After you enable the mitigation analysis feature, you can query and analyze mitigation logs that record the events of an Anti-DDoS Origin instance. The events include traffic scrubbing, blackhole filtering, and traffic rerouting.

Prerequisites

The mitigation analysis feature is enabled. For more information, see Enable mitigation analysis.

Query and analyze mitigation logs

  1. Log on to the Traffic Security console.
  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Analysis (Beta).
  3. In the top navigation bar, select the resource group and region of your instance.
  4. On the Mitigation Analysis (Beta) page, select an Anti-DDoS Origin instance.
    Note To query the mitigation logs, you must turn on Status for the mitigation analysis feature. For information about how to enable the feature, see Enable mitigation analysis.
  5. Enter a query statement in the input field.
    A query statement consists of a search statement and an analytic statement in the format of Search statement|Analytic statement. For more information, see Search syntax and SQL syntax.
  6. In the upper-right corner of the page that appears, click 15 Minutes(Relative) to specify a time range for the query.
    You can select a relative time or a time frame. You can also specify a custom time range.
    Note The query results contain reports that are generated 1 minute earlier or later than the specified time range.
  7. Click Search & Analyze to view the query and analysis results.

Manage query and analysis results

Log Service displays query and analysis results in a log distribution histogram, on the Raw Logs tab, and on the Graph tab. Log Service allows you to perform operations on the results. For example, you can configure alerts and create saved searches.
Note When you execute a query statement, only 100 lines of data are returned by default. You can use a LIMIT clause to specify the number of lines that can be returned. For more information, see LIMIT clause.
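The two notes above (results can include entries up to 1 minute outside the selected time range, and only 100 lines are returned unless a LIMIT clause is given) matter when mitigation logs are exported and stitched together for an incident timeline. The following Python code is an added example, not part of the original documentation or of Log Service: it builds a Search statement|Analytic statement query with an explicit LIMIT, trims each result set to its exact window, and merges adjacent windows without duplicates. The event_type field and the sample rows are constructed for illustration; __time__ is the Log Service reserved log-time field.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_ROWS = 100  # rows returned when the analytic statement has no LIMIT clause

def build_query(search, analytic, limit=None):
    """Join search and analytic statements with '|'; append LIMIT when requested."""
    stmt = analytic.strip().rstrip(";")
    if limit is not None:
        if " limit " in f" {stmt.lower()} ":
            raise ValueError("analytic statement already contains a LIMIT clause")
        stmt = f"{stmt} LIMIT {int(limit)}"
    return f"{search.strip()} | {stmt}"

def trim_to_window(rows, start, end, time_key="__time__"):
    """Keep rows in [start, end); results may hold entries up to 1 minute outside."""
    lo, hi = int(start.timestamp()), int(end.timestamp())
    return [r for r in rows if lo <= int(r[time_key]) < hi]

def maybe_truncated(rows, limit=None):
    """True when the row count reached the cap, so later rows may be missing."""
    return len(rows) >= (DEFAULT_ROWS if limit is None else limit)

def stitch(windows):
    """Merge (start, end, rows) results from adjacent windows without duplicates."""
    merged = []
    for start, end, rows in windows:
        merged.extend(trim_to_window(rows, start, end))
    return sorted(merged, key=lambda r: int(r["__time__"]))

def ts(dt, offset=0):
    """Unix timestamp of dt shifted by offset seconds."""
    return int(dt.timestamp()) + offset

# Constructed sample: two adjacent 15-minute windows; event_type is a hypothetical field.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
T1, T2 = T0 + timedelta(minutes=15), T0 + timedelta(minutes=30)
EDGE = {"__time__": ts(T1, 20), "event_type": "blackhole"}  # returned by both windows
WINDOW_A = [{"__time__": ts(T0, -30), "event_type": "scrubbing"},  # 30 s before window A
            {"__time__": ts(T0, 60), "event_type": "scrubbing"}, EDGE]
WINDOW_B = [EDGE, {"__time__": ts(T2, -5), "event_type": "rerouting"}]

if __name__ == "__main__":
    print(build_query("*", "SELECT __time__, event_type", limit=1000))
    for row in stitch([(T0, T1, WINDOW_A), (T1, T2, WINDOW_B)]):
        print(row)
    print("window A possibly truncated:", maybe_truncated(WINDOW_A))
```

If maybe_truncated returns True for a window, rerun that window with a higher LIMIT or a shorter time range before relying on the merged timeline.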
  • Log distribution histogram
    The log distribution histogram shows the distribution of returned logs in different periods of time.
    • When you move the pointer over a green rectangle, you can view the period of time that is represented by the rectangle and the number of returned logs within the period.
    • If you click a green rectangle, you can view log distribution at a finer-grained level. In addition, you can view the returned logs within the period of time on the Raw Logs tab.
  • Raw Logs tab
    The Raw Logs tab displays the logs that are queried. You can click the Table or Raw Data tab to view the logs and perform the following operations:
    • Quick Analysis: You can analyze the distribution of a field within a period of time. For more information, see Quick analysis.
      You can click the Alias icon to specify whether to show the names or aliases of fields. You can create aliases when you configure indexes. For example, if the alias of host_name is host, host is displayed in the Quick Analysis list after you select Show Field Aliases.
      Note If a field does not have an alias, the name of the field is displayed in the Quick Analysis list even if you select Show Field Aliases.
    • Context query: On the Raw Data tab, you can find a log and click the context query icon to query the context information about the log in the raw log file. For more information, see Context query.
      Note You can perform context query only on the logs that are collected by Logtail.
    • LiveTail: On the Raw Data tab, you can find a log and click the LiveTail icon to monitor logs in real time and extract important information from the logs. For more information, see LiveTail.
      Note You can use LiveTail only on the logs that are collected by Logtail.
    • Tag Configurations: On the Raw Data tab, you can click the Settings icon and select Tag Configurations to hide less important fields.
    • Column Settings: On the Table tab, you can click the Settings icon and select Column Settings to specify the columns that you want to display in the table. The column names are field names, and the column content is field values.
    • JSON Configurations: On the Table or Raw Data tab, you can click the Settings icon and select JSON Configurations to specify the level for JSON expansion.
    • Event Settings: On the Table or Raw Data tab, you can click the Settings icon and select Event Settings to configure events for raw logs. For more information, see Configure events.
    • Log Download: On the Table or Raw Data tab, you can click the Log Download icon to download logs. You can specify the tool that is used to download logs and the range of logs to download. For more information, see Download logs.
  • Graph tab
    After you execute a query statement, you can view the query and analysis results on the Graph tab.
    • View query and analysis results: Log Service renders the results of the query statement to charts. Log Service provides various types of charts, such as tables, line charts, and column charts. For more information, see Chart overview.
    • Add a chart to a dashboard: Log Service provides dashboards on which you can analyze data in real time. You can click Add to New Dashboard to save the query and analysis results as a chart to a dashboard. For more information, see Visualization overview.
    • Configure interactive events: Interactive events are important for data analysis. You can use interactive events to switch between the levels of data dimensions and the analysis granularities to obtain more detailed information. Interactive events include events to open a Logstore, open quick analysis, open a dashboard, open trace analysis, open trace details, and customize an HTTP link. For more information, see Configure a drill-down event.
  • LogReduce tab

    On the LogReduce tab, you can click Enable LogReduce to cluster similar logs during log collection. For more information, see LogReduce.

  • Alerting

    On the query and analysis page, you can choose Save as Alert > New Alert to configure alerts based on the query and analysis results. For more information, see Configure an alert in Log Service.

  • Saved search

    On the query and analysis page, you can click Save Search to save a query statement as a saved search. For more information, see Saved search.