as server_ips, ( select count(*) from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('udp')) ) as total_sessions, round(sessions / total_sessions, 6) as percent_sessions_to_total from ( SELECT server_ip, count(*) AS sessions FROM session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('udp')) GROUP BY server_ip order by sessions desc limit 100 )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select sum(bytes) as bytes, count(*) as server_ips, ( select sum(sent_bytes+received_bytes) as bytes from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('tcp')) ) as total_bytes, round(bytes / total_bytes, 6) as percent_bytes_to_total from ( SELECT server_ip, sum(sent_bytes+received_bytes) as bytes FROM session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('tcp')) GROUP BY server_ip order by bytes desc limit 100 )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select sum(bytes) as bytes, count(*) as server_ips, ( select sum(sent_bytes+received_bytes) as bytes from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('udp')) ) as total_bytes, round(bytes / total_bytes, 6) as percent_bytes_to_total from ( SELECT server_ip, sum(sent_bytes+received_bytes) as bytes FROM session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('udp')) GROUP BY server_ip order by bytes desc limit 100 )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select uniq(client_ip) as client_ips, count(*) as sessions, ( select uniq(client_ip) as total_client_ips from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('tcp')) ) as total_client_ips, round(client_ips / total_client_ips,6) as percent_client_ips_to_total, ( select count(*) as total_sessions from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('tcp')) ) as total_sessions, round(sessions / total_sessions,6) as percent_sessions_to_total, sum(sent_bytes+received_bytes) as bytes, ( select sum(sent_bytes+received_bytes) as total_bytes from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('tcp')) ) as total_bytes, round(bytes / total_bytes,6) as percent_bytes_to_total FROM session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('tcp')) and server_ip in ( SELECT server_ip FROM session_record as cc WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('tcp')) GROUP BY server_ip order by uniq(server_ip) desc limit 10 )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select uniq(client_ip) as client_ips, count(*) as sessions, ( select uniq(client_ip) as total_client_ips from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('udp')) ) as total_client_ips, round(client_ips / total_client_ips,6) as percent_client_ips_to_total, ( select count(*) as total_sessions from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('udp')) ) as total_sessions, round(sessions / total_sessions,6) as percent_sessions_to_total, sum(sent_bytes+received_bytes) as bytes, ( select sum(sent_bytes+received_bytes) as total_bytes from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('udp')) ) as total_bytes, round(bytes / total_bytes,6) as percent_bytes_to_total FROM session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('udp')) and server_ip in ( SELECT server_ip FROM session_record as cc WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') AND (ip_protocol IN ('udp')) GROUP BY server_ip order by uniq(server_ip) desc limit 10 )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select sum(sessions) sessions, count(*) as ssl_snis, ( select count(*) from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and notEmpty(ssl_sni) ) as total_sessions, round(sessions / total_sessions, 6) as percent_sessions_to_total from ( SELECT ssl_sni, count(*) AS sessions FROM session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and notEmpty(ssl_sni) GROUP BY ssl_sni order by sessions desc limit 100 )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select sum(bytes) as bytes, count(*) as ssl_snis, ( select sum(sent_bytes+received_bytes) as bytes from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and notEmpty(ssl_sni) ) as total_bytes, round(bytes / total_bytes, 6) as percent_bytes_to_total from ( SELECT ssl_sni, sum(sent_bytes+received_bytes) as bytes FROM session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and notEmpty(ssl_sni) GROUP BY ssl_sni order by bytes desc limit 100 )\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"SELECT client_ip, sum(sent_bytes + received_bytes) as bytes from session_record sr1 where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') group by client_ip order by bytes desc limit 10 union all select null, sum(sent_bytes + received_bytes) as bytes from session_record sr2 where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and sr2.client_ip not in (select client_ip from session_record sr where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') group by client_ip order by sum(sent_bytes + received_bytes) desc limit 10)\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\" : \"select round(max(url_length),2) as max, round(QUANTILE(url_length,0.9999),2) as p9999, round(QUANTILE(url_length,0.99),2) as p99, round(QUANTILE(url_length,0.95),2) as p95, round(QUANTILE(url_length,0.90),2) as p90, round(median(url_length),2) as p50 from (select length(http_url) as url_length from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and decoded_as='HTTP')\",\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select round(max(rr_length),2) as max, round(QUANTILE(rr_length,0.9999),2) as p9999, round(QUANTILE(rr_length,0.99),2) as p99, round(QUANTILE(rr_length,0.95),2) as p95, round(QUANTILE(rr_length,0.90),2) as p90, round(median(rr_length),2) as p50 from (select length(dns_rr) as rr_length from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and decoded_as='DNS')\",\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select round(max(san_length),2) as max, round(QUANTILE(san_length,0.9999),2) as p9999, round(QUANTILE(san_length,0.99),2) as p99, round(QUANTILE(san_length,0.95),2) as p95, round(QUANTILE(san_length,0.90),2) as p90, round(median(san_length),2) as p50 from (select length(ssl_san) as san_length from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and decoded_as='SSL')\",\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\": \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT30m')) as stat_time, sum(in_bytes + out_bytes)*8/1800/1000/1000 as normal_rate_mbps, sum(in_bytes + out_bytes)/count(distinct(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT15s')))*8/15/1000/1000 as usage_rate_mbps from traffic_general_stat where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1) group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT30m') order by stat_time asc \",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select server_domain as domain, round(avg(tcp_rtt_ms),0) avg_rtt_latency_ms from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') and notEmpty(server_domain) group by server_domain order by avg_rtt_latency_ms desc limit 100\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"{\n \"statement\": \"select 'Session Records' as type, count(*) as num from (select log_id,count(*) as num from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') group by log_id having num >1) union all select 'Proxy Events' as type, count(*) as num from (select log_id,count(*) as num from proxy_event where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time <UNIX_TIMESTAMP('{{end_time}}') group by log_id having num >1)\",\n \"exec_mode\": \"oneshot\"\n}",
"raw":"http://{{clickhouse_ip}}:{{clickhouse_port}}?database={{clickhouse_database}}&user={{clickhouse_user}}&password={{clickhouse_password}}&query=SELECT DISTINCT concat(host_address,':','8123') as endpoint FROM system.clusters FORMAT JSONEachRow;",
"protocol":"http",
"host":[
"{{clickhouse_ip}}"
],
"port":"{{clickhouse_port}}",
"query":[
{
"key":"database",
"value":"{{clickhouse_database}}"
},
{
"key":"user",
"value":"{{clickhouse_user}}"
},
{
"key":"password",
"value":"{{clickhouse_password}}"
},
{
"key":"query",
"value":"SELECT DISTINCT concat(host_address,':','8123') as endpoint FROM system.clusters FORMAT JSONEachRow;"
"raw":"http://{{clickhouse_ip}}:{{clickhouse_port}}?database={{clickhouse_database}}&user={{clickhouse_user}}&password={{clickhouse_password}}&query=SELECT SUM(`total_space`)/1024/1024/1024/1024 as TB FROM system.disks_cluster format JSONEachRow",
"protocol":"http",
"host":[
"{{clickhouse_ip}}"
],
"port":"{{clickhouse_port}}",
"query":[
{
"key":"database",
"value":"{{clickhouse_database}}"
},
{
"key":"user",
"value":"{{clickhouse_user}}"
},
{
"key":"password",
"value":"{{clickhouse_password}}"
},
{
"key":"query",
"value":"SELECT SUM(`total_space`)/1024/1024/1024/1024 as TB FROM system.disks_cluster format JSONEachRow"
"raw":"http://{{clickhouse_ip}}:{{clickhouse_port}}?database={{clickhouse_database}}&user={{clickhouse_user}}&password={{clickhouse_password}}&query=SELECT DISTINCT(name) FROM system.tables_cluster WHERE database = 'tsg_galaxy_v3' AND engine in ('MergeTree','ReplicatedMergeTree') FORMAT JSONEachRow;",
"protocol":"http",
"host":[
"{{clickhouse_ip}}"
],
"port":"{{clickhouse_port}}",
"query":[
{
"key":"database",
"value":"{{clickhouse_database}}"
},
{
"key":"user",
"value":"{{clickhouse_user}}"
},
{
"key":"password",
"value":"{{clickhouse_password}}"
},
{
"key":"query",
"value":"SELECT DISTINCT(name) FROM system.tables_cluster WHERE database = 'tsg_galaxy_v3' AND engine in ('MergeTree','ReplicatedMergeTree') FORMAT JSONEachRow;"
}
]
},
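"description":"Query all ClickHouse tables per IP (根据不同的ip查询所有clickhouse的表). Note: this request sends the user and password as URL query parameters over plain HTTP, where they can end up in proxy and server logs; prefer the X-ClickHouse-User / X-ClickHouse-Key headers over HTTPS."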
},
"response":[]
},
{
"name":"View which settings have been changed from the default",
"event":[
{
"listen":"test",
"script":{
"exec":[
"pm.test(\"Status code is 200\", function () {",
" pm.response.to.have.status(200);",
"});"
],
"type":"text/javascript"
}
}
],
"request":{
"method":"POST",
"header":[],
"url":{
"raw":"http://{{clickhouse_ip}}:{{clickhouse_port}}?database={{clickhouse_database}}&user={{clickhouse_user}}&password={{clickhouse_password}}&query=SELECT\n name,\n value\nFROM system.settings\nWHERE changed FORMAT JSONEachRow",
"protocol":"http",
"host":[
"{{clickhouse_ip}}"
],
"port":"{{clickhouse_port}}",
"query":[
{
"key":"database",
"value":"{{clickhouse_database}}"
},
{
"key":"user",
"value":"{{clickhouse_user}}"
},
{
"key":"password",
"value":"{{clickhouse_password}}"
},
{
"key":"option",
"value":"long-term",
"disabled":true
},
{
"key":"resultId",
"value":"129494",
"disabled":true
},
{
"key":"query",
"value":"SELECT\n name,\n value\nFROM system.settings\nWHERE changed FORMAT JSONEachRow"
}
]
}
},
"response":[]
},
{
"name":"Show disk storage, number of parts",
"event":[
{
"listen":"test",
"script":{
"exec":[
"pm.test(\"Status code is 200\", function () {",
" pm.response.to.have.status(200);",
"});"
],
"type":"text/javascript"
}
}
],
"request":{
"method":"POST",
"header":[],
"url":{
"raw":"http://{{clickhouse_ip}}:{{clickhouse_port}}?database={{clickhouse_database}}&user={{clickhouse_user}}&password={{clickhouse_password}}&query=SELECT\n database,\n table,\n partition,\n count() AS parts,\n formatReadableSize(sum(bytes_on_disk)) AS bytes_on_disk, \n formatReadableQuantity(sum(rows)) AS rows,\n sum(marks) AS marks\nFROM system.parts_cluster pc \nWHERE (database != 'system') AND active\nGROUP BY\n database,\n table,\n partition\nORDER BY database ASC FORMAT JSONEachRow",
"protocol":"http",
"host":[
"{{clickhouse_ip}}"
],
"port":"{{clickhouse_port}}",
"query":[
{
"key":"database",
"value":"{{clickhouse_database}}"
},
{
"key":"user",
"value":"{{clickhouse_user}}"
},
{
"key":"password",
"value":"{{clickhouse_password}}"
},
{
"key":"option",
"value":"long-term",
"disabled":true
},
{
"key":"resultId",
"value":"129494",
"disabled":true
},
{
"key":"query",
"value":"SELECT\n database,\n table,\n partition,\n count() AS parts,\n formatReadableSize(sum(bytes_on_disk)) AS bytes_on_disk, \n formatReadableQuantity(sum(rows)) AS rows,\n sum(marks) AS marks\nFROM system.parts_cluster pc \nWHERE (database != 'system') AND active\nGROUP BY\n database,\n table,\n partition\nORDER BY database ASC FORMAT JSONEachRow"
}
]
}
},
"response":[]
},
{
"name":"Get the size of all your tables",
"event":[
{
"listen":"test",
"script":{
"exec":[
"pm.test(\"Status code is 200\", function () {",
" pm.response.to.have.status(200);",
"});"
],
"type":"text/javascript"
}
}
],
"request":{
"method":"POST",
"header":[],
"url":{
"raw":"http://{{clickhouse_ip}}:{{clickhouse_port}}?database={{clickhouse_database}}&user={{clickhouse_user}}&password={{clickhouse_password}}&query=\nSELECT \n\ttable,\n formatReadableSize(sum(bytes)) as size\n FROM system.parts_cluster pc\n WHERE active\nGROUP BY table FORMAT JSONEachRow",
"protocol":"http",
"host":[
"{{clickhouse_ip}}"
],
"port":"{{clickhouse_port}}",
"query":[
{
"key":"database",
"value":"{{clickhouse_database}}"
},
{
"key":"user",
"value":"{{clickhouse_user}}"
},
{
"key":"password",
"value":"{{clickhouse_password}}"
},
{
"key":"option",
"value":"long-term",
"disabled":true
},
{
"key":"resultId",
"value":"129494",
"disabled":true
},
{
"key":"query",
"value":"\nSELECT \n\ttable,\n formatReadableSize(sum(bytes)) as size\n FROM system.parts_cluster pc\n WHERE active\nGROUP BY table FORMAT JSONEachRow"
}
]
}
},
"response":[]
},
{
"name":"Row count and average day size of your table",
"event":[
{
"listen":"test",
"script":{
"exec":[
"pm.test(\"Status code is 200\", function () {",
" pm.response.to.have.status(200);",
"});"
],
"type":"text/javascript"
}
}
],
"request":{
"method":"POST",
"header":[],
"url":{
"raw":"http://{{clickhouse_ip}}:{{clickhouse_port}}?database={{clickhouse_database}}&user={{clickhouse_user}}&password={{clickhouse_password}}&query=\nSELECT\n table, formatReadableSize(size) AS size,\n rows,\n days,\n formatReadableSize(avgDaySize) AS avgDaySize\nFROM\n(\n SELECT\n table,\n sum(bytes) AS size,\n sum(rows) AS rows,\n min(min_date) AS min_date,\n max(max_date) AS max_date,\n max_date - min_date AS days,\n size / (max_date - min_date) AS avgDaySize\n FROM system.parts_cluster pc\n WHERE active\n GROUP BY table\n ORDER BY rows DESC\n) FORMAT JSONEachRow",
"protocol":"http",
"host":[
"{{clickhouse_ip}}"
],
"port":"{{clickhouse_port}}",
"query":[
{
"key":"database",
"value":"{{clickhouse_database}}"
},
{
"key":"user",
"value":"{{clickhouse_user}}"
},
{
"key":"password",
"value":"{{clickhouse_password}}"
},
{
"key":"option",
"value":"long-term",
"disabled":true
},
{
"key":"resultId",
"value":"129494",
"disabled":true
},
{
"key":"query",
"value":"\nSELECT\n table, formatReadableSize(size) AS size,\n rows,\n days,\n formatReadableSize(avgDaySize) AS avgDaySize\nFROM\n(\n SELECT\n table,\n sum(bytes) AS size,\n sum(rows) AS rows,\n min(min_date) AS min_date,\n max(max_date) AS max_date,\n max_date - min_date AS days,\n size / (max_date - min_date) AS avgDaySize\n FROM system.parts_cluster pc\n WHERE active\n GROUP BY table\n ORDER BY rows DESC\n) FORMAT JSONEachRow"
}
]
}
},
"response":[]
},
{
"name":"Compression columns percentage",
"event":[
{
"listen":"test",
"script":{
"exec":[
"pm.test(\"Status code is 200\", function () {",
" pm.response.to.have.status(200);",
"});"
],
"type":"text/javascript"
}
}
],
"request":{
"method":"POST",
"header":[],
"url":{
"raw":"http://{{clickhouse_ip}}:{{clickhouse_port}}?database={{clickhouse_database}}&user={{clickhouse_user}}&password={{clickhouse_password}}&query=SELECT\n parts.*,\n columns.compressed_size,\n columns.uncompressed_size,\n columns.compression_ratio,\n columns.compression_percentage\nFROM\n(\n SELECT\n table,\n formatReadableSize(sum(data_uncompressed_bytes)) AS uncompressed_size,\n formatReadableSize(sum(data_compressed_bytes)) AS compressed_size,\n round(sum(data_compressed_bytes) / sum(data_uncompressed_bytes), 3) AS compression_ratio,\n round(100 - ((sum(data_compressed_bytes) * 100) / sum(data_uncompressed_bytes)), 3) AS compression_percentage\n FROM system.columns_cluster cc\n GROUP BY table\n) AS columns\nRIGHT JOIN\n(\n SELECT\n table,\n sum(rows) AS rows,\n max(modification_time) AS latest_modification,\n formatReadableSize(sum(bytes)) AS disk_size,\n formatReadableSize(sum(primary_key_bytes_in_memory)) AS primary_keys_size,\n any(engine) AS engine,\n sum(bytes) AS bytes_size\n FROM system.parts_cluster pc\n WHERE active\n GROUP BY\n database,\n table\n) AS parts ON columns.table = parts.table\nORDER BY parts.bytes_size DESC FORMAT JSONEachRow",
"protocol":"http",
"host":[
"{{clickhouse_ip}}"
],
"port":"{{clickhouse_port}}",
"query":[
{
"key":"database",
"value":"{{clickhouse_database}}"
},
{
"key":"user",
"value":"{{clickhouse_user}}"
},
{
"key":"password",
"value":"{{clickhouse_password}}"
},
{
"key":"option",
"value":"long-term",
"disabled":true
},
{
"key":"resultId",
"value":"129494",
"disabled":true
},
{
"key":"query",
"value":"SELECT\n parts.*,\n columns.compressed_size,\n columns.uncompressed_size,\n columns.compression_ratio,\n columns.compression_percentage\nFROM\n(\n SELECT\n table,\n formatReadableSize(sum(data_uncompressed_bytes)) AS uncompressed_size,\n formatReadableSize(sum(data_compressed_bytes)) AS compressed_size,\n round(sum(data_compressed_bytes) / sum(data_uncompressed_bytes), 3) AS compression_ratio,\n round(100 - ((sum(data_compressed_bytes) * 100) / sum(data_uncompressed_bytes)), 3) AS compression_percentage\n FROM system.columns_cluster cc\n GROUP BY table\n) AS columns\nRIGHT JOIN\n(\n SELECT\n table,\n sum(rows) AS rows,\n max(modification_time) AS latest_modification,\n formatReadableSize(sum(bytes)) AS disk_size,\n formatReadableSize(sum(primary_key_bytes_in_memory)) AS primary_keys_size,\n any(engine) AS engine,\n sum(bytes) AS bytes_size\n FROM system.parts_cluster pc\n WHERE active\n GROUP BY\n database,\n table\n) AS parts ON columns.table = parts.table\nORDER BY parts.bytes_size DESC FORMAT JSONEachRow"
}
]
}
},
"response":[]
},
{
"name":"Find queries that are stuck",
"event":[
{
"listen":"test",
"script":{
"exec":[
"pm.test(\"Status code is 200\", function () {",
" pm.response.to.have.status(200);",
"});"
],
"type":"text/javascript"
}
}
],
"request":{
"method":"GET",
"header":[],
"url":{
"raw":"http://{{clickhouse_ip}}:{{clickhouse_port}}?database={{clickhouse_database}}&user={{clickhouse_user}}&password={{clickhouse_password}}&query=SELECT elapsed, initial_user, client_name, hostname(), query_id, query FROM system.processes AS pc ORDER BY elapsed DESC format JSONEachRow",
"protocol":"http",
"host":[
"{{clickhouse_ip}}"
],
"port":"{{clickhouse_port}}",
"query":[
{
"key":"database",
"value":"{{clickhouse_database}}"
},
{
"key":"user",
"value":"{{clickhouse_user}}"
},
{
"key":"password",
"value":"{{clickhouse_password}}"
},
{
"key":"option",
"value":"long-term",
"disabled":true
},
{
"key":"resultId",
"value":"129494",
"disabled":true
},
{
"key":"query",
"value":"SELECT elapsed, initial_user, client_name, hostname(), query_id, query FROM system.processes AS pc ORDER BY elapsed DESC format JSONEachRow"
"raw":"{\n \"statement\" : \"SELECT initial_query_id, type as error_type, query_start_time, intDiv(query_duration_ms,1000) as query_duration_s , query , exception, initial_user , http_user_agent , initial_address FROM system.query_log_cluster where type IN ('ExceptionBeforeStart', 'ExceptionWhileProcessing') and initial_query_id = query_id and event_time > (now()-86400) and event_time < now() order by event_time desc limit 100\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select databases, initial_query_id , query, event_time, intDiv(query_duration_ms,1000) as query_duration_s, read_rows , read_bytes , initial_user, http_user_agent, initial_address from system.query_log_cluster where query_kind = 'Select' and query_start_time>(now()-86400) and initial_query_id = query_id and type IN ('QueryFinish') order by query_duration_ms desc limit 100\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select arrayJoin(columns) as used_columns, count() as columns_num from system.query_log_cluster where query_kind = 'Select' and query_start_time>(now()-86400) and initial_query_id = query_id and type IN ('QueryFinish') group by used_columns order by columns_num desc limit 100\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select\\n anyLast(query) as sql,\\n intDiv(avg(query_duration_ms),1000) as avg_query_duration_s,\\n intDiv(max(query_duration_ms),1000) as max_query_duration_s,\\n QUANTILE(query_duration_ms, 0.95)/1000 as p95_query_duration_s, \\n max(read_rows) ,\\n anyLast(http_user_agent) as last_http_user_agent,\\n used_aggregate_functions,\\n count() as query_count\\nfrom\\n system.query_log_cluster\\nwhere\\n query_kind = 'Select'\\n and query_start_time>(now()-86400)\\n and initial_query_id = query_id\\n and type IN ('QueryFinish')\\n and empty(used_aggregate_functions ) = 0\\ngroup by\\n toString(used_functions),\\n toString(used_aggregate_functions ),\\n toString(columns)\\norder by\\n avg_query_duration_s desc\\nlimit 100\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"select anyLast(query) as sql, intDiv(avg(query_duration_ms),1000) as avg_query_duration_s, toInt64(avg(memory_usage))/1024/1024 as avg_memory_MB, used_aggregate_functions, avg(ProfileEvents['FileOpen']) as FileOpen, avg(ProfileEvents['DiskReadElapsedMicroseconds'])/1000000 as DiskRead_s,count() as query_count from system.query_log_cluster where query_kind = 'Select' and query_start_time>(now()-86400) and initial_query_id != query_id and type IN ('QueryFinish') and empty(used_aggregate_functions ) = 0 group by toString(used_functions), toString(used_aggregate_functions ), toString(columns) order by avg_memory_MB desc limit 100\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\n \"statement\" : \"SELECT type, event_time, initial_query_id, formatReadableSize(memory_usage) AS memory, \n `ProfileEvents.Values`[indexOf(`ProfileEvents.Names`, 'UserTimeMicroseconds')] AS userCPU,\n `ProfileEvents.Values`[indexOf(`ProfileEvents.Names`, 'SystemTimeMicroseconds')] AS systemCPU, normalizedQueryHash(query) AS normalized_query_hash FROM system.query_log_cluster where query_start_time>(now()-86400) ORDER BY memory_usage DESC LIMIT 10\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"raw":"{\"query\":\"SELECT used_size/1024/1024/1024 as used_size_GB FROM sys_storage_log WHERE log_type = 'Report and Metrics' ORDER BY __time DESC LIMIT 1\",\"context\":{\"skipEmptyBuckets\":\"false\"},\"resultFormat\":\"object\"}",
"raw":"{\n \"statement\" : \"select time_floor(__time,'PT30m') as stat_time, sum(in_bytes + out_bytes)*8/1800/1000/1000 as normal_rate_mbps, sum(in_bytes + out_bytes)/count(distinct(time_floor(__time,'PT15S')))*8/15/1000/1000 as usage_rate_mbps from traffic_general_stat where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1) group by time_floor(__time,'PT30m') order by stat_time asc\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",