Note:
Select the matching time range before running a query.
If limit is omitted, the default is 100.
Field reference for WAF (other products are similar; look up the SLS field descriptions in the product's own help documentation): https://help.aliyun.com/document_detail/95492.html
Peak QPS (busiest single second in the selected range):
host:example.com|select COUNT(*) as c ,date_trunc('second', __time__) as s GROUP by s order by c desc limit 1
Inbound bandwidth (10-minute buckets, averaged to KB/s; the second column is traffic on requests the WAF acted on):
host:example.com | select date_format(from_unixtime(__time__ - __time__ % 600), '%H:%i') as dt, round(sum(request_length)/1024.0/600, 2) as "inbound (KB/s)", round(sum(if((block_action <> ''), request_length, 0))/1024.0/600, 2) as "attack (KB/s)" group by __time__ - __time__ % 600 order by dt limit 10000
Outbound bandwidth (same bucketing, using the response size):
host:example.com | select date_format(from_unixtime(__time__ - __time__ % 600), '%H:%i') as dt, round(sum(body_bytes_sent)/1024.0/600, 2) as "outbound (KB/s)", round(sum(if((block_action <> ''), body_bytes_sent, 0))/1024.0/600, 2) as "attack (KB/s)" group by __time__ - __time__ % 600 order by dt limit 10000
Top 10 client IPs:
host:example.com|SELECT real_client_ip,COUNT(*) as c group by real_client_ip order by c desc limit 10
Top 10 request URLs:
host:example.com|SELECT request_path,COUNT(*) as c group by request_path order by c desc limit 10
URLs requested by a given IP (during a CC attack the targeted endpoints are usually concentrated):
host:example.com and real_client_ip:1.2.3.4 | SELECT request_path,COUNT(*) as c group by request_path order by c desc limit 10
Top 10 IPs hitting a given endpoint (during an attack the malicious IPs rank at the top):
host:example.com and request_path:/login.php | SELECT real_client_ip,COUNT(*) as c group by real_client_ip order by c desc limit 10
Requests per minute over the last 10 minutes, newest first (the group-by key must match the alias):
host:example.com | select COUNT(*) as c, date_trunc('minute', __time__) as minute GROUP by minute order by minute desc limit 10
Status codes (use abnormal status codes to confirm whether the backend is healthy):
host:example.com|select status, upstream_status,COUNT(*) as c GROUP by status, upstream_status order by c desc limit 10
Policies hit by an IP (find out why it was blocked):
host:example.com and real_client_ip:1.2.3.4 | select antibot,antibot_rule,COUNT(*) as c GROUP by antibot,antibot_rule order by c desc limit 10
Hits for a given policy (check the rule's effect and hit rate):
host:example.com and antibot_rule:1234 | select real_client_ip,COUNT(*) as c GROUP by real_client_ip order by c desc limit 10
SDK signature verification results:
host:example.com|select wxbb_invalid_wua,COUNT(*) as c GROUP by wxbb_invalid_wua order by c desc limit 10
Policy distribution: which modules produced hits
host:example.com |select block_action,COUNT(*) as c group by block_action order by c desc limit 100
Modules that hit a given IP
host:example.com and real_client_ip:1.1.1.1 | select block_action,COUNT(*) as c group by block_action order by c desc limit 10
IPs hit by the "Web application attack protection" module (block_action:waf)
host:example.com and block_action:waf |select real_client_ip,COUNT(*) as c group by real_client_ip order by c desc limit 10
If an IP was hit by the "Web application attack protection" module, find the matching rule ID and action
host:example.com and block_action:waf and real_client_ip:1.1.1.1 |select waf_rule_id,waf_action,COUNT(*) as c group by waf_rule_id,waf_action order by c desc limit 10
IPs hit by the "CC protection" module (block_action:tmd)
host:example.com and block_action:tmd |select real_client_ip,COUNT(*) as c group by real_client_ip order by c desc limit 10
If an IP was hit by the "CC protection" module, find the matching CC phase and action
host:example.com and block_action:tmd and real_client_ip:1.1.1.1 |select cc_phase,cc_action,COUNT(*) as c group by cc_phase,cc_action order by c desc limit 10
Requests per minute over the last 10 minutes, newest first; replace desc with asc for ascending order (the time field is __time__, and the group-by key must match the alias):
host:example.com | SELECT COUNT(*) as c, date_trunc('minute', __time__) as minute GROUP by minute order by minute desc limit 10
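The queries above are cheap to run in the SLS console, but it helps to know exactly what they compute before trusting the numbers in an incident report. The following is an added example, not code from the page or from Alibaba Cloud: it replays the peak-QPS query, the 10-minute bandwidth bucketing (`__time__ - __time__ % 600`, then `/1024.0/600` to get KB/s) and the `group by ... order by c desc limit N` pattern used by the IP, URL, module and rule breakdowns over a constructed set of WAF log records, so the arithmetic can be checked offline against exported log lines. The field names follow the WAF log fields the queries use; the IPs, rule ID, cc_phase and action values are placeholders, not real WAF values, and timestamps are rendered in UTC whereas the console uses the project's time zone.

```python
"""Offline replay of the SLS WAF queries over constructed sample records.

Added example, not from the page or Alibaba Cloud. It re-implements the
aggregations (per-second peak, 10-minute bandwidth buckets, group-by counts)
so their results can be checked against exported log lines.
"""
from collections import Counter
from datetime import datetime, timezone

# T0 is a multiple of 600 so it opens a 10-minute bucket: 2023-11-14 22:20:00 UTC.
T0 = 1_700_000_400


def _rec(t, ip, path, req_len, body, block_action="", **extra):
    """Build one record using the WAF log field names the queries rely on."""
    r = {"__time__": t, "real_client_ip": ip, "request_path": path,
         "request_length": req_len, "body_bytes_sent": body,
         "block_action": block_action}
    r.update(extra)
    return r


# Constructed sample, not real traffic. The rule ID, cc_phase and action
# values are placeholders; the WAF field reference lists the real value sets.
SAMPLE_LOGS = (
    [_rec(T0 + i, "10.0.0.1", "/index.html", 61440, 204800) for i in range(3)]
    + [_rec(T0 + 5, "1.2.3.4", "/login.php", 122880, 1024, "tmd",
            cc_phase="qps_overmax", cc_action="close") for _ in range(5)]
    + [_rec(T0 + 650, "10.0.0.2", "/api/data", 30720, 3072000)]
    + [_rec(T0 + 700, "5.6.7.8", "/login.php", 6144, 1024, "waf",
            waf_rule_id="100001", waf_action="block")]
)


def peak_qps(logs):
    """Mirror of the peak-QPS query: count per second, return the busiest one."""
    per_second = Counter(r["__time__"] for r in logs)
    # order by c desc limit 1; ties are broken toward the earliest second here
    second, count = max(per_second.items(), key=lambda kv: (kv[1], -kv[0]))
    return second, count


def bandwidth_per_bucket(logs, byte_field, window=600):
    """Mirror of the bandwidth queries: sum bytes per `window` seconds, divide
    by the window length to get KB/s. The second value of each pair is the
    share carried by requests the WAF acted on (block_action non-empty)."""
    total, attack = Counter(), Counter()
    for r in logs:
        bucket = r["__time__"] - r["__time__"] % window  # __time__ - __time__ % 600
        total[bucket] += r[byte_field]
        if r["block_action"] != "":
            attack[bucket] += r[byte_field]
    out = {}
    for bucket in sorted(total):
        # date_format(from_unixtime(bucket), '%H:%i'), rendered in UTC here
        label = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%H:%M")
        out[label] = (round(total[bucket] / 1024.0 / window, 2),
                      round(attack[bucket] / 1024.0 / window, 2))
    return out


def group_count(logs, fields, where=None, limit=10):
    """Mirror of `select f1, f2, count(*) as c group by f1, f2 order by c desc
    limit N`; `where` stands in for the search clause before the pipe."""
    counts = Counter(tuple(r.get(f, "") for f in fields)
                     for r in logs if where is None or where(r))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    print("busiest second:", peak_qps(SAMPLE_LOGS))
    print("inbound KB/s per 10 min (total, attack):",
          bandwidth_per_bucket(SAMPLE_LOGS, "request_length"))
    print("top IPs on /login.php:",
          group_count(SAMPLE_LOGS, ("real_client_ip",),
                      where=lambda r: r["request_path"] == "/login.php"))
    print("what acted on 1.2.3.4:",
          group_count(SAMPLE_LOGS, ("block_action", "cc_phase", "cc_action"),
                      where=lambda r: r["real_client_ip"] == "1.2.3.4"))
```

Two things the replay makes visible: a handful of ordinary-sized requests rounds to 0.00 KB/s once spread over a 600-second window, so the bandwidth queries are only meaningful under sustained load, and `attack` is simply "requests with a non-empty block_action", so it counts bytes the WAF handled rather than bytes that reached the backend.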