After you enable Anti-Bot Service for a domain name, you can run statements to query and analyze requests sent to the domain, and logs about attack and defense events. This topic provides the commonly used statements for log query and analytics. You can write statements to query log data based on your actual needs.

Note You can change the value of limit to specify the number of entries to be returned. For example, limit 10 indicates that 10 log entries are returned. If you do not specify the value of limit, the system returns the first 100 entries.

Query information about access requests to a website

  • Query inbound traffic
    host:example.com | SELECT
    date_format(from_unixtime(__time__ - __time__% 600), '%H:%i') as dt,
    round(sum(request_length)/1024.0/600, 2) as "inbound traffic (KB/s)", round(sum(if((block_action <> ''),
    request_length, 0))/1024.0/600, 2) as "attack traffic (KB/s)"
    group by __time__ - __time__% 600 order by dt limit 10000
  • Query outbound traffic
    host:example.com | SELECT
    date_format(from_unixtime(__time__ - __time__% 600), '%H:%i') as dt,
    round(sum(body_bytes_sent)/1024.0/600, 2) as "outbound traffic (KB/s)", round(sum(if((block_action <> ''),
    body_bytes_sent, 0))/1024.0/600, 2) as "attack traffic (KB/s)"
    group by __time__ - __time__% 600 order by dt limit 10000
  • Query peak request rate
    host:example.com |SELECT COUNT(*) as c,date_trunc('second', __time__) as s GROUP by s order by c desc limit 1
  • Query the number of requests per minute in the last 10 minutes (in descending order by time)
    host:example.com |SELECT COUNT(*) as c,date_trunc('minute', __time__) as minute GROUP by minute order by minute desc limit 10
  • Query the top 10 client IP addresses that visit the website most frequently
    host:example.com |SELECT real_client_ip,COUNT(*) as c group by real_client_ip order by c desc limit 10
  • Query the top 10 most visited URLs
    host:example.com |SELECT request_path,COUNT(*) as c group by request_path order by c desc limit 10
  • Query HTTP status codes
    Note HTTP status codes help you determine whether your website services run properly.
    host:example.com |SELECT status, upstream_status,COUNT(*) as c GROUP by status, upstream_status order by c desc limit 10

Query information about website protection

  • Query the top 10 client IP addresses that visit a specified URL or endpoint most frequently
    Note IP addresses that attackers use to launch attacks on your website typically rank high in this list.
    host:example.com and request_path:/login.php |SELECT real_client_ip,COUNT(*) as c group by real_client_ip order by c desc limit 10
  • Query URLs visited by a specified IP address
    Note Malicious IP addresses that launch HTTP flood attacks typically target specific URLs or endpoints.
    host:example.com and real_client_ip:1.2.3.4 |SELECT request_path,COUNT(*) as c group by request_path order by c desc limit 10
  • Query IDs of protection policies that are hit by requests from specified client IP addresses
    host:example.com and real_client_ip:1.2.3.4 |SELECT antibot,antibot_rule,COUNT(*) as c GROUP by antibot,antibot_rule  order by c desc limit 10
  • Query whether specified protection policies are hit
    Note You can study the protection effects and hit rate of the protection policies based on the query results.
    host:example.com and antibot_rule:1234 |SELECT real_client_ip,COUNT(*) as c GROUP by real_client_ip order by c desc limit 10
  • Query the signature authentication status of the SDK that is used to enhance protection
    host:taobao.com |SELECT wxbb_invalid_wua,COUNT(*) as c GROUP by wxbb_invalid_wua order by c desc limit 10
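As an added example that is not part of the original documentation, the statement below combines the access-request and protection fields used above into one 10-minute breakdown: total requests, requests that received a block action, the resulting block rate, and the number of distinct client IP addresses per interval. A high block rate coming from few distinct addresses points to a concentrated source, while the same rate spread over many addresses suggests a distributed flood. It assumes the same example.com domain and the same field names as the statements above; the bucketing reuses the page's __time__ - __time__ % 600 pattern.

```sql
host:example.com | SELECT
  date_format(from_unixtime(__time__ - __time__ % 600), '%H:%i') as dt,
  COUNT(*) as total_requests,
  sum(if(block_action <> '', 1, 0)) as blocked_requests,
  round(sum(if(block_action <> '', 1, 0)) * 100.0 / COUNT(*), 2) as "block rate (%)",
  count(distinct real_client_ip) as distinct_client_ips
GROUP by __time__ - __time__ % 600
order by dt limit 1000
```

Add a condition such as antibot_rule:1234 before the pipe to restrict the breakdown to a single protection policy.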