All Products
Search

This Product

    Network Intelligence Service:Data source management

    Document Center

    Network Intelligence Service:Data source management

    Last Updated:Sep 20, 2025

    After you create an NIS Traffic Analyzer instance, you must add a data source to analyze its traffic. NIS Traffic Analyzer supports two types of data sources: VPC flow logs and transit router (TR) flow logs.

    Add an existing data source

    You can add existing data sources directly to NIS Traffic Analyzer.

    Important

    When you add a flow log as a data source to NIS Traffic Analyzer, you will incur processing fees and storage fees. For more information, see Billing of NIS Traffic Analyzer.

    1. Go to the product page of the target NIS Traffic Analyzer instance. On the Basic Information > VPC Flow Log tab, click Add Data Source.

    2. On the Add Data Source page, click the tab for the data source that you want to add:

      VPC Flow Log

      Select the target flow log and click OK.

      Important

      The sampling interval of the new flow log must be less than or equal to the sampling interval configured for the NIS Traffic Analyzer instance.

      Transit Router Flow Log

      Select the target flow log and click OK.

      Important

      The sampling interval of the new flow log must be less than or equal to the sampling interval configured for the NIS Traffic Analyzer instance.

    Create and add a new data source

    If you have not created a VPC or TR flow log, you can create one on the data source page and then add it to NIS Traffic Analyzer.

    Important

    1. Go to the product page of the target NIS Traffic Analyzer instance. On the Basic Information > VPC Flow Log tab, click Add Data Source.

    2. On the Add Data Source page, click the tab for the data source that you want to add:

      VPC Flow Log

      1. Click Create Flow Log. In the dialog box that appears, set the Collection Configuration parameters:

        Important

        The sampling interval of the new flow log must be less than or equal to the sampling interval configured for the NIS Traffic Analyzer instance.

        1. Region: Select the region of the resource you want to monitor.

        2. Resource Type and Resource Instance: You can set the collection granularity to Elastic Network Interface (ENI), vSwitch, or VPC. If you select VPC or vSwitch, the system monitors the traffic of all ENIs within the selected resource.

        3. Traffic Type: Select whether to capture traffic that is allowed or rejected by access control rules, such as security group rules and network ACL rules.

        4. IP Version: You can select IPv4 to capture only IPv4 traffic, or Dual-stack to capture both IPv4 and IPv6 traffic. The following regions support IPv6: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Hohhot), China (Shenzhen), Singapore, US (Silicon Valley), and US (Virginia).

        5. Sampling Interval (Minutes): The duration of the capture window for aggregating traffic information. You can set the interval to 1, 5, or 10 minutes. A shorter interval generates flow logs more frequently, which helps you discover and locate issues faster. A longer interval provides less timely data but reduces the number of log entries and saves costs.

          For example, for a TCP session that maintains a persistent connection, a 1-minute window produces 60 log records per hour, while a 10-minute window produces only 6 log records.

          If multiple flow log instances in a VPC collect traffic from the same ENI, the shortest sampling interval among all instances is used as the actual capture window.

        6. Sampling Path: You can select specific collection scenarios to reduce usage costs. To do this, first deselect the default All Scenarios option.

          You can select traffic that passes through the following network elements: IPv4 gateway, NAT Gateway, VPN Gateway, transit router (TR), gateway endpoint, virtual border router (VBR), Express Connect Router (ECR), and Gateway Load Balancer (GWLB) endpoint.

      2. Select the target flow log and click OK.

      Transit Router Flow Log

      1. Click Create Flow Log. In the Create Flow Log dialog box:

        1. First, set the Collection Configuration parameters:

          • CEN: Select the Cloud Enterprise Network (CEN) that contains the target transit router.

          • TransitRouter: Select the target transit router.

          • Instance: Select the resource from which to collect traffic.

            • If you select Inter-region Connection, only unidirectional traffic that flows out of the transit router is collected.

            • If you select VBR Connection, VPC Connection, VPN Connection, or ECR Connection, bidirectional traffic that flows into and out of the transit router is collected.

            • If you select TR, traffic is collected from all network instance connections on the transit router. This includes inter-region connections, VBR connections, VPC connections, VPN connections, and ECR connections. The collection direction for each resource type is the same as described in the preceding items.

          • Sampling Interval: The interval at which traffic information is aggregated into a flow log. You can select 1, 5, or 10 minutes. A smaller interval provides more timely data, which helps you discover and resolve issues faster. A larger interval is less timely but generates fewer log entries, which helps reduce costs. For example, for a persistent TCP session, a 1-minute interval generates 60 log entries per hour, whereas a 10-minute interval generates only 6.

            Important

            The sampling interval of the new flow log must be less than or equal to the sampling interval configured for the NIS Traffic Analyzer instance.

        2. Then, set the Analysis And Delivery Configuration > Log Format parameters:

          • Default Format: Collects all fields.

          • Custom Format: Collects only the fields that you select. The `srcaddr`, `dstaddr`, and `bytes` fields are required. Selecting fewer fields simplifies the log information and reduces costs.

            After you select a log format, the system automatically generates a log format string. You can click the Copy Selected Format button to create multiple flow logs with the same format in a batch operation by calling an API.

        3. After you confirm the settings, click OK.

      2. After the flow log is created, on the Add Data Source page, click the Transit Router Flow Log tab. Select the flow log that you just created and click OK.

    Remove a data source

    In the Actions column of the target data source, click Remove.

    This operation removes the data source only from NIS Traffic Analyzer. This operation does not delete the traffic analysis data that is already stored in NIS Traffic Analyzer or the flow log collection task that corresponds to the data source. To delete the collection task, see Delete a VPC flow log and Delete a TR flow log.