From 99a303b940e840d62457bb84b2628c3987648fb9 Mon Sep 17 00:00:00 2001
From: doufenghu
Date: Fri, 29 Dec 2023 11:59:29 +0800
Subject: [PATCH] update 24.01
---
 ...hooting-api-24.01.postman_collection.json} | 3737 ++++-------------
 1 file changed, 741 insertions(+), 2996 deletions(-)
 rename 24.01/{TSG OLAP API V24.01.postman_collection.json => Galaxy-troubleshooting-api-24.01.postman_collection.json} (65%)
diff --git a/24.01/TSG OLAP API V24.01.postman_collection.json b/24.01/Galaxy-troubleshooting-api-24.01.postman_collection.json
similarity index 65%
rename from 24.01/TSG OLAP API V24.01.postman_collection.json
rename to 24.01/Galaxy-troubleshooting-api-24.01.postman_collection.json
index 06eb063..42ba041 100644
--- a/24.01/TSG OLAP API V24.01.postman_collection.json
+++ b/24.01/Galaxy-troubleshooting-api-24.01.postman_collection.json
@@ -1,2535 +1,12 @@ { "info": { "_postman_id": "4a92abcb-8edf-485a-9067-69ef14ec0741", - "name": "TSG OLAP API V24.01", + "name": "Galaxy-troubleshooting-api-24.01", "description": "# galaxy-troubleshooting-api\n\n使用Postman组件,基于Rest API接口对TSG OLAP 进行功能验证。包括组件健康检查,功能集成测试及故障诊断。\n\n## Release 24.01 (31 JAN 2024)\n\n###### New Features\n\n- 依据OLAP API 组织接口\n- 接口进行重构,不再兼容23.10及之前版本\n \n\n## Release 23.10 (30 OCT 2023)\n\n###### Update\n\n- 会话日志增加毫米级时间戳字段common_start_timestamp_ms, common_end_timestamp_ms\n- 会话日志增加操作系统指纹common_client_os_name,common_server_os_name\n \n\n## Release 23.09 (30 SEP 2023)\n\n###### Update\n\n- metrics 修改表名由statistics_object改为object_statistics\n- Flags统计增加Bidirectional标识\n- Closed Session Records 增加http_status_code, ssl_esni_flag, ssl_ech_flag\n- 删除Kafka Topics 目录\n \n\n## Release 23.08 (21 AUG 2023)\n\n###### New Features\n\n- Metrics增加Statistics Policy 相关接口\n- Metrics增加Statistics Object 相关接口\n- Metrics增加Statistics rule 命中计数接口\n \n\n###### Update\n\n- 会话日志查询,增加重命名字段common_out_link_id、common_in_link_id\n \n\n## Release 23.07 (21 JUL 2023)\n\n###### Update\n\n- 修复Network Throughput Active Sessions计算错误,不除时间粒度\n \n\n## Release 23.06 (21 JUN 2023)\n\n###### Update\n\n- 优化Limit返回值\n \n\n## Release 23.05 (28 MAY 2023)\n\n###### New Features\n\n- 增加Service chaining统计接口\n- QGW增加嵌套子查询接口,用于验证高级搜索\n \n\n###### Update\n\n- Main Dashboard统计接口重构,更改统计源\n- Live Traffic Chart 接口重构,更改统计源\n- 原代理日志拆分为Intercept和Manipulation\n- 相关Metrics的Schema更改为重构后的数据源\n \n\n## Release 23.04 (28 APR 2023)\n\n###### New Features\n\n- 增加数据写入延迟接口Session Insert Latency Distribution\n- 增加数据写入Kafka延迟接口 Session Ingestion Latency Distribution\n \n\n###### Update\n\n- 重构 Security Policy Hits Metrics 统计\n- 重构 Traffic Shaping Metrics 统计\n \n\n## Release 23.03 (28 MAR 2023)\n\n###### New Features\n\n- 目录整体重构,重新梳理功能,便于Newman CLI运行\n- ClickHouse目录下增加慢查询故障诊断语句\n- 参数与API接口统一改为英文,避免中文编码执行异常\n- 加密环境变量密码、token等敏感信息\n- 定义全局动态变量:时间范围、随机IP、随机域名等\n \n\n###### Update\n\n- Flags 添加C2S与S2C标志位标签\n \n\n## 
Release 23.02 (28 FEB 2023)\n\n###### New Features\n\n- 增加Traffic Shaping 相关统计接口\n \n\n###### Update\n\n- 会话日志增加列common_shaping_rule_ids\n- 会话与安全事件日志增加列common_server_domain\n- 会话与安全事件日志增加列common_flags_identify_info\n \n\n## Release 23.01 (31 JAN 2023)\n\n###### Update\n\n- 会话与安全事件日志增加列common_server_fqdn\n- 会话与安全事件日志增加列common_app_full_path\n \n\n## Release 22.12 (30 DEC 2022)\n\n###### New Features\n\n- 新增Dashboards-增加App推荐\n- 新增系统报告-会话日志Flags统计\n- 新增系统报告-会话日志Flags占比\n \n\n###### Update\n\n- 会话与安全事件日志增加common_flags列\n- 自定义IP映射-增加对ASN函数\n \n\n## Release 22.1 (30 NOV 2022)\n\n###### New Features\n\n###### Update\n\n- 会话与安全事件日志增加ssl_ja3s_hash列\n \n\n## Release 22.10 (30 OCT 2022)\n\n###### New Features\n\n- 06其它-功能验证-Traffic Summary增加Throughput接口\n \n ###### Update\n \n- 更新原有查询,将VSYS ID作为默认查询条件\n \n\n## Release 22.09 (30 SEP 2022)\n\n###### Update\n\n- 会话与安全事件日志增加common_tunnel_endpoint_a_desc, common_tunnel_endpoint_b_desc,dtls_sni 列\n \n\n## Release 22.08 (31 AUG 2022)\n\n###### New Features\n\n- 其它-查询网关-Live Charts 总带宽流量校验\n- 增加检查数据流-SQL执行计划\n- 增加检查数据流-SQL查看表结构\n- 增加检查数据推荐-推荐IMSI到TEID关系\n- 增加检查数据推荐-推荐IMEI到TEID关系\n- 增加检查数据推荐-推荐Phone Number到TEID关系\n- 增加检查数据推荐-推荐apn到TEID关系\n- 增加检查数据推荐-实时查询任务-提交查询任务(实时统计)\n- 增加检查数据推荐-实时查询任务-获取任务结果(实时统计)\n- 增加检查数据推荐-知识库列表\n- 增加预处理检查-检测预处理延迟\n- 增加预处理检查-已关闭会话日志延迟分布\n \n ###### Update\n \n\n## Release 22.07 (30 JUL 2022)\n\n###### New Features\n\n- 增加检查数据推荐-Top Server IP流量概况评估\n- 增加检查数据推荐-Top SNI 流量概况评估\n \n ###### Update\n \n\n## Release 22.06 (30 JUE 2022)\n\n###### New Features\n\n- 检查数据流-增加存储配额一致性检查\n \n ###### Update\n \n- 系统报告检查-增加与CM默认VSYSID=1参数\n \n\n## Release 22.05 (31 MAY 2022)\n\n###### New Features\n\n###### Update\n\n- 检查日志-会话日志/安全事件日志增加RDP类型校验\n \n\n## Release 22.04 (29 APR 2022)\n\n###### New Features\n\n###### Update\n\n- 预处理检查-是否有数据验证,改为通过console后台打印日志\n- Dashboards Top部分功能增加device_group, data_center维度校验\n \n\n## Release 22.03 (8 APR 2022)\n\n###### New Features\n\n- 增加数据预处理检查,为每类日志增加多个测试用例,区分功能或无数据问题\n \n ###### Update\n 
\n- 其它-评估日志预处理,增加ETL处理时延和写入Kafka时延指标\n- 检查日志模块对会话,安全和代理事件日志基于具体字段查询\n \n\n###### Delete\n\n- 删除检查数据流,关于Topic的测试用例\n \n\n## Release 22.02 (8 MAR 2022)\n\n###### New Features\n\n- 检查数据流-元数据检查 增加schema评价文件事件日志\n \n\n## Release 22.01 (27 JAN 2022)\n\n###### New Features\n\n- 检查数据流-TopN计算 增加Application接口验证\n \n\n###### Update\n\n- 重新梳理分类,删除无用接口\n- 重新排列分类,将系统自检放到首位\n \n\n## Release 21.12 (1 Dec 2021)\n\n###### New Features\n\n- 新增数据推荐查询-实时查询任务\n- 新增数据推荐查询-推荐Subscriber ID 到IP关系\n- 新增数据推荐查询-推荐APP活跃客户端IP\n- 新增数据推荐查询-推荐TopN Server IP\n- 新增数据推荐查询-推荐TopN SNI\n- 新增常用快捷功能-查询网关,增加优化查询测试集\n - Top 查询优化\n - Calcite 缓存查询\n - 自定义时间函数补全功能\n\n###### Update\n\n- Dashboard 查询,代理策略命中动作增加Edit Element 统计\n \n\n## Release 21.11 (5 Nov 2021)\n\n###### New Features\n\n- Delete\n- Update\n- 修改报告查询接口(由查询mariadb方式变更为API接口)\n- 修改规范“数据推荐查询”所有接口的命名\n \n\n## Release 21.10 (28 OCT 2021)\n\n###### New Features\n\n- 新增HOS健康状态检测接口\n- Delete\n- 删除原ClickHouse/Druid/ArangoDB 状态检查接口\n \n\n## Release 21.09 (23 SEP 2021)\n\n###### New Features\n\n- Update\n- 删除分布式调度任务,5分钟TOPN校验,交由FLink统计\n- 原始日志表名进行重命名,相关查询接口更新\n- 修正DNS分析的SQL数据集\n \n\n## Release 21.08 (15 AUG 2021)\n\n###### New Features\n\n- 新增“Dashboard查询-DoS Threat Map”功能列表,显示DoS检测地图接口\n- 新增“原始日志查询-DoS事件日志”,显示DoS攻击检测日志\n- 新增“原始日志查询-DoS事件日志-Summary”,显示DoS攻击趋势统计\n- 新增“原始日志查询-DoS事件日志-Destination IP Traffic Trend”,显示受害者IP历史流量趋势\n- Update\n- 迁移“Dashboard查询”liveCharts接口,放到“Live Charts”目录中统一管理。\n- 对DNS分析,增加一些查询样例\n \n\n## Release 21.07 (5 JUL 2021)\n\n###### New Features\n\n- 增加”常用快捷功能-基数统计“,用于分析日志分布情况\n- 增加”常用快捷功能-DNS放大攻击“,查询特征数据集\n- 增加”通用检查-对象存储-获取某个文件“,用于文件获取验证\n \n\n###### Update\n\n- 为所有接口增加Tests脚本,对接口进行批量验证测试\n- 修正部分接口查询异常\n \n\n## Release 21.06 (7 JUN 2021)\n\n###### New Features\n\n- Environments 增加环境变量domain、client_ip、server_ip、l7_protocol和PT1M_TIME\n- 常用快捷功能增加某域名下钻、某IP下钻、协议下钻和DNS分析功能\n \n\n###### Update\n\n- 原始日志查询,基于Druid近1小时日志变化粒度从5分钟改为1分钟。包含通联、策略和代理日志。\n \n\n## Release 21.05 (6 MAY 2021)\n\n###### New Features\n\n- 新增“GTP-C日志”功能,辅助故障诊断\n- 
新增“事务日志”功能,辅助故障诊断\n- 新增“活跃会话日志”功能,辅助故障诊断\n- 新增“07.常用快捷功能-评估写入日志量”,查看当前系统的吞吐\n \n\n###### Update\n\n- 修改\"01.通用检查-数据存储检查\",增加事务、活跃及GTP-C 检测\n \n\n## Release 21.04 (3 APR 2021)\n\n###### New Features\n\n- 增加“VoIP日志”功能,辅助故障诊断\n- 增加“元数据检查”分类目录\n- 增加“HOS对象存储”目录,用于定位对象存储\n \n\n###### Update\n\n- 修改“SQL语法检查”为“SQL语法验证”,支持SQL语句的静态分析和数据库语义验证\n- 迁移功能项位置,方便问题定位\n \n\n###### Delete\n\n- 删除“系统检查-查询引擎SQL测试集\\[过时\\]”功能,由“故障诊断-sql性能测试”替代。\n \n\n## Release 21.03 (2 MAR 2021)\n\n###### New Features\n\n- 增加故障诊断-元数据功能,可分析日志字段是否与schema一致\n- 增加故障诊断-sql性能测试,可对查询引擎进行功能性验证和POC性能测试\n \n\n###### Update\n\n- 对查询引擎SQL测试集标记过时\n \n\n## Release 21.02 (1 FEB 2021)\n\n###### Update\n\n- 改善内部测试集,应对新的功能修改\n \n\n## Release 20.11.rc3 (11 DEC 2020)\n\n###### New Features\n\n- 增加常用快捷功能- 安装证书独立客户端IP数据趋势\n- 增加常用快捷功能-访问速度最慢TOP20 域名\n- 增加常用快捷功能-报告预置Metrics\n- 增加原始日志查询-安全策略-动作命中计数\n- 增加原始日志查询-代理策略-动作命中计数\n- 增加原始日志查询-通联-流量计数(now)\n \n\n###### Update\n\n- 改善Dashboard查询-基础统计-新建、活跃(计数)-now\n- 改善Dashboard查询-新建、活跃(趋势)\n- 目录增加编号,便于管理\n- 修改分布式调度任务-5分钟TOPN-hot表验证表名\n- 部分Action为post 改为 get,便于导出命令行", "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json", "_exporter_id": "8105037" }, "item": [ - { - "name": "Tools(Deprecated)", - "item": [ - { - "name": "Execute SQL(Deprecated)", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/sql/?query=select MEDIAN_HDR(in_latency_ms_sketch) from statistics_rule limit 1", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "sql", - "" - ], - "query": [ - { - "key": "option", - "value": "long-term", - "disabled": true - }, - { - "key": "resultId", - "value": "129494", - "disabled": true - }, - { - "key": "query", - "value": "select MEDIAN_HDR(in_latency_ms_sketch) 
from statistics_rule limit 1" - } - ] - } - }, - "response": [] - }, - { - "name": "SQL Syntax Validation", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/sql/?option=syntax_validation&query=SELECT\n\tsum(\"Sessions\") AS \"Sessions\",\n\tsum(\"Client IP\") AS \"Client IP\",\n\tsum(\"Server IP\") AS \"Server IP\"\nFROM\n\t(\n\tSELECT\n\t\tssl_sni AS \"SSL.SNI\",\n\t\tcount(client_ip) AS \"Client IP\",\n\t\tcount(server_ip) AS \"Server IP\",\n\t\tcount(1) AS \"Sessions\"\n\tFROM\n\t\t(\n\t\tSELECT\n\t\t\t*\n\t\tFROM\n\t\t\ttsg_galaxy_v3.security_event\n\t\tLIMIT 100) AS security_event\n\tWHERE\n\t\t1 = 1\n\tGROUP BY\n\t\t\"SSL.SNI\") ORDER BY \"Sessions\" DESC, \"Client IP\" DESC, \"Server IP\" DESC LIMIT 50 ", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "sql", - "" - ], - "query": [ - { - "key": "option", - "value": "syntax_validation" - }, - { - "key": "query", - "value": "SELECT\n\tsum(\"Sessions\") AS \"Sessions\",\n\tsum(\"Client IP\") AS \"Client IP\",\n\tsum(\"Server IP\") AS \"Server IP\"\nFROM\n\t(\n\tSELECT\n\t\tssl_sni AS \"SSL.SNI\",\n\t\tcount(client_ip) AS \"Client IP\",\n\t\tcount(server_ip) AS \"Server IP\",\n\t\tcount(1) AS \"Sessions\"\n\tFROM\n\t\t(\n\t\tSELECT\n\t\t\t*\n\t\tFROM\n\t\t\ttsg_galaxy_v3.security_event\n\t\tLIMIT 100) AS security_event\n\tWHERE\n\t\t1 = 1\n\tGROUP BY\n\t\t\"SSL.SNI\") ORDER BY \"Sessions\" DESC, \"Client IP\" DESC, \"Server IP\" DESC LIMIT 50 " - } - ] - } - }, - "response": [] - }, - { - "name": "SQL Syntax Parse", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - 
} - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/sql/?option=syntax_parse&query=select common_client_ip from session_record", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "sql", - "" - ], - "query": [ - { - "key": "option", - "value": "syntax_parse" - }, - { - "key": "query", - "value": "select common_client_ip from session_record" - } - ] - } - }, - "response": [] - }, - { - "name": "Knowledge Bases Lists", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/knowledge_base/v1", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "knowledge_base", - "v1" - ] - } - }, - "response": [] - } - ] - }, - { - "name": "Others(Deprecated)", - "item": [ - { - "name": "Reporting Dashboards", - "item": [ - { - "name": "Traffic Summary", - "item": [ - { - "name": "Throughput of Traffic Metrics", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?query=SELECT\n\t{{P1D_TIME}} as stat_time,\n\tround(SUM(in_pkts + out_pkts)/ 1000 /1000.0,2) as packets_M,\n\tround(SUM(in_bytes + out_bytes)/ 1024 / 1024 / 1024.0,2) as bytes_GB,\n round(SUM(closed_sessions)/ 1000 / 1000.0,2) as sessions_M\nFROM\n\ttraffic_general_stat\nWHERE\n\t__time >= '{{start_time}}'\n\tand __time < '{{end_time}}'\ngroup by\n\t{{P1D_TIME}}\norder by\n\tstat_time", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" 
- ], - "query": [ - { - "key": "query", - "value": "SELECT\n\t{{P1D_TIME}} as stat_time,\n\tround(SUM(in_pkts + out_pkts)/ 1000 /1000.0,2) as packets_M,\n\tround(SUM(in_bytes + out_bytes)/ 1024 / 1024 / 1024.0,2) as bytes_GB,\n round(SUM(closed_sessions)/ 1000 / 1000.0,2) as sessions_M\nFROM\n\ttraffic_general_stat\nWHERE\n\t__time >= '{{start_time}}'\n\tand __time < '{{end_time}}'\ngroup by\n\t{{P1D_TIME}}\norder by\n\tstat_time" - } - ] - } - }, - "response": [] - }, - { - "name": "Throughput of Protocol Metrics", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?query=SELECT\n\t{{P1D_TIME}} as stat_time,\n\tround(SUM(in_pkts + out_pkts)/ 1000 /1000.0,2) as packets_M,\n\tround(SUM(in_bytes + out_bytes)/ 1024 / 1024 / 1024.0,2) as bytes_GB,\n round(SUM(sessions)/ 1000 / 1000.0,2) as sessions_M\nFROM\n\tapplication_protocol_stat\nWHERE\n\t__time >= '{{start_time}}'\n\tand __time < '{{end_time}}' and protocol_stack_id='ETHERNET'\ngroup by\n\t{{P1D_TIME}}\norder by\n\tstat_time", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "query", - "value": "SELECT\n\t{{P1D_TIME}} as stat_time,\n\tround(SUM(in_pkts + out_pkts)/ 1000 /1000.0,2) as packets_M,\n\tround(SUM(in_bytes + out_bytes)/ 1024 / 1024 / 1024.0,2) as bytes_GB,\n round(SUM(sessions)/ 1000 / 1000.0,2) as sessions_M\nFROM\n\tapplication_protocol_stat\nWHERE\n\t__time >= '{{start_time}}'\n\tand __time < '{{end_time}}' and protocol_stack_id='ETHERNET'\ngroup by\n\t{{P1D_TIME}}\norder by\n\tstat_time" - } - ] - } - }, - "response": [] - }, - { - "name": "Throughput of closed sessions", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", 
function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?query=SELECT\n\t{{P1D_RECV_TIME}} as stat_time,\n\tround(SUM(common_c2s_pkt_num + common_s2c_pkt_num)/1000/1000,2) as packets_M,\n\tround(SUM(common_c2s_byte_num + common_s2c_byte_num)/1024/1024/1024,2) as bytes_GB,\n\tround(SUM(common_sessions)/1000/1000,2) as sessions_M\nFROM\n\tsession_record sr\nWHERE\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}')\n\tand common_recv_time < UNIX_TIMESTAMP('{{end_time}}')\ngroup by\n\t{{P1D_RECV_TIME}}\norder by\n\tstat_time\n\t", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "query", - "value": "SELECT\n\t{{P1D_RECV_TIME}} as stat_time,\n\tround(SUM(common_c2s_pkt_num + common_s2c_pkt_num)/1000/1000,2) as packets_M,\n\tround(SUM(common_c2s_byte_num + common_s2c_byte_num)/1024/1024/1024,2) as bytes_GB,\n\tround(SUM(common_sessions)/1000/1000,2) as sessions_M\nFROM\n\tsession_record sr\nWHERE\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}')\n\tand common_recv_time < UNIX_TIMESTAMP('{{end_time}}')\ngroup by\n\t{{P1D_RECV_TIME}}\norder by\n\tstat_time\n\t" - } - ] - } - }, - "response": [] - }, - { - "name": "Throughput of interim sessions", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?query=select stat_time, sum(packets_M) as packets_M, sum(bytes_GB) as byets_GB from (SELECT\n\t{{P1D_RECV_TIME}} as stat_time,\t\n\tround(SUM(common_c2s_pkt_diff + common_s2c_pkt_diff)/1000/1000,2) as packets_M,\n\tround(SUM(common_c2s_byte_diff + common_s2c_byte_diff)/1024/1024/1024,2) 
as bytes_GB\nFROM\n\tsession_record sr\nWHERE\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}')\n\tand common_recv_time < UNIX_TIMESTAMP('{{end_time}}')\ngroup by\n\t{{P1D_RECV_TIME}}\norder by\n\tstat_time\n\tunion all SELECT\n\t{{P1D_RECV_TIME}} as stat_time,\t\n\tround(SUM(common_c2s_pkt_diff + common_s2c_pkt_diff)/1000/1000,2) as packets_M,\n\tround(SUM(common_c2s_byte_diff + common_s2c_byte_diff)/1024/1024/1024,2) as bytes_GB\nFROM\n\tinterim_session_record sr\nWHERE\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}')\n\tand common_recv_time < UNIX_TIMESTAMP('{{end_time}}')\ngroup by\n\t{{P1D_RECV_TIME}}\norder by\n\tstat_time) group by stat_time order by stat_time\t", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "query", - "value": "select stat_time, sum(packets_M) as packets_M, sum(bytes_GB) as byets_GB from (SELECT\n\t{{P1D_RECV_TIME}} as stat_time,\t\n\tround(SUM(common_c2s_pkt_diff + common_s2c_pkt_diff)/1000/1000,2) as packets_M,\n\tround(SUM(common_c2s_byte_diff + common_s2c_byte_diff)/1024/1024/1024,2) as bytes_GB\nFROM\n\tsession_record sr\nWHERE\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}')\n\tand common_recv_time < UNIX_TIMESTAMP('{{end_time}}')\ngroup by\n\t{{P1D_RECV_TIME}}\norder by\n\tstat_time\n\tunion all SELECT\n\t{{P1D_RECV_TIME}} as stat_time,\t\n\tround(SUM(common_c2s_pkt_diff + common_s2c_pkt_diff)/1000/1000,2) as packets_M,\n\tround(SUM(common_c2s_byte_diff + common_s2c_byte_diff)/1024/1024/1024,2) as bytes_GB\nFROM\n\tinterim_session_record sr\nWHERE\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}')\n\tand common_recv_time < UNIX_TIMESTAMP('{{end_time}}')\ngroup by\n\t{{P1D_RECV_TIME}}\norder by\n\tstat_time) group by stat_time order by stat_time\t" - } - ] - } - }, - "response": [] - }, - { - "name": "ClickHouse Uncategorized Traffic", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 
200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?query=SELECT round(SUM(common_c2s_byte_num+common_s2c_byte_num)/1024/1024,2) as uncategorized_bytes_mb FROM session_record sr WHERE common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time < UNIX_TIMESTAMP('{{end_time}}') AND common_app_label= 'unknown'", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "query", - "value": "SELECT round(SUM(common_c2s_byte_num+common_s2c_byte_num)/1024/1024,2) as uncategorized_bytes_mb FROM session_record sr WHERE common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time < UNIX_TIMESTAMP('{{end_time}}') AND common_app_label= 'unknown'" - } - ] - } - }, - "response": [] - } - ] - }, - { - "name": "Duplicate logs Assessment", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}?query=select 'Session Records' as type, count(*) as num from (select common_log_id,count(*) as num from session_record where common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 1) union all select 'Security Events' as type, count(*) as num from (select common_log_id,count(*) as num from security_event where common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 1) union all select 'Proxy Events' as type, count(*) as num from (select common_log_id,count(*) as num from proxy_event where common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 1)", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - 
"query": [ - { - "key": "query", - "value": "select 'Session Records' as type, count(*) as num from (select common_log_id,count(*) as num from session_record where common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 1) union all select 'Security Events' as type, count(*) as num from (select common_log_id,count(*) as num from security_event where common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 1) union all select 'Proxy Events' as type, count(*) as num from (select common_log_id,count(*) as num from proxy_event where common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 1)" - } - ] - } - }, - "response": [] - }, - { - "name": "Traffic Summary for Reporting", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}?query=select \n COUNT(DISTINCT(device_id)) as device_num,\n sum(sum_bytes) as total_bytes_transferred,\n sum(sum_pkts) as total_packets_transferred,\n sum(sum_sessions) as total_new_sessions ,\n sum(sum_closed_sessions) as total_closed_sessions,\n sum(sum_sessions)/86400 as avg_new_sessions_per_second,\n sum(sum_bytes)*8/86400as avg_bits_per_second,\n sum(sum_pkts)/86400 as avg_packets_per_second,\n sum(avg_active_sessions) as avg_active_sessions,\n round(CASE WHEN sum(sum_closed_sessions) = 0 THEN 0 ELSE sum(sum_asymmetric_flows) * 1.0 / sum(sum_closed_sessions) END, 4) * 100 as percent_asymmetric_flows\n from\n ( select\n device_id,\n vsys_id,\n sum(in_bytes + out_bytes) as sum_bytes,\n sum(in_pkts + out_pkts) as sum_pkts,\n sum(sessions) as sum_sessions,\n sum(closed_sessions) as sum_closed_sessions,\n avg(active_sessions) as avg_active_sessions,\n sum(asymmetric_c2s_flows+asymmetric_s2c_flows) as sum_asymmetric_flows\n from \n 
traffic_general_stat \n where\n __time >= '{{start_time}}'\n\t\tand __time <'{{end_time}}'\n and vsys_id in (1,2,3,4,5)\n group by\n device_id, vsys_id\n ) ", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "query": [ - { - "key": "query", - "value": "select \n COUNT(DISTINCT(device_id)) as device_num,\n sum(sum_bytes) as total_bytes_transferred,\n sum(sum_pkts) as total_packets_transferred,\n sum(sum_sessions) as total_new_sessions ,\n sum(sum_closed_sessions) as total_closed_sessions,\n sum(sum_sessions)/86400 as avg_new_sessions_per_second,\n sum(sum_bytes)*8/86400as avg_bits_per_second,\n sum(sum_pkts)/86400 as avg_packets_per_second,\n sum(avg_active_sessions) as avg_active_sessions,\n round(CASE WHEN sum(sum_closed_sessions) = 0 THEN 0 ELSE sum(sum_asymmetric_flows) * 1.0 / sum(sum_closed_sessions) END, 4) * 100 as percent_asymmetric_flows\n from\n ( select\n device_id,\n vsys_id,\n sum(in_bytes + out_bytes) as sum_bytes,\n sum(in_pkts + out_pkts) as sum_pkts,\n sum(sessions) as sum_sessions,\n sum(closed_sessions) as sum_closed_sessions,\n avg(active_sessions) as avg_active_sessions,\n sum(asymmetric_c2s_flows+asymmetric_s2c_flows) as sum_asymmetric_flows\n from \n traffic_general_stat \n where\n __time >= '{{start_time}}'\n\t\tand __time <'{{end_time}}'\n and vsys_id in (1,2,3,4,5)\n group by\n device_id, vsys_id\n ) " - } - ] - } - }, - "response": [] - }, - { - "name": "Traffic in Bits/s for Reporting", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}?query=select\n FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time ,\n avg(sum_in_bytes)*8/30 as avg_in_bits_per_sec,\n avg(sum_out_bytes)*8/30 as avg_out_bits_per_sec,\n avg(sum_bytes)*8/30 as 
avg_bits_per_sec\nfrom\n (\n select\n FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT1S')) as stat_time,\n sum(in_bytes) as sum_in_bytes,\n sum(out_bytes) as sum_out_bytes,\n sum(in_bytes + out_bytes) as sum_bytes\n from\n traffic_general_stat\n where\n __time >= '{{start_time}}' and __time < '{{end_time}}'\n and vsys_id in (1,2,3,4,5)\n group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT1S')))\ngroup by\n FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) \norder by stat_time asc\nlimit 1000", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "query": [ - { - "key": "query", - "value": "select\n FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time ,\n avg(sum_in_bytes)*8/30 as avg_in_bits_per_sec,\n avg(sum_out_bytes)*8/30 as avg_out_bits_per_sec,\n avg(sum_bytes)*8/30 as avg_bits_per_sec\nfrom\n (\n select\n FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT1S')) as stat_time,\n sum(in_bytes) as sum_in_bytes,\n sum(out_bytes) as sum_out_bytes,\n sum(in_bytes + out_bytes) as sum_bytes\n from\n traffic_general_stat\n where\n __time >= '{{start_time}}' and __time < '{{end_time}}'\n and vsys_id in (1,2,3,4,5)\n group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT1S')))\ngroup by\n FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) \norder by stat_time asc\nlimit 1000" - } - ] - } - }, - "response": [] - }, - { - "name": "New Sessions/s for Reporting", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}?query=select\n FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time ,\n avg(sum_sessions)/30 as avg_sessions_per_sec\nfrom\n (\n select\n 
FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT1S')) as stat_time,\n sum(sessions) as sum_sessions\n from\n traffic_general_stat\n where\n __time >= '{{start_time}}' and __time < '{{end_time}}'\n and vsys_id in (1,2,3,4,5)\n group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT1S')))\ngroup by\n FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero'))\norder by stat_time asc\nlimit 1000", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "query": [ - { - "key": "query", - "value": "select\n FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time ,\n avg(sum_sessions)/30 as avg_sessions_per_sec\nfrom\n (\n select\n FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT1S')) as stat_time,\n sum(sessions) as sum_sessions\n from\n traffic_general_stat\n where\n __time >= '{{start_time}}' and __time < '{{end_time}}'\n and vsys_id in (1,2,3,4,5)\n group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT1S')))\ngroup by\n FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero'))\norder by stat_time asc\nlimit 1000" - } - ] - } - }, - "response": [] - }, - { - "name": "Traffic by Session Records", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?query=select\n\t{{PT30S_RECV_TIME}} as stat_time,\n\tround(sum(common_c2s_byte_num)*8/30/1000/1000,2) as Bytes_Sent_Mbps,\n\tround(sum(common_s2c_byte_num)*8/30/1000/1000,2) as Bytes_Received_Mbps,\n\tround(sum(common_c2s_byte_num + common_s2c_byte_num)*8/30/1000/1000,2) as Mbps,\n\tround(sum(common_c2s_pkt_num + common_s2c_pkt_num)/30/1000,2) as Kpps,\n\tround(sum(common_sessions)/30/1000,2) as 
\"Ksessions/s\"\nfrom\n\tsession_record\nwhere\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 3, common_sessions, 0)) as one_side_sessions,\n round(one_side_sessions/sessions, 2) as one_side_percent\nfrom\n\tsession_record crl \nwhere\n\tcommon_recv_time >= UNIX_TIMESTAMP({{Last 5 Minutes Start}})\n\tand common_recv_time < UNIX_TIMESTAMP({{now}})\n", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "query": [ - { - "key": "query", - "value": "select {{Last 5 Minutes Start}} as start_time, {{now}} as end_time, sum(common_sessions) as sessions,\n sum(if(common_stream_dir <> 3, common_sessions, 0)) as one_side_sessions,\n round(one_side_sessions/sessions, 2) as one_side_percent\nfrom\n\tsession_record crl \nwhere\n\tcommon_recv_time >= UNIX_TIMESTAMP({{Last 5 Minutes Start}})\n\tand common_recv_time < UNIX_TIMESTAMP({{now}})\n" - } - ] - } - }, - "response": [] - }, - { - "name": "Uniq Client IPs For pinning", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "tests[\"Successful POST request\"] = responseCode.code === 200 || responseCode.code === 201;" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}?query=select\n\tstat_time,\n\tuniq(common_client_ip) as client_ips\nfrom\n\t(\n\tselect\n\t\ttoDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))), 3600)* 3600) as stat_time, \n\t\tcommon_client_ip, \n\t\tcount(*) as hits\n\tfrom\n\t\tproxy_event\n\twhere common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 10 )\ngroup by\n\tstat_time\norder by\n\tstat_time", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "query": [ - { - "key": "query", - "value": "select\n\tstat_time,\n\tuniq(common_client_ip) as 
client_ips\nfrom\n\t(\n\tselect\n\t\ttoDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))), 3600)* 3600) as stat_time, \n\t\tcommon_client_ip, \n\t\tcount(*) as hits\n\tfrom\n\t\tproxy_event\n\twhere common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 10 )\ngroup by\n\tstat_time\norder by\n\tstat_time" - } - ] - } - }, - "response": [] - }, - { - "name": "Top frequent elements in FQDN Category", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "tests[\"Successful POST request\"] = responseCode.code === 200 || responseCode.code === 201;" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}?query=select\n\titem,\n\tsum(count) as count\nfrom\n\t(\n\tselect\n\t\tarrayJoin(items) as item,\n\t\tcount\n\tfrom\n\t\t(\n\t\tselect\n\t\t\tcommon_service_category as items,\n\t\t\tcount(*) as count\n\t\tfrom\n\t\t\tsession_record sr\n\t\twhere common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP(now())-86400\n and common_recv_time= UNIX_TIMESTAMP(now())-86400\n and common_recv_time= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 100\norder by\n\tports_num desc limit 50", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "query": [ - { - "key": "query", - "value": "\nselect\n\tcommon_server_ip,\n\tgroupUniqArray(common_server_port) as ports,\n\tif(notEmpty(ports),length(ports),0) as ports_num\nfrom\n\tsession_record crl\nwhere \tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 100\norder by\n\tports_num desc limit 50" - } - ] - } - }, - "response": [] - }, - 
{ - "name": "Validate Session Index Tables", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "request": { - "method": "GET", - "header": [], - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}?query= select 'Total' as type, count(*) as logs from session_record where\n\tcommon_recv_time >= UNIX_TIMESTAMP({{Last 24 Hour Start}})\n\tand common_recv_time < UNIX_TIMESTAMP({{now}})\nunion all \nselect 'Client IP' as type, count(*) as logs from session_record_common_client_ip where\n\tcommon_recv_time >= UNIX_TIMESTAMP({{Last 24 Hour Start}})\n\tand common_recv_time < UNIX_TIMESTAMP({{now}})\nunion all\nselect 'Server IP' as type, count(*) as logs from session_record_common_server_ip where\n\tcommon_recv_time >= UNIX_TIMESTAMP({{Last 24 Hour Start}})\n\tand common_recv_time < UNIX_TIMESTAMP({{now}})\nunion all\nselect 'Domain' as type, count(*) as logs from session_record_common_server_domain where\n\tcommon_recv_time >= UNIX_TIMESTAMP({{Last 24 Hour Start}})\n\tand common_recv_time < UNIX_TIMESTAMP({{now}})\n", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "query": [ - { - "key": "query", - "value": " select 'Total' as type, count(*) as logs from session_record where\n\tcommon_recv_time >= UNIX_TIMESTAMP({{Last 24 Hour Start}})\n\tand common_recv_time < UNIX_TIMESTAMP({{now}})\nunion all \nselect 'Client IP' as type, count(*) as logs from session_record_common_client_ip where\n\tcommon_recv_time >= UNIX_TIMESTAMP({{Last 24 Hour Start}})\n\tand common_recv_time < UNIX_TIMESTAMP({{now}})\nunion all\nselect 'Server IP' as type, count(*) as logs from session_record_common_server_ip where\n\tcommon_recv_time >= UNIX_TIMESTAMP({{Last 24 Hour Start}})\n\tand common_recv_time < UNIX_TIMESTAMP({{now}})\nunion all\nselect 'Domain' as type, count(*) as logs from 
session_record_common_server_domain where\n\tcommon_recv_time >= UNIX_TIMESTAMP({{Last 24 Hour Start}})\n\tand common_recv_time < UNIX_TIMESTAMP({{now}})\n" - } - ] - } - }, - "response": [] - } - ] - }, - { - "name": "Domain Drill Down", - "item": [ - { - "name": "Domain Entity", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "protocolProfileBehavior": { - "disableBodyPruning": true - }, - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "formdata", - "formdata": [] - }, - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?query=select FROM_UNIXTIME(min(common_recv_time)) as \"First Seen\" , groupUniqArray(common_l7_protocol) as protocols,FROM_UNIXTIME(max(common_recv_time)) as \"Last Seen\" , median(http_response_latency_ms) as \"Server Processing Time Median(ms)\", count(1) as Responses,round(sum(common_c2s_byte_num+common_s2c_byte_num)/1024/1024/1024,2) as bytes, any(common_server_location) as Location from session_record where common_server_domain='{{domain}}' and common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = 
UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\ngroup by\n\tdns_qname\norder by\n\terros desc\nlimit 50\n", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "option", - "value": "long-term", - "disabled": true - }, - { - "key": "resultId", - "value": "129494", - "disabled": true - }, - { - "key": "query", - "value": "select\n\tdns_qname,\n\tcount(1) as erros,\n\tsum(common_c2s_byte_diff+common_s2c_byte_diff) as total_bytes,\n\tsum(common_c2s_pkt_diff+common_s2c_pkt_diff) as total_packets,\n\tsum(common_c2s_byte_diff) as total_request_bytes,\n\tsum(common_s2c_byte_diff) as total_response_bytes,\n\tsum(common_c2s_pkt_diff) as total_request_packets,\n\tsum(common_s2c_pkt_diff) as total_response_packets\nfrom\n\ttransaction_record\nwhere\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\ngroup by\n\tdns_qname\norder by\n\terros desc\nlimit 50\n" - } - ] - } - }, - "response": [] - }, - { - "name": "DNS server ip", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "protocolProfileBehavior": { - "disableBodyPruning": true - }, - "request": { 
- "method": "GET", - "header": [], - "body": { - "mode": "formdata", - "formdata": [] - }, - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?query=select\n\tcommon_server_ip,\n\tany(common_server_location) as location,\n\tcount(1) as requests,\n\tsum(common_c2s_byte_diff+common_s2c_byte_diff) as total_bytes,\n\tsum(common_c2s_pkt_diff+common_s2c_pkt_diff) as total_packets,\n\tsum(common_c2s_byte_diff) as total_request_bytes,\n\tsum(common_s2c_byte_diff) as total_response_bytes,\n\tsum(common_c2s_pkt_diff) as total_request_packets,\n\tsum(common_s2c_pkt_diff) as total_response_packets\nfrom\n\ttransaction_record\nwhere\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\ngroup by\n\tcommon_server_ip\norder by\n\terros desc\nlimit 50\n", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "option", - "value": "long-term", - "disabled": true - }, - { - "key": "resultId", - "value": "129494", - "disabled": true - }, - { - "key": "query", - "value": "select\n\tcommon_server_ip,\n\tany(common_server_location) as location,\n\tcount(1) as erros,\n\tsum(common_c2s_byte_diff+common_s2c_byte_diff) as total_bytes,\n\tsum(common_c2s_pkt_diff+common_s2c_pkt_diff) as total_packets,\n\tsum(common_c2s_byte_diff) as total_request_bytes,\n\tsum(common_s2c_byte_diff) as total_response_bytes,\n\tsum(common_c2s_pkt_diff) as total_request_packets,\n\tsum(common_s2c_pkt_diff) as total_response_packets\nfrom\n\ttransaction_record\nwhere\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\ngroup by\n\tcommon_server_ip\norder by\n\terros desc\nlimit 50\n" - } - ] - } - }, - "response": [] - }, - { - "name": "DNS IP Conversations With Highest Errors", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", 
function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "protocolProfileBehavior": { - "disableBodyPruning": true - }, - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "formdata", - "formdata": [] - }, - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?query=select\n\tcommon_client_ip,\n\tcommon_server_ip,\n\tcount(1) as erros,\n\tsum(common_c2s_byte_diff+common_s2c_byte_diff) as total_bytes,\n\tsum(common_c2s_pkt_diff+common_s2c_pkt_diff) as total_packets,\n\tsum(common_c2s_byte_diff) as total_request_bytes,\n\tsum(common_s2c_byte_diff) as total_response_bytes,\n\tsum(common_c2s_pkt_diff) as total_request_packets,\n\tsum(common_s2c_pkt_diff) as total_response_packets\nfrom\n\ttransaction_record\nwhere\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\ngroup by\n\tcommon_client_ip,\n\tcommon_server_ip\norder by\n\terros desc\nlimit 50\n", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "option", - "value": "long-term", - "disabled": true - }, - { - "key": "resultId", - "value": "129494", - "disabled": true - }, - { - "key": "query", - "value": "select\n\tcommon_client_ip,\n\tcommon_server_ip,\n\tcount(1) as erros,\n\tsum(common_c2s_byte_diff+common_s2c_byte_diff) as total_bytes,\n\tsum(common_c2s_pkt_diff+common_s2c_pkt_diff) as total_packets,\n\tsum(common_c2s_byte_diff) as total_request_bytes,\n\tsum(common_s2c_byte_diff) as total_response_bytes,\n\tsum(common_c2s_pkt_diff) as total_request_packets,\n\tsum(common_s2c_pkt_diff) as total_response_packets\nfrom\n\ttransaction_record\nwhere\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\ngroup by\n\tcommon_client_ip,\n\tcommon_server_ip\norder by\n\terros desc\nlimit 50\n" - } - ] - } - }, - "response": [] - }, - { - "name": "DNS Requests With Highes Erros", - "event": [ - { - "listen": "test", - 
"script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "protocolProfileBehavior": { - "disableBodyPruning": true - }, - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "formdata", - "formdata": [] - }, - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?query=select common_client_ip, \n\t\tcommon_server_ip,(CASE\n\t\tWHEN dns_rcode = 0 THEN 'No error'\n\t\tWHEN dns_rcode = 1 THEN 'Format error'\n\t\tWHEN dns_rcode = 2 THEN 'Server failure'\n\t\tWHEN dns_rcode = 3 THEN 'Name Error'\n\t\tWHEN dns_rcode = 4 THEN 'Not Implemented'\n\t\tWHEN dns_rcode = 5 THEN 'Refused'\n\t\tWHEN dns_rcode = 6 THEN 'YXDomain'\n\t\tWHEN dns_rcode = 7 THEN 'YXRRSet'\n\t\tWHEN dns_rcode = 8 THEN 'NXRRSet'\n\t\tWHEN dns_rcode = 9 THEN 'NotAuth'\n\t\tWHEN dns_rcode = 10 THEN 'NotZone'\n\t\tELSE 'Other' END) as \"Response Code\",\n\t\tdns_qname,\n\t\tcount(1) as erros,\n\t\tsum(common_c2s_byte_diff+common_s2c_byte_diff) as total_bytes,\n\tsum(common_c2s_pkt_diff+common_s2c_pkt_diff) as total_packets,\n\tsum(common_c2s_byte_diff) as total_request_bytes,\n\tsum(common_s2c_byte_diff) as total_response_bytes,\n\tsum(common_c2s_pkt_diff) as total_request_packets,\n\tsum(common_s2c_pkt_diff) as total_response_packets \nfrom transaction_record \nwhere common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0 \ngroup by common_client_ip,common_server_ip,dns_rcode,dns_qname order by erros desc limit 50", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "option", - "value": "long-term", - "disabled": true - }, - { - "key": "resultId", - "value": "129494", - "disabled": true - }, - { - "key": "query", - "value": "select common_client_ip, \n\t\tcommon_server_ip,(CASE\n\t\tWHEN dns_rcode = 0 THEN 'No error'\n\t\tWHEN dns_rcode = 1 THEN 'Format error'\n\t\tWHEN dns_rcode = 2 
THEN 'Server failure'\n\t\tWHEN dns_rcode = 3 THEN 'Name Error'\n\t\tWHEN dns_rcode = 4 THEN 'Not Implemented'\n\t\tWHEN dns_rcode = 5 THEN 'Refused'\n\t\tWHEN dns_rcode = 6 THEN 'YXDomain'\n\t\tWHEN dns_rcode = 7 THEN 'YXRRSet'\n\t\tWHEN dns_rcode = 8 THEN 'NXRRSet'\n\t\tWHEN dns_rcode = 9 THEN 'NotAuth'\n\t\tWHEN dns_rcode = 10 THEN 'NotZone'\n\t\tELSE 'Other' END) as \"Response Code\",\n\t\tdns_qname,\n\t\tcount(1) as erros,\n\t\tsum(common_c2s_byte_diff+common_s2c_byte_diff) as total_bytes,\n\tsum(common_c2s_pkt_diff+common_s2c_pkt_diff) as total_packets,\n\tsum(common_c2s_byte_diff) as total_request_bytes,\n\tsum(common_s2c_byte_diff) as total_response_bytes,\n\tsum(common_c2s_pkt_diff) as total_request_packets,\n\tsum(common_s2c_pkt_diff) as total_response_packets \nfrom transaction_record \nwhere common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0 \ngroup by common_client_ip,common_server_ip,dns_rcode,dns_qname order by erros desc limit 50" - } - ] - } - }, - "response": [] - } - ] - }, - { - "name": "DNS Resolver Amplification Attack", - "item": [ - { - "name": "DNS Resolvers", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "protocolProfileBehavior": { - "disableBodyPruning": true - }, - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "formdata", - "formdata": [] - }, - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?query=SELECT\n\tcount(*) as requests,\n\tuniq(common_client_ip) as client_ips,\n\tsum(common_c2s_byte_diff) as request_bytes,\n\tsum(common_s2c_byte_diff) as response_bytes,\n\tsum(common_c2s_pkt_diff) request_packets,\n\tsum(common_s2c_pkt_diff) as response_packets,\n\tround((response_bytes / if(request_bytes >0,request_bytes,1)),2) as byte_ratio,\n\tcommon_server_ip\nfrom\n\ttransaction_record rc\nwhere\n common_recv_time >= 
UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 1500\n\tand common_c2s_byte_diff>0\n\tand round((common_s2c_byte_diff / if(common_c2s_byte_diff >0,common_c2s_byte_diff,1)),2) >20\n\tand common_c2s_pkt_diff = 1\n\tand common_s2c_pkt_diff =1\ngroup by\n\tcommon_server_ip\norder by\n\trequests desc", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "option", - "value": "long-term", - "disabled": true - }, - { - "key": "resultId", - "value": "129494", - "disabled": true - }, - { - "key": "query", - "value": "SELECT\n\tcount(*) as requests,\n\tuniq(common_client_ip) as client_ips,\n\tsum(common_c2s_byte_diff) as request_bytes,\n\tsum(common_s2c_byte_diff) as response_bytes,\n\tsum(common_c2s_pkt_diff) request_packets,\n\tsum(common_s2c_pkt_diff) as response_packets,\n\tround((response_bytes / if(request_bytes >0,request_bytes,1)),2) as byte_ratio,\n\tcommon_server_ip\nfrom\n\ttransaction_record rc\nwhere\n common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 1500\n\tand common_c2s_byte_diff>0\n\tand round((common_s2c_byte_diff / if(common_c2s_byte_diff >0,common_c2s_byte_diff,1)),2) >20\n\tand common_c2s_pkt_diff = 1\n\tand common_s2c_pkt_diff =1\ngroup by\n\tcommon_server_ip\norder by\n\trequests desc" - } - ] - } - }, - "response": [] - }, - { - "name": "DNS Resolver Amlif Times", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "protocolProfileBehavior": { - "disableBodyPruning": true - }, - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "formdata", - "formdata": [] - }, - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?=&query=\nselect\n\tcount(*) as sessions,\n\tsum(if(common_s2c_byte_diff / common_c2s_byte_diff <= 1, 1, 0)) as \"1 times\",\n\tsum(if(common_s2c_byte_diff / 
common_c2s_byte_diff > 1 and common_s2c_byte_diff / common_c2s_byte_diff <= 5, 1, 0)) as \"1-5 times\",\n\tsum(if(common_s2c_byte_diff / common_c2s_byte_diff > 5 and common_s2c_byte_diff / common_c2s_byte_diff <= 10, 1, 0)) as \"5-10 times\",\n\tsum(if(common_s2c_byte_diff / common_c2s_byte_diff > 10 and common_s2c_byte_diff / common_c2s_byte_diff <= 20, 1, 0)) as \"10-20 times\",\n\tsum(if(common_s2c_byte_diff / common_c2s_byte_diff > 20 and common_s2c_byte_diff / common_c2s_byte_diff <= 50, 1, 0)) as \"20-50 times\",\n\tsum(if(common_s2c_byte_diff / common_c2s_byte_diff > 50 and common_s2c_byte_diff / common_c2s_byte_diff <= 100, 1, 0)) as \"50-100 times\",\n\tsum(if(common_s2c_byte_diff / common_c2s_byte_diff > 100, 1, 0)) as \"100 times\"\nfrom\n\t\ttransaction_record as rc\nwhere\n common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\n\tand common_s2c_byte_diff>0\n\tand common_c2s_pkt_diff =1\n\tand common_s2c_pkt_diff =1\n\tand common_server_port = 53\n\tand common_schema_type = 'DNS'\n\tand common_server_ip = '60.13.251.208'\n", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "option", - "value": "long-term", - "disabled": true - }, - { - "key": "resultId", - "value": "129494", - "disabled": true - }, - { - "key": "", - "value": "" - }, - { - "key": "query", - "value": "\nselect\n\tcount(*) as sessions,\n\tsum(if(common_s2c_byte_diff / common_c2s_byte_diff <= 1, 1, 0)) as \"1 times\",\n\tsum(if(common_s2c_byte_diff / common_c2s_byte_diff > 1 and common_s2c_byte_diff / common_c2s_byte_diff <= 5, 1, 0)) as \"1-5 times\",\n\tsum(if(common_s2c_byte_diff / common_c2s_byte_diff > 5 and common_s2c_byte_diff / common_c2s_byte_diff <= 10, 1, 0)) as \"5-10 times\",\n\tsum(if(common_s2c_byte_diff / common_c2s_byte_diff > 10 and common_s2c_byte_diff / common_c2s_byte_diff <= 20, 1, 0)) as \"10-20 times\",\n\tsum(if(common_s2c_byte_diff / common_c2s_byte_diff > 20 and 
common_s2c_byte_diff / common_c2s_byte_diff <= 50, 1, 0)) as \"20-50 times\",\n\tsum(if(common_s2c_byte_diff / common_c2s_byte_diff > 50 and common_s2c_byte_diff / common_c2s_byte_diff <= 100, 1, 0)) as \"50-100 times\",\n\tsum(if(common_s2c_byte_diff / common_c2s_byte_diff > 100, 1, 0)) as \"100 times\"\nfrom\n\t\ttransaction_record as rc\nwhere\n common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\n\tand common_s2c_byte_diff>0\n\tand common_c2s_pkt_diff =1\n\tand common_s2c_pkt_diff =1\n\tand common_server_port = 53\n\tand common_schema_type = 'DNS'\n\tand common_server_ip = '60.13.251.208'\n" - } - ] - } - }, - "response": [] - }, - { - "name": "DNS Resolver Metrics trend", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "protocolProfileBehavior": { - "disableBodyPruning": true - }, - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "formdata", - "formdata": [] - }, - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?=&query=\nselect \n\ttoDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))), 1800)* 1800) as stat_time,\n\tuniq(dns_qname) as uniq_qnames,\n\tuniq(common_client_ip) as uniq_client_ips,\n\tround(sum(common_c2s_byte_diff+common_s2c_byte_diff)*8/1800/1000/1000,2) as \"Mbps\",\n\tround(sum(common_c2s_byte_diff)*8/1800/1000/1000,2) as \"Request Mbps\",\n\tround(sum(common_s2c_byte_diff)*8/1800/1000/1000,2) as \"Response Mbps\",\n\tround(sum(common_c2s_pkt_diff+common_s2c_pkt_diff)/1800/1000,2) as \"Kpps\",\n\tround(sum(common_c2s_pkt_diff)/1800/1000,2) as \"Request Kpps\",\n\tround(sum(common_s2c_pkt_diff)/1800/1000,2) as \"Response Kpps\",\n\tround(count(*)/1800,2) as \"sessions/s\"\nfrom\n\ttransaction_record as ss\nwhere\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\n\tand common_s2c_byte_diff>0\n\tand 
common_c2s_pkt_diff =1\n\tand common_s2c_pkt_diff =1\n\tand common_server_port = 53\n\tand common_schema_type = 'DNS'\n\tand common_server_ip = '60.13.217.234'\ngroup by stat_time \norder by stat_time asc\n", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "option", - "value": "long-term", - "disabled": true - }, - { - "key": "resultId", - "value": "129494", - "disabled": true - }, - { - "key": "", - "value": "" - }, - { - "key": "query", - "value": "\nselect \n\ttoDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))), 1800)* 1800) as stat_time,\n\tuniq(dns_qname) as uniq_qnames,\n\tuniq(common_client_ip) as uniq_client_ips,\n\tround(sum(common_c2s_byte_diff+common_s2c_byte_diff)*8/1800/1000/1000,2) as \"Mbps\",\n\tround(sum(common_c2s_byte_diff)*8/1800/1000/1000,2) as \"Request Mbps\",\n\tround(sum(common_s2c_byte_diff)*8/1800/1000/1000,2) as \"Response Mbps\",\n\tround(sum(common_c2s_pkt_diff+common_s2c_pkt_diff)/1800/1000,2) as \"Kpps\",\n\tround(sum(common_c2s_pkt_diff)/1800/1000,2) as \"Request Kpps\",\n\tround(sum(common_s2c_pkt_diff)/1800/1000,2) as \"Response Kpps\",\n\tround(count(*)/1800,2) as \"sessions/s\"\nfrom\n\ttransaction_record as ss\nwhere\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\n\tand common_s2c_byte_diff>0\n\tand common_c2s_pkt_diff =1\n\tand common_s2c_pkt_diff =1\n\tand common_server_port = 53\n\tand common_schema_type = 'DNS'\n\tand common_server_ip = '60.13.217.234'\ngroup by stat_time \norder by stat_time asc\n" - } - ] - } - }, - "response": [] - }, - { - "name": "DNS Resolver rcode", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "protocolProfileBehavior": { - "disableBodyPruning": true - }, - "request": { - "method": "GET", - "header": [], - 
"body": { - "mode": "formdata", - "formdata": [] - }, - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?=&query=select\n\t(CASE\n\t\tWHEN dns_rcode = 0 THEN 'No error'\n\t\tWHEN dns_rcode = 1 THEN 'Format error'\n\t\tWHEN dns_rcode = 2 THEN 'Server failure'\n\t\tWHEN dns_rcode = 3 THEN 'Name Error'\n\t\tWHEN dns_rcode = 4 THEN 'Not Implemented'\n\t\tWHEN dns_rcode = 5 THEN 'Refused'\n\t\tWHEN dns_rcode = 6 THEN 'YXDomain'\n\t\tWHEN dns_rcode = 7 THEN 'YXRRSet'\n\t\tWHEN dns_rcode = 8 THEN 'NXRRSet'\n\t\tWHEN dns_rcode = 9 THEN 'NotAuth'\n\t\tWHEN dns_rcode = 10 THEN 'NotZone'\n\t\tELSE 'Other' END) as \"Response Code\",\n\tdns_rcode,\n\tcount(1) as requests,\n\tsum(common_c2s_byte_diff) as total_request_bytes,\n\tsum(common_s2c_byte_diff) as total_response_bytes,\n\tsum(common_c2s_pkt_diff) as total_request_packets,\n\tsum(common_s2c_pkt_diff) as total_response_packets,\n\tmax(common_c2s_byte_diff) as max_request_bytes,\n\tmax(common_s2c_byte_diff) as max_response_bytes,\n\tavg(common_c2s_byte_diff) as avg_request_bytes,\n\tavg(common_s2c_byte_diff) as avg_response_bytes,\n\tmedian(common_c2s_byte_diff) as median_request_bytes,\n\tmedian(common_s2c_byte_diff) as median_response_bytes\nfrom\n\ttransaction_record\nwhere\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0,request_bytes,1)),2) as byte_ratio,\n\tcommon_client_ip\nfrom\n\ttransaction_record\nwhere \n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 1500\n\tand common_c2s_byte_diff>0\n\tand round((common_s2c_byte_diff / if(common_c2s_byte_diff >0,common_c2s_byte_diff,1)),2) >20\n\tand common_c2s_pkt_diff = 1\n\tand common_s2c_pkt_diff =1 \ngroup by\n\tcommon_client_ip\norder 
by\n\tbyte_ratio desc\nlimit 10", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "option", - "value": "long-term", - "disabled": true - }, - { - "key": "resultId", - "value": "129494", - "disabled": true - }, - { - "key": "query", - "value": "SELECT\n\tcount(*) as requests,\n\tuniq(common_client_ip) as client_ips,\n\tsum(common_c2s_byte_diff) as request_bytes,\n\tsum(common_s2c_byte_diff) as response_bytes,\n\tsum(common_c2s_pkt_diff) request_packets,\n\tsum(common_s2c_pkt_diff) as response_packets,\n\tround((response_bytes / if(request_bytes >0,request_bytes,1)),2) as byte_ratio,\n\tcommon_client_ip\nfrom\n\ttransaction_record\nwhere \n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 1500\n\tand common_c2s_byte_diff>0\n\tand round((common_s2c_byte_diff / if(common_c2s_byte_diff >0,common_c2s_byte_diff,1)),2) >20\n\tand common_c2s_pkt_diff = 1\n\tand common_s2c_pkt_diff =1 \ngroup by\n\tcommon_client_ip\norder by\n\tbyte_ratio desc\nlimit 10" - } - ] - } - }, - "response": [] - }, - { - "name": "DNS Resolvers by Victim IP", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "protocolProfileBehavior": { - "disableBodyPruning": true - }, - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "formdata", - "formdata": [] - }, - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?=&query=SELECT\n\tcount(1) as requests,\n\tsum(common_c2s_byte_diff) as total_request_bytes,\n\tsum(common_s2c_byte_diff) as total_response_bytes,\n\tsum(common_c2s_pkt_diff) as total_request_packets,\n\tsum(common_s2c_pkt_diff) as total_response_packets,\n\tmax(common_c2s_byte_diff) as max_request_bytes,\n\tmax(common_s2c_byte_diff) as max_response_bytes,\n\tavg(common_c2s_byte_diff) as 
avg_request_bytes,\n\tavg(common_s2c_byte_diff) as avg_response_bytes,\n\tmedian(common_c2s_byte_diff) as median_request_bytes,\n\tmedian(common_s2c_byte_diff) as median_response_bytes,\n\tcommon_server_ip,\n\tgroupUniqArray(common_server_port) as ports,\n\tany(common_server_location) as server_location\nfrom\n\ttransaction_record\nwhere\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 1 and byte_ratio <= 5, 1, 0)) as \"1-5 times\",\n\tsum(if(byte_ratio > 5 and byte_ratio <= 10, 1, 0)) as \"5-10 times\",\n\tsum(if(byte_ratio > 10 and byte_ratio <= 20, 1, 0)) as \"10-20 times\",\n\tsum(if(byte_ratio > 20 and byte_ratio <= 50, 1, 0)) as \"20-50 times\",\n\tsum(if(byte_ratio > 50 and byte_ratio <= 100, 1, 0)) as \"50-100 times\",\n\tsum(if(byte_ratio > 100, 1, 0)) as \"100 times\"\nfrom\n\t(\n\tSELECT\n\t\tcommon_server_ip,\n\t\tmedian(common_s2c_byte_diff / common_c2s_byte_diff) as byte_ratio,\n\t\tcount(*) as sessions\n\tfrom\n\t\ttransaction_record\n\twhere\n\t\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\n\t\tand common_s2c_byte_diff>0\n\t\tand common_c2s_pkt_diff =1\n\t\tand common_s2c_pkt_diff =1\n\t\tand common_server_port = 53\n\t\tand common_schema_type = 'DNS'\n\tgroup by\n\t\tcommon_server_ip\n)", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": "{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "option", - "value": "long-term", - "disabled": true - }, - { - "key": "resultId", - "value": "129494", - "disabled": true - }, - { - "key": "", - "value": "" - }, - { - "key": "query", - "value": "\nselect\n\tcount(*) as ips,\n\tsum(if(byte_ratio <= 1, 1, 0)) as \"1 times\",\n\tsum(if(byte_ratio > 1 and byte_ratio <= 5, 1, 0)) as \"1-5 times\",\n\tsum(if(byte_ratio > 5 and byte_ratio <= 10, 1, 0)) as \"5-10 times\",\n\tsum(if(byte_ratio > 10 and byte_ratio <= 20, 1, 0)) as \"10-20 times\",\n\tsum(if(byte_ratio > 20 and 
byte_ratio <= 50, 1, 0)) as \"20-50 times\",\n\tsum(if(byte_ratio > 50 and byte_ratio <= 100, 1, 0)) as \"50-100 times\",\n\tsum(if(byte_ratio > 100, 1, 0)) as \"100 times\"\nfrom\n\t(\n\tSELECT\n\t\tcommon_server_ip,\n\t\tmedian(common_s2c_byte_diff / common_c2s_byte_diff) as byte_ratio,\n\t\tcount(*) as sessions\n\tfrom\n\t\ttransaction_record\n\twhere\n\t\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\n\t\tand common_s2c_byte_diff>0\n\t\tand common_c2s_pkt_diff =1\n\t\tand common_s2c_pkt_diff =1\n\t\tand common_server_port = 53\n\t\tand common_schema_type = 'DNS'\n\tgroup by\n\t\tcommon_server_ip\n)" - } - ] - } - }, - "response": [] - }, - { - "name": "Ampli Attack Country Distribution", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "protocolProfileBehavior": { - "disableBodyPruning": true - }, - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "formdata", - "formdata": [] - }, - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?=&query=SELECT\n\tarrayElement(splitByString(',',common_server_location),length(splitByString(',',common_server_location))) as server_location,\n\tcount(*) as ips\nfrom\n\t(\n\tSELECT\n\t\tcommon_server_ip,\n\t\tany(common_server_location) as common_server_location,\n\t\tmedian(common_s2c_byte_diff / common_c2s_byte_diff) as byte_ratio,\n\t\tcount(*) as sessions\n\tfrom\n\t\ttransaction_record\n\twhere\n\t\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\n\t\tand common_s2c_byte_diff>0\n\t\tand common_c2s_pkt_diff =1\n\t\tand common_s2c_pkt_diff =1\n\t\tand common_server_port = 53\n\t\tand common_schema_type = 'DNS'\n\tgroup by\n\t\tcommon_server_ip\n\thaving\n\t\tbyte_ratio > 20\n)\ngroup by\n\tserver_location\norder by\n\tips desc", - "protocol": "http", - "host": [ - "{{qgw_ip}}" - ], - "port": 
"{{qgw_port}}", - "path": [ - "" - ], - "query": [ - { - "key": "option", - "value": "long-term", - "disabled": true - }, - { - "key": "resultId", - "value": "129494", - "disabled": true - }, - { - "key": "", - "value": "" - }, - { - "key": "query", - "value": "SELECT\n\tarrayElement(splitByString(',',common_server_location),length(splitByString(',',common_server_location))) as server_location,\n\tcount(*) as ips\nfrom\n\t(\n\tSELECT\n\t\tcommon_server_ip,\n\t\tany(common_server_location) as common_server_location,\n\t\tmedian(common_s2c_byte_diff / common_c2s_byte_diff) as byte_ratio,\n\t\tcount(*) as sessions\n\tfrom\n\t\ttransaction_record\n\twhere\n\t\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time 0\n\t\tand common_s2c_byte_diff>0\n\t\tand common_c2s_pkt_diff =1\n\t\tand common_s2c_pkt_diff =1\n\t\tand common_server_port = 53\n\t\tand common_schema_type = 'DNS'\n\tgroup by\n\t\tcommon_server_ip\n\thaving\n\t\tbyte_ratio > 20\n)\ngroup by\n\tserver_location\norder by\n\tips desc" - } - ] - } - }, - "response": [] - } - ] - }, - { - "name": "DNS NXDOMAIN Flood", - "item": [ - { - "name": "DNS Proxy Server", - "event": [ - { - "listen": "test", - "script": { - "exec": [ - "pm.test(\"Status code is 200\", function () {", - " pm.response.to.have.status(200);", - "});" - ], - "type": "text/javascript" - } - } - ], - "protocolProfileBehavior": { - "disableBodyPruning": true - }, - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "formdata", - "formdata": [] - }, - "url": { - "raw": "http://{{qgw_ip}}:{{qgw_port}}/?query=select \n\tcount(1) as requests,\n\tsum(common_c2s_byte_diff) as total_request_bytes,\n\tsum(common_s2c_byte_diff) as total_response_bytes,\n\tsum(common_c2s_pkt_diff) as total_request_packets,\n\tsum(common_s2c_pkt_diff) as total_response_packets,\n\tmax(common_c2s_byte_diff) as max_request_bytes,\n\tmax(common_s2c_byte_diff) as max_response_bytes,\n\tavg(common_c2s_byte_diff) as 
avg_request_bytes,\n\tavg(common_s2c_byte_diff) as avg_response_bytes,\n\tmedian(common_c2s_byte_diff) as median_request_bytes,\n\tmedian(common_s2c_byte_diff) as median_response_bytes,\n\tcommon_server_ip\nfrom\n\ttransaction_record\nwhere\n\tcommon_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') AND vsys_id IN (1) ORDER BY recv_time DESC LIMIT 20\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}", + "raw": "{\n \"statement\" : \"SELECT FROM_UNIXTIME(recv_time) as recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, vsys_id, t_vsys_id, flags, flags_identify_info, security_rule_list, security_action, monitor_rule_list, sc_rule_list, sc_rsp_raw, sc_rsp_decrypted, shaping_rule_list, proxy_rule_list, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_port, client_os_desc, client_geolocation, client_asn, subscriber_id, imei, imsi, phone_number, apn, server_ip, server_port, server_os_desc, server_geolocation, server_asn, server_fqdn, server_domain, app_transition, app, app_debug_info, app_content, fqdn_category_list, decoded_path,ip_protocol, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, 
dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, 
stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, bgp_message_type, bgp_messages, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, tunnels, dup_traffic_flag, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc FROM session_record AS session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') AND vsys_id IN (1) ORDER BY recv_time DESC LIMIT 20\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}", "options": { "raw": { "language": "json" 
@@ -2755,7 +232,7 @@ "header": [], "body": { "mode": "raw", - "raw": "{\n \"statement\" : \"SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, vsys_id, t_vsys_id, flags, flags_identify_info, security_rule_list, security_action, monitor_rule_list, shaping_rule_list, proxy_rule_list, sc_rule_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, security_mirrored_pkts, security_mirrored_bytes, client_ip, client_port, client_os_desc, client_geolocation, client_asn, subscriber_id, imei, imsi, phone_number, apn, server_ip, server_port, server_os_desc, server_geolocation, server_asn, server_fqdn, server_domain, app_transition, app, app_debug_info, app_content, fqdn_category_list, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, 
dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, bgp_message_type, bgp_messages, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, tunnels, dup_traffic_flag, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc FROM security_event AS security_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and 
recv_time < UNIX_TIMESTAMP('{{end_time}}') AND vsys_id IN (1) ORDER BY recv_time DESC LIMIT 20\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}", + "raw": "{\n \"statement\" : \"SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, vsys_id, t_vsys_id, flags, flags_identify_info, security_rule_list, security_action, monitor_rule_list, shaping_rule_list, proxy_rule_list, sc_rule_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_port, client_os_desc, client_geolocation, client_asn, subscriber_id, imei, imsi, phone_number, apn, server_ip, server_port, server_os_desc, server_geolocation, server_asn, server_fqdn, server_domain, app_transition, app, app_debug_info, app_content, fqdn_category_list, decoded_path, ip_protocol,dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_cert_issuer, 
ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, bgp_message_type, bgp_messages, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, tunnels, dup_traffic_flag, tunnel_endpoint_a_desc, 
tunnel_endpoint_b_desc FROM security_event AS security_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') AND vsys_id IN (1) ORDER BY recv_time DESC LIMIT 20\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"options": {
"raw": {
"language": "json"
@@ -2884,7 +361,7 @@
"header": [],
"body": {
"mode": "raw",
- "raw": "{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(recv_time,'PT5M')) as stat_time, security_action as type, count(*) as events from security_event where recv_time > FROM_UNIXTIME(UNIX_TIMESTAMP(now())-3600) and vsys_id in (1,2,3,4) group by stat_time, security_action order by stat_time asc\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
+ "raw": "{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(recv_time,'PT5M','zero')) as stat_time, security_action as type, count(*) as events from security_event where recv_time > FROM_UNIXTIME(UNIX_TIMESTAMP(now())-3600) and vsys_id in (1,2,3,4) group by stat_time, security_action order by stat_time asc\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"options": {
"raw": {
"language": "json"
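Review bot: The new session_record statement selects `mail_password`, `http_cookie`, `http_set_cookie`, `imei`, `imsi` and `phone_number` alongside the troubleshooting fields, so each run of this request can leave captured credentials and subscriber identifiers in Postman's saved response history or a Newman report; a health-check collection should select only the columns the check needs, or carry a request description stating why the full column list is required. The column list also changed from the removed line in two easily missed ways: `security_mirrored_*` became `monitor_mirrored_*`, and `ip_protocol` was inserted after `decoded_path` without a space (`decoded_path,ip_protocol`), which is worth normalising to `decoded_path, ip_protocol` so future diffs of the list stay readable. The same two points apply to the security_event statements at -2979 and to the statement at -8340, whose hunk runs past this view; the voip_record statement at -3083 likewise pulls `subscriber_id`, `imei`, `imsi` and `phone_number`.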
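Review bot: The statement on the added line still windows on `recv_time > FROM_UNIXTIME(UNIX_TIMESTAMP(now())-3600)` and `vsys_id in (1,2,3,4)` rather than the `{{start_time}}`/`{{end_time}}` variables the neighbouring requests use, so the new `'zero'` fill mode is applied to a fixed last-hour window the caller cannot set from the environment. If the fixed window is intentional, a request-level description saying so would spare the next reader the comparison; otherwise `where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}')` brings it in line. The session_record statement at -3316 has the same shape.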
@@ -2979,7 +456,7 @@ "header": [], "body": { "mode": "raw", - "raw": "{\n \"statement\" : \"SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, vsys_id, t_vsys_id, flags, flags_identify_info, security_rule_list, security_action, monitor_rule_list, shaping_rule_list, proxy_rule_list, sc_rule_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, security_mirrored_pkts, security_mirrored_bytes, client_ip, client_port, client_os_desc, client_geolocation, client_asn, subscriber_id, imei, imsi, phone_number, apn, server_ip, server_port, server_os_desc, server_geolocation, server_asn, server_fqdn, server_domain, app_transition, app, app_debug_info, app_content, fqdn_category_list, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, 
dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, bgp_message_type, bgp_messages, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, tunnels, dup_traffic_flag, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc FROM security_event AS monitor_event WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and 
recv_time < UNIX_TIMESTAMP('{{end_time}}') AND vsys_id IN (1) ORDER BY recv_time DESC LIMIT 20\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}", + "raw": "{\n \"statement\" : \"SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, vsys_id, t_vsys_id, flags, flags_identify_info, security_rule_list, security_action, monitor_rule_list, shaping_rule_list, proxy_rule_list, sc_rule_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_port, client_os_desc, client_geolocation, client_asn, subscriber_id, imei, imsi, phone_number, apn, server_ip, server_port, server_os_desc, server_geolocation, server_asn, server_fqdn, server_domain, app_transition, app, app_debug_info, app_content, fqdn_category_list, decoded_path,ip_protocol, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_cert_issuer, 
ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, bgp_message_type, bgp_messages, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, tunnels, dup_traffic_flag, tunnel_endpoint_a_desc, 
tunnel_endpoint_b_desc FROM security_event AS monitor_event WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') AND vsys_id IN (1) ORDER BY recv_time DESC LIMIT 20\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}", "options": { "raw": { "language": "json" 
@@ -3083,7 +560,7 @@ "header": [], "body": { "mode": "raw", - "raw": "{\n \"statement\" : \"select recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, vsys_id, t_vsys_id, flags, flags_identify_info, security_rule_list, security_action, monitor_rule_list, shaping_rule_list, proxy_rule_list, sc_rule_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, security_mirrored_pkts, security_mirrored_bytes, client_ip, client_port, client_os_desc, client_geolocation, client_asn, subscriber_id, imei, imsi, phone_number, apn, server_ip, server_port, server_os_desc, server_geolocation, server_asn, server_fqdn, server_domain, app_transition, app, app_debug_info, app_content, fqdn_category_list, decoded_path, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, tunnels, dup_traffic_flag, tunnel_endpoint_a_desc, 
tunnel_endpoint_b_desc FROM voip_record AS voip_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') AND vsys_id IN (1) ORDER BY recv_time DESC LIMIT 20\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}", + "raw": "{\n \"statement\" : \"select recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, vsys_id, t_vsys_id, flags, flags_identify_info, security_rule_list, security_action, monitor_rule_list, shaping_rule_list, proxy_rule_list, sc_rule_list, sc_rsp_raw, sc_rsp_decrypted, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes, client_ip, client_port, client_os_desc, client_geolocation, client_asn, subscriber_id, imei, imsi, phone_number, apn, server_ip, server_port, server_os_desc, server_geolocation, server_asn, server_fqdn, server_domain, app_transition, app, app_debug_info, app_content, fqdn_category_list, decoded_path, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, 
tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, tunnels, dup_traffic_flag, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc FROM voip_record AS voip_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') AND vsys_id IN (1) ORDER BY recv_time DESC LIMIT 20\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"options": {
"raw": {
"language": "json"
@@ -3316,7 +793,7 @@
"header": [],
"body": {
"mode": "raw",
- "raw": "{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(recv_time,'PT5M')) as stat_time, decoded_as as type, count(1) as sessions, sum(sent_bytes + received_bytes) as bytes, sum(sent_pkts + received_pkts) as packets from session_record where recv_time > FROM_UNIXTIME(UNIX_TIMESTAMP(now())-3600) and vsys_id in (1,2,3,4) group by stat_time, decoded_as order by stat_time asc\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
+ "raw": "{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(recv_time,'PT5M','zero')) as stat_time, decoded_as as type, count(1) as sessions, sum(sent_bytes + received_bytes) as bytes, sum(sent_pkts + received_pkts) as packets from session_record where recv_time > FROM_UNIXTIME(UNIX_TIMESTAMP(now())-3600) and vsys_id in (1,2,3,4) group by stat_time, decoded_as order by stat_time asc\" ,\n \"exec_mode\":\"oneshot\",\n \"output_mode\":\"json\"\n\n}",
"options": {
"raw": {
"language": "json"
@@ -6655,7 +4132,7 @@ "header": [], "body": { "mode": "raw", - "raw": "{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , sum(in_bytes) as in_bytes, avg(in_bytes)* 8 / 30 as avg_in_bits_per_sec, sum(out_bytes) as out_bytes, avg(out_bytes)* 8 / 30 as avg_out_bits_per_sec, sum(bytes) as bytes, avg(bytes)* 8 / 30 as avg_bits_per_sec, sum(new_in_sessions) as new_in_sessions, avg(new_in_sessions)/ 30 as avg_new_in_sessions_per_sec, sum(new_out_sessions) as new_out_sessions, avg(new_out_sessions)/ 30 as avg_new_out_sessions_per_sec, sum(sessions) as sessions, avg(sessions)/ 30 as avg_sessions_per_sec from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT5S') as stat_time, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes, sum(new_in_sessions) as new_in_sessions, sum(new_out_sessions) as new_out_sessions, sum(sessions) as sessions from object_statistics where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and object_id = 1 group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT5S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}", + "raw": "{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , sum(in_bytes) as in_bytes, avg(in_bytes)* 8 / 30 as avg_in_bits_per_sec, sum(out_bytes) as out_bytes, avg(out_bytes)* 8 / 30 as avg_out_bits_per_sec, sum(bytes) as bytes, avg(bytes)* 8 / 30 as avg_bits_per_sec, sum(new_in_sessions) as new_in_sessions, avg(new_in_sessions)/ 30 as avg_new_in_sessions_per_sec, sum(new_out_sessions) as new_out_sessions, avg(new_out_sessions)/ 30 as avg_new_out_sessions_per_sec, sum(sessions) as sessions, avg(sessions)/ 30 as avg_sessions_per_sec from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT5S') as stat_time, sum(in_bytes) as 
in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes, sum(new_in_sessions) as new_in_sessions, sum(new_out_sessions) as new_out_sessions, sum(sessions) as sessions from object_statistics where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1) and object_id = 1608661 group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT5S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}", "options": { "raw": { "language": "json" 
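Review bot: `object_id = 1608661` on the added line replaces the generic `object_id = 1` with what looks like an identifier from one specific deployment, and `vsys_id in (1)` replaces the eight-vsys list, so this request will return an empty series on any other environment until the collection itself is edited. The collection already parameterises the window with `{{start_time}}`/`{{end_time}}`, so the same mechanism fits here, e.g. `and vsys_id in ({{vsys_id}}) and object_id = {{object_id}}` with the values kept in the environment (variable names are suggestions, not existing ones). The same hard-coding appears at -7002 (`rule_id=397097 and chart_id=8267`), which also keeps `vsys_id in (1,2,3,4,5,6,7,8)` while -6774 and -7401 narrow to `(1)`, so the vsys scope is now inconsistent across the statistics requests.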
@@ -6774,7 +4251,7 @@
"header": [],
"body": {
"mode": "raw",
- "raw": "{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT15S') as stat_time, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and version=1 group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT15S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
+ "raw": "{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT15S') as stat_time, sum(in_bytes) as in_bytes, sum(out_bytes) as out_bytes, sum(bytes) as bytes from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1) and version=1 group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT15S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"options": {
"raw": {
"language": "json"
@@ -7002,7 +4479,7 @@
"header": [],
"body": {
"mode": "raw",
- "raw": "{\n \"statement\" : \"select PERCENTILES_HDR(latency_ms_sketch) as histogram_tcp_latency_ms,HDR_GET_QUANTILES(HDR_HISTOGRAM(latency_ms_sketch), 0.5,0.95,0.99) as tcp_latency_quantiles from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and rule_id=1\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
+ "raw": "{\n \"statement\" : \"select PERCENTILES_HDR(latency_ms_sketch) as histogram_tcp_latency_ms,HDR_GET_QUANTILES(HDR_HISTOGRAM(latency_ms_sketch), 0.5,0.95,0.99) as tcp_latency_quantiles from statistics_rule where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) and rule_id=397097 and chart_id=8267\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"options": {
"raw": {
"language": "json"
@@ -7368,7 +4845,7 @@
"response": []
},
{
- "name": "Statistics Rule Throughput",
+ "name": "Statistics Rule Hits Throughput",
"event": [
{
"listen": "test",
@@ -7401,7 +4878,7 @@
"header": [],
"body": {
"mode": "raw",
- "raw": "{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , avg(sum_in_bytes)*8/30 as avg_in_bits_per_sec, avg(sum_out_bytes)*8/30 as avg_out_bits_per_sec, avg(sum_bytes)*8/30 as avg_bits_per_sec, sum(sum_in_bytes) as total_in_bytes, sum(sum_out_bytes) as total_out_bytes, sum(sum_bytes) as total_bytes from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT5S') as stat_time, sum(in_bytes) as sum_in_bytes, sum(out_bytes) as sum_out_bytes, sum(in_bytes + out_bytes) as sum_bytes from statistics_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1,2,3,4,5,6,7,8) group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT5S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
+ "raw": "{\n \"statement\" : \"select FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) as stat_time , avg(sum_in_bytes)*8/30 as avg_in_bits_per_sec, avg(sum_out_bytes)*8/30 as avg_out_bits_per_sec, avg(sum_bytes)*8/30 as avg_bits_per_sec, sum(sum_in_bytes) as total_in_bytes, sum(sum_out_bytes) as total_out_bytes, sum(sum_bytes) as total_bytes from ( select TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time), 'PT5S') as stat_time, sum(in_bytes) as sum_in_bytes, sum(out_bytes) as sum_out_bytes, sum(in_bytes + out_bytes) as sum_bytes from statistics_rule_hits where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1) group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT5S')) group by FROM_UNIXTIME(TIME_FLOOR_WITH_FILL(stat_time, 'PT30S', 'zero')) order by stat_time asc limit 1000\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
"options": {
"raw": {
"language": "json"
@@ -7919,7 +5396,7 @@
 "name": "IP Learning",
 "item": [
 {
- "name": "ip-learning-fqdn-relate-ips",
+ "name": "ip-learning-fqdn-relate-ip",
 "event": [
 {
 "listen": "prerequest",
@@ -7952,7 +5429,7 @@
 ],
 "body": {
 "mode": "raw",
- "raw": "{\r\n \"name\": \"ip-learning-fqdn-relate-ip\",\r\n \"filter\" : \"vsys_id in (1,2,3,4,5) AND protocol in ('SSL', 'HTTP','DNS') AND depth=1 and uniq_cip > 12 AND fqdn_name in('google.com', 'itunes.apple.com')\",\r\n \"intervals\":[\"{{start_time}}/{{end_time}}\"],\r\n \"limit\": 100,\r\n \"exec_mode\": \"oneshot\"\r\n}",
+ "raw": "{\r\n \"name\": \"ip-learning-fqdn-relate-ip\",\r\n \"filter\": \"VSYS_ID in (1,2,3,4,5,6,7,8) AND PROTOCOL in ('SSL', 'HTTP','DNS') AND DEPTH = 1 and UNIQ_CIP > 1 AND FQDN_NAME in ('google.com', 'baidu.com') \",\r\n \"intervals\": [\"2023-01-01 00:00:00/2024-01-02 00:00:00\"],\r\n \"exec_mode\":\"oneshot\",\r\n \"limit\": \"100\"\r\n }",
 "options": {
 "raw": {
 "language": "json"
@@ -8052,7 +5529,6 @@
 "response": []
 }
 ],
- "description": "# Dashboard 业务\n\nDashboard 为预聚合计数操作,接入数据源有四处(KAFKA TOPIC):\n\n- TRAFFIC-METRICS-LOG : 功能端5秒输出一次\n- CONNECTION-RECORD-COMPLETE-LOG: 数据平台接收CONNECTION-RECORD-LOG 补全后实时输出。\n- PROXY/SECURITY-EVENT-COMPLETE-LOG: 数据平台接收PROXY/SECURITY 命中策略日志补全后实时输出。\n \n\n## 流量计数Metrics\n\n**功能端 - Kafka(TRAFFIC-METRICS-LOG 每5秒 ) - Druid**\n\n所有基础Metrics(非内容级别的统计)都为功能端提前预聚合输出到TRAFFIC-METRICS-LOG 中,最终数据平台写入Druid 中,供API查询。具体包含:\n\n- System Overview (Traffic 、New、Live)\n- Policy Hits by Action(Security)\n- Policy Hits by Action (proxy) 、Pinning\n \n\n## TOPN 计算\n\n**流程1:功能端 - Kafka(原始日志) - 补全 - Druid** // 统计安全策略与代理策略结果,每1分钟\n\n\\*_流程2:功能端 - Kafka(原始日志) - 补全 - Druid - 调度任务 - kafka -Druid \\*_ // TOPN 计算,每5分钟\n\n所有内容级别,为数据平台进行实时统计,将指标输出到Druid中,供API进行查询。具体包含:\n\n- Top Hits (security) - 流程1\n- Top Hits (proxy) - 流程1\n- Endpoints (Active Client/Server/Internal/External , Top Domains, Active Subscriber ID,Top urls) - 流程2",
 "event": [
 {
 "listen": "prerequest",
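Review bot: In the `@@ -7952,7 +5429,7 @@` hunk the new ip-learning body replaces the variable-driven window with a fixed `"intervals": ["2023-01-01 00:00:00/2024-01-02 00:00:00"]`, so this request no longer follows the `{{start_time}}`/`{{end_time}}` convention every other query body in the diff uses, and a one-year fixed interval is a far heavier scan than the rest of the collection issues; `"intervals": ["{{start_time}}/{{end_time}}"]` restores both. The same body also turns `"limit": 100` into the string `"limit": "100"`, a type change that a strict consumer can reject and that differs from the numeric limits elsewhere in the collection, so `"limit": 100` should be kept unless the API is known to require a string. The filter value carries a trailing space before its closing quote (`... 'baidu.com') "`) that looks accidental. The enclosing request object begins and ends outside the hunk.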
@@ -8340,7 +5816,7 @@ "header": [], "body": { "mode": "raw", - "raw": "{\n \"statement\" : \"SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, vsys_id, t_vsys_id, flags, flags_identify_info, security_rule_list, security_action, monitor_rule_list, sc_rule_list, sc_rsp_raw, sc_rsp_decrypted, shaping_rule_list, proxy_rule_list, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, security_mirrored_pkts, security_mirrored_bytes, client_ip, client_port, client_os_desc, client_geolocation, client_asn, subscriber_id, imei, imsi, phone_number, apn, server_ip, server_port, server_os_desc, server_geolocation, server_asn, server_fqdn, server_domain, app_transition, app, app_debug_info, app_content, fqdn_category_list, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_cert_issuer, ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, 
dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, bgp_message_type, bgp_messages, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, tunnels, dup_traffic_flag, tunnel_endpoint_a_desc, tunnel_endpoint_b_desc FROM session_record AS session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and 
recv_time < UNIX_TIMESTAMP('{{end_time}}') AND vsys_id IN (1) ORDER BY recv_time DESC LIMIT 20\" ,\n \"exec_mode\":\"blocking\",\n \"output_mode\":\"json\"\n\n}", + "raw": "{\n \"statement\" : \"SELECT recv_time, log_id, decoded_as, session_id, start_timestamp_ms, end_timestamp_ms, duration_ms, tcp_handshake_latency_ms, ingestion_time, processing_time, insert_time, device_id, out_link_id, in_link_id, device_tag, data_center, device_group, sled_ip, address_type, vsys_id, t_vsys_id, flags, flags_identify_info, security_rule_list, security_action, monitor_rule_list, sc_rule_list, sc_rsp_raw, sc_rsp_decrypted, shaping_rule_list, proxy_rule_list, proxy_action, proxy_pinning_status, proxy_intercept_status, proxy_passthrough_reason, proxy_client_side_latency_ms, proxy_server_side_latency_ms, proxy_client_side_version, proxy_server_side_version, proxy_cert_verify, proxy_intercept_error, monitor_mirrored_pkts, monitor_mirrored_bytes,ip_protocol, client_ip, client_port, client_os_desc, client_geolocation, client_asn, subscriber_id, imei, imsi, phone_number, apn, server_ip, server_port, server_os_desc, server_geolocation, server_asn, server_fqdn, server_domain, app_transition, app, app_debug_info, app_content, fqdn_category_list, decoded_path, dns_message_id, dns_qr, dns_opcode, dns_aa, dns_tc, dns_rd, dns_ra, dns_rcode, dns_qdcount, dns_ancount, dns_nscount, dns_arcount, dns_qname, dns_qtype, dns_qclass, dns_cname, dns_sub, dns_rr, dns_response_latency_ms, http_url, http_host, http_request_line, http_response_line, http_request_body, http_response_body, http_proxy_flag, http_sequence, http_cookie, http_referer, http_user_agent, http_request_content_length, http_request_content_type, http_response_content_length, http_response_content_type, http_set_cookie, http_version, http_status_code, http_response_latency_ms, http_session_duration_ms, http_action_file_size, ssl_version, ssl_sni, ssl_san, ssl_cn, ssl_handshake_latency_ms, ssl_ja3_hash, ssl_ja3s_hash, ssl_cert_issuer, 
ssl_cert_subject, ssl_esni_flag, ssl_ech_flag, dtls_cookie, dtls_version, dtls_sni, dtls_san, dtls_cn, dtls_handshake_latency_ms, dtls_ja3_fingerprint, dtls_ja3_hash, dtls_cert_issuer, dtls_cert_subject, mail_protocol_type, mail_account, mail_from_cmd, mail_to_cmd, mail_from, mail_password, mail_to, mail_cc, mail_bcc, mail_subject, mail_subject_charset, mail_attachment_name, mail_attachment_name_charset, mail_eml_file, ftp_account, ftp_url, ftp_link_type, quic_version, quic_sni, quic_user_agent, rdp_cookie, rdp_security_protocol, rdp_client_channels, rdp_keyboard_layout, rdp_client_version, rdp_client_name, rdp_client_product_id, rdp_desktop_width, rdp_desktop_height, rdp_requested_color_depth, rdp_certificate_type, rdp_certificate_count, rdp_certificate_permanent, rdp_encryption_level, rdp_encryption_method, ssh_version, ssh_auth_success, ssh_client_version, ssh_server_version, ssh_cipher_alg, ssh_mac_alg, ssh_compression_alg, ssh_kex_alg, ssh_host_key_alg, ssh_host_key, ssh_hassh, sip_call_id, sip_originator_description, sip_responder_description, sip_user_agent, sip_server, sip_originator_sdp_connect_ip, sip_originator_sdp_media_port, sip_originator_sdp_media_type, sip_originator_sdp_content, sip_responder_sdp_connect_ip, sip_responder_sdp_media_port, sip_responder_sdp_media_type, sip_responder_sdp_content, sip_duration_s, sip_bye, rtp_payload_type_c2s, rtp_payload_type_s2c, rtp_pcap_path, rtp_originator_dir, stratum_cryptocurrency, stratum_mining_pools, stratum_mining_program, stratum_mining_subscribe, bgp_message_type, bgp_messages, sent_pkts, received_pkts, sent_bytes, received_bytes, tcp_c2s_ip_fragments, tcp_s2c_ip_fragments, tcp_c2s_lost_bytes, tcp_s2c_lost_bytes, tcp_c2s_o3_pkts, tcp_s2c_o3_pkts, tcp_c2s_rtx_pkts, tcp_s2c_rtx_pkts, tcp_c2s_rtx_bytes, tcp_s2c_rtx_bytes, tcp_rtt_ms, tcp_client_isn, tcp_server_isn, packet_capture_file, in_src_mac, out_src_mac, in_dest_mac, out_dest_mac, tunnels, dup_traffic_flag, tunnel_endpoint_a_desc, 
tunnel_endpoint_b_desc FROM session_record AS session_record WHERE recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time < UNIX_TIMESTAMP('{{end_time}}') AND vsys_id IN (1) ORDER BY recv_time DESC LIMIT 20\" ,\n \"exec_mode\":\"blocking\",\n \"output_mode\":\"json\"\n\n}", "options": { "raw": { "language": "json" 
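Review bot: The new column list is inconsistently formatted where the change lands — `monitor_mirrored_bytes,ip_protocol, client_ip` drops the space after the comma that every other separator in the statement uses; `monitor_mirrored_bytes, ip_protocol, client_ip` keeps the list uniform. More importantly for a troubleshooting collection, the full-row dump still selects `mail_password`, `http_cookie`, `http_set_cookie`, `http_request_body`, `http_response_body`, `imei`, `imsi` and `phone_number`, i.e. credentials and subscriber identifiers, and Postman's history or a Newman reporter may persist these response bodies wherever the collection is run; consider dropping or masking those columns in the troubleshooting query, or adding a request description stating that its output contains credential and subscriber data and must be handled accordingly. The request URL for this query is not visible in the hunk, but the query endpoints shown elsewhere in this diff are `http://`, which is worth confirming for a request that returns this data. The enclosing request object begins and ends outside the hunk.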
@@ -8399,7 +5875,7 @@ "header": [], "body": { "mode": "raw", - "raw": "{\n \"statement\" : \"select uniq(common_client_ip) as \\\"Client IPs\\\", uniq(common_server_ip) as \\\"Server IPs\\\",uniq(common_internal_ip) as \\\"Internal IPs\\\",uniq(common_external_ip) as \\\"External IPs\\\",uniq(http_domain) as \\\"Domains\\\",uniq(http_host) as \\\"Hosts\\\", uniq(ssl_sni) as \\\"SNIs\\\" from session_record where common_recv_time >= UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = 
UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = 
UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = UNIX_TIMESTAMP('{{start_time}}') and common_recv_time = 
UNIX_TIMESTAMP('{{start_time}}') and recv_time = toDateTime('2022-07-19 00:00:00'))\n\t\tAND (common_recv_time < toDateTime('2022-07-20 00:00:00'))\n\tGROUP BY\n\t\tstat_time, common_app_label\n) group by common_app_label order by \"AVG Mbits / s\" desc", + "raw": "http://{{qgw_ip}}:{{qgw_port}}/v1/query/sql", "protocol": "http", "host": [ "{{qgw_ip}}" ], "port": "{{qgw_port}}", "path": [ - "" - ], - "query": [ - { - "key": "option", - "value": "long-term", - "disabled": true - }, - { - "key": "resultId", - "value": "129494", - "disabled": true - }, - { - "key": "query", - "value": "SELECT\n common_app_label,\t\n round(median(traffic_bytes) * 8 / 1000 / 1000 / 300,2) AS \"Medain Mbits/s\",\n\tround(avg(traffic_bytes) * 8 / 1000 / 1000 / 300,2) AS \"AVG Mbits / s\",\n\tround(QUANTILE(traffic_bytes, 0.95) * 8 / 1000 / 1000 / 300,2) as \"P95 Mbits / s\"\nFROM\n\t(\n\tSELECT\n\t common_app_label,\n\t\ttoDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))),300) * 300) as stat_time,\n\t\tround(sum(common_c2s_byte_num + common_s2c_byte_num)/ uniq(common_server_ip),2) as traffic_bytes\n\tFROM\n\t\tsession_record as ss\n\tWHERE\n\t\t(common_recv_time >= toDateTime('2022-07-19 00:00:00'))\n\t\tAND (common_recv_time < toDateTime('2022-07-20 00:00:00'))\n\tGROUP BY\n\t\tstat_time, common_app_label\n) group by common_app_label order by \"AVG Mbits / s\" desc" - } + "v1", + "query", + "sql" ] } }, "response": [] + }, + { + "name": "HTTP URL Length Distribution", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "pm.test(\"Status code is 200\", function () {", + " pm.response.to.have.status(200);", + "});", + "" + ], + "type": "text/javascript" + } + }, + { + "listen": "prerequest", + "script": { + "exec": [ + "" + ], + "type": "text/javascript" + } + } + ], + "protocolProfileBehavior": { + "followOriginalHttpMethod": false, + "followRedirects": false + }, + "request": { + "method": "POST", + "header": [], + "body": { + "mode": "raw", + "raw": "{\n 
\"statement\" : \"select round(max(url_length),2) as max, round(QUANTILE(url_length,0.9999),2) as p9999, round(QUANTILE(url_length,0.99),2) as p99, round(QUANTILE(url_length,0.95),2) as p95, round(QUANTILE(url_length,0.90),2) as p90, round(median(url_length),2) as p50 from (select length(http_url) as url_length from session_record where recv_time >= UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = UNIX_TIMESTAMP('{{start_time}}') and recv_time = '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1) group by TIME_FLOOR_WITH_FILL(UNIX_TIMESTAMP(__time),'PT30m') order by stat_time asc \",\n \"exec_mode\": \"oneshot\"\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "http://{{qgw_ip}}:{{qgw_port}}/v1/query/sql", + "protocol": "http", + "host": [ + "{{qgw_ip}}" + ], + "port": "{{qgw_port}}", + "path": [ + "v1", + "query", + "sql" + ] + }, + "description": "平均速率的两种计算方式。例如计算5分钟的平均速率:\n\n- sum(bytes)/5分钟:若5分钟内仅有30秒产生流量,产生结果将不准确\n- sum(bytes)/活跃时间 : 其中活跃时间=count(distinct(统计时间))\\* 预聚合粒度\n - 统计时间:time_floor(时间字段,'PT15S')\n - 预聚合粒度: 存储到时序数据库的统计粒度" + }, + "response": [] } ] }, 
@@ -13307,6 +10999,63 @@
 }
 },
 "response": []
+ },
+ {
+ "name": "Average usage analysis in druid",
+ "event": [
+ {
+ "listen": "test",
+ "script": {
+ "exec": [
+ "pm.test(\"Status code is 200\", function () {",
+ " pm.response.to.have.status(200);",
+ "});",
+ ""
+ ],
+ "type": "text/javascript"
+ }
+ },
+ {
+ "listen": "prerequest",
+ "script": {
+ "exec": [
+ ""
+ ],
+ "type": "text/javascript"
+ }
+ }
+ ],
+ "protocolProfileBehavior": {
+ "followOriginalHttpMethod": false,
+ "followRedirects": false
+ },
+ "request": {
+ "method": "POST",
+ "header": [],
+ "body": {
+ "mode": "raw",
+ "raw": "{\n \"statement\" : \"select time_floor(__time,'PT30m') as stat_time, sum(in_bytes + out_bytes)*8/1800/1000/1000 as normal_rate_mbps, sum(in_bytes + out_bytes)/count(distinct(time_floor(__time,'PT15S')))*8/15/1000/1000 as usage_rate_mbps from traffic_general_stat where __time >= '{{start_time}}' and __time < '{{end_time}}' and vsys_id in (1) group by time_floor(__time,'PT30m') order by stat_time asc\" ,\n \"output_mode\":\"json\",\n \"exec_mode\":\"oneshot\"\n\n}",
+ "options": {
+ "raw": {
+ "language": "json"
+ }
+ }
+ },
+ "url": {
+ "raw": "http://{{qgw_ip}}:{{qgw_port}}/v1/query/sql",
+ "protocol": "http",
+ "host": [
+ "{{qgw_ip}}"
+ ],
+ "port": "{{qgw_port}}",
+ "path": [
+ "v1",
+ "query",
+ "sql"
+ ]
+ }
+ },
+ "response": []
 }
 ]
 },
@@ -13592,7 +11341,7 @@
 "method": "GET",
 "header": [],
 "url": {
- "raw": "http://{{qgw_ip}}:{{qgw_port}}/v1/troubleshooting/benchmark?test=sql_execution&category=session_record&is_saved=0",
+ "raw": "http://{{qgw_ip}}:{{qgw_port}}/v1/troubleshooting/benchmark?test=olap_sql_dataset&is_saved=0",
 "protocol": "http",
 "host": [
 "{{qgw_ip}}"
@@ -13606,11 +11355,7 @@
 "query": [
 {
 "key": "test",
- "value": "sql_execution"
- },
- {
- "key": "category",
- "value": "session_record"
+ "value": "olap_sql_dataset"
 },
 {
 "key": "is_saved",
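Review bot: The new `Average usage analysis in druid` statement couples the literal divisors `1800` and `15` to the `'PT30m'` and `'PT15S'` granularity strings in the same expression, so changing either window silently produces wrong Mbps figures; a request-level description spelling out that `normal_rate_mbps` is bytes over the full 30-minute window and `usage_rate_mbps` is bytes over the active time (`count(distinct(time_floor(__time,'PT15S'))) * 15 s`) would make that dependency visible to whoever edits the query next. If `in_bytes`/`out_bytes` are long columns, `sum(...)*8/1800/1000/1000` may be evaluated with integer division and truncate sub-Mbps values; multiplying by `8.0` instead of `8` forces a floating-point result — confirm against the column types. The request is shipped with only a status-200 test, so a query that returns an error payload with a 200 would still pass; asserting on the presence of `stat_time` in the response body would catch that.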