Network Intelligence Service:Data source management

Add an existing data source

If you have an existing data source, such as a VPC flow log or TR flow log, you can add it directly to NIS Traffic Analyzer.

1. Go to the details page of the target NIS Traffic Analyzer. On the Basic Information > VPC flow log tab, click Add data source.

2. On the Add data source page, click the VPC flow log or TR flow log tab. Select the Region where the flow log is located, select the checkbox next to the target flow log, and then click OK.

   The sampling interval of a new data source must be less than or equal to the sampling interval of the current NIS Traffic Analyzer.

Create and add a new data source

If you do not have a VPC flow log or TR flow log, you can create one on the data source page and add it to NIS Traffic Analyzer.

1. Go to the details page of the target NIS Traffic Analyzer. On the Basic Information > VPC flow log tab, click Add data source.

2. On the Add data source page, click the tab for the data source that you want to create:

   VPC flow log

   1. Click Create flow log and configure the Collection Settings parameters in the dialog box:

      Important

      The sampling interval of a new data source must be less than or equal to the sampling interval of the current NIS Traffic Analyzer.

      Parameter

      Region: Select the region of the resource to monitor. Resource Type and Resource Instance: Set the collection granularity to VPC, vSwitch, or ENI. If you select a VPC or vSwitch, the system monitors the traffic of all ENIs within the selected resource. Data Transfer Type: Select the type of traffic to capture: traffic that is allowed or rejected by access control rules, such as security group and network ACL rules. IP Version: Select IPv4 to capture only IPv4 traffic, or select Dual-stack to capture both IPv4 and IPv6 traffic. The following regions support IPv6: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Hohhot), China (Shenzhen), Singapore, US (Silicon Valley), and US (Virginia). Sampling Interval (Minutes): The capture window for aggregating traffic information. You can set the interval to 1, 5, or 10 minutes. A shorter interval generates flow logs more frequently, which helps you identify and troubleshoot issues faster. A longer interval provides less timely data but reduces the number of log entries and helps save costs. For example, for a TCP session that maintains a persistent connection, a 1-minute window produces 60 log entries per hour, while a 10-minute window produces only 6. If multiple flow log instances in a VPC collect traffic from the same ENI, the shortest sampling interval among all instances becomes the actual capture period. Sampling Path: You can select specific collection scenarios to reduce usage costs. Before you make a selection, you must deselect the default All Scenarios option. You can select traffic that passes through the following components: IPv4 gateways, NAT Gateway, VPN Gateway, Transit Router (TR), gateway endpoints, virtual border router (VBR), Express Connect Router (ECR), Gateway Load Balancer (GWLB) endpoints, and traffic to the internet.

   2. After the flow log is created, the system automatically adds it to NIS Traffic Analyzer.

   TR flow log

   1. Click Create flow log. In the Create flow log dialog box:

      Parameter

      First, configure Collection Settings: CEN: Select the Cloud Enterprise Network (CEN) where the target Transit Router is deployed. Transit Router: Select the target Transit Router (TR). Instance: Specifies the resource to monitor. The direction of traffic collection depends on the resource type: For an Inter-region Connection, only one-way outbound traffic from the TR is collected. For a VBR Connection, VPC Connection, VPN Connections, or ECR Connection, both inbound and outbound traffic are collected. If you select TR, traffic is collected for all network instance connections on the TR, including inter-region, VBR, VPC, VPN, and ECR connections. The collection direction for each connection type is the same as described above. Sampling Interval: The time window for aggregating traffic into flow log records. You can select 1 minute, 5 minutes, or 10 minutes. A shorter window generates flow logs more frequently, which helps you detect and troubleshoot issues faster. A longer window reduces timeliness but also decreases the number of log entries to save costs. Important The sampling interval of a new data source must be less than or equal to the sampling interval of the current NIS Traffic Analyzer. Configure Analysis and Delivery > Log Format: Default Format: Uses the default set of log fields. Custom Format: Allows you to select specific fields to include in the log. This option supports more fields than the default format. Selecting fewer fields can simplify log data and reduce costs. The srcaddr, dstaddr, and bytes fields are required. After you select a log format, the system generates a string representation of the format. Click Copy selected format to reuse this format when you call an API to create flow logs in bulk. After you confirm the settings, click OK.

   2. After the flow log is created, click Deliver to Traffic Analyzer to start analyzing TR traffic.

Remove a data source

In the Remove Data Source column for the target data source, click Remove Data Source.

This operation only disassociates the data source from NIS Traffic Analyzer. It does not delete the analysis data that is already stored in the analyzer, nor does it delete the flow log collection task. To delete the collection task, see Delete a VPC flow log and Delete a TR flow log.