All Products
Search

This Product

    Web Application Firewall:DescribeNetworkFlowTopNMetric

    Document Center

    Web Application Firewall:DescribeNetworkFlowTopNMetric

    Last Updated:Mar 11, 2026

    Queries the top N statistics for all traffic that passes through Web Application Firewall (WAF), including malicious and normal service requests. The results are aggregated by different dimensions and sorted in descending order.

    Try it now

    Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

    Test

    RAM authorization

    The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

    • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

    • API: The API that you can call to perform the action.

    • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

    • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

      • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

      • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

    • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

    • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

    Action

    Access level

    Resource type

    Condition key

    Dependent action

    yundun-waf:DescribeNetworkFlowTopNMetric

    get

    *All Resource

    *

    		 None None

    Request parameters

    Parameter

    Type

    Required

    Description

    Example
    InstanceId

    string

    Yes

    The ID of the WAF instance.

    Note

    You can call the DescribeInstance operation to query the ID of the WAF instance.

    waf_cdnsdf3****

    Filter

    object

    Yes

    The filter conditions for the query. If you specify multiple filter conditions, all conditions must be met (logical AND).

    DateRange

    object

    Yes

    The time range to query.

    StartDate

    integer

    Yes

    The beginning of the time range to query. This value is a UNIX timestamp. Unit: seconds. The time range cannot exceed the last 30 days.

    Note

    The start time must be later than 30 days before the current time.

    1713888000

    EndDate

    integer

    Yes

    The end of the time range to query. This value is a UNIX timestamp. Unit: seconds.

    1713888600

    Conditions

    array

    No

    The list of filter conditions.

    object

    No

    A single filter condition. A filter condition consists of a field name (Key), an operator (OpValue), and a filter value (Values). For more information about supported field names and operators, see the Additional information about request parameters section.

    Key

    string

    No

    The field name to use for filtering. Valid values:

    • matched_host

    • cluster

    matched_host

    OpValue

    string

    No

    The operator that is used for the filter condition. For more information about supported operators, see the Additional information about request parameters section.

    eq

    Values

    any

    No

    The value to use for the filter condition. The value format depends on the Key and OpValue that you specify.

    test.waf-top

    Limit

    integer

    Yes

    The maximum number of entries to return. Results are sorted in descending order. Maximum value: 10.

    10
    Metric

    string

    Yes

    The metric by which to query and rank data. Valid values:

    • real_client_ip: Returns the top N source IP addresses of requests that are sent to WAF. The data is aggregated by source IP address and sorted in descending order.

    • http_user_agent: Returns the top N user agents of requests that are sent to WAF. The data is aggregated by user agent and sorted in descending order.

    • request_path: Returns the top N request URLs. The data is aggregated by URL and sorted in descending order.

    • matched_host_by_total_requests: Returns the top N protected objects by total number of requests received.

    • matched_host_by_qps: Returns the top N protected objects by queries per second (QPS).

    • matched_host_by_status: Returns the top N protected objects based on a specific WAF-returned HTTP status code. The data is aggregated by protected object and sorted in descending order. If you set Metric to this value, you must specify the status field in the Conditions parameter of Filter. The format is as follows:
      {"Key":"status","OpValue":"eq","Values":"200"}

    • matched_host_by_upstream_status: Returns the top N protected objects based on a specific origin server-returned HTTP status code. The data is aggregated by protected object and sorted in descending order. If you set Metric to this value, you must specify the upstream_status field in the Conditions parameter of Filter. The format is as follows:
      {"Key":"upstream_status","OpValue":"eq","Values":"200"}

    matched_host_by_upstream_status
    RegionId

    string

    No

    The region in which the WAF instance resides. Valid values:

    • cn-hangzhou: the Chinese mainland.

    • ap-southeast-1: outside the Chinese mainland.

    cn-hangzhou

    ResourceManagerResourceGroupId

    string

    No

    The ID of the Alibaba Cloud resource group.

    rg-acfm***q

    Description of operators

    Operator Meaning Description
    all-not-match Does not equal any of the values The field value is not equal to any of the specified values. For example, to exclude requests from specific source IP addresses:
    {"Key":"real_client_ip","OpValue":"all-not-match","Values":["1.XX.XX.1","2.XX.XX.2","3.XX.XX.3"]}
    eq Equals The field value equals the specified string. For example, to query statistics for requests with the URL path "/testcase":
    {"Key":"request_path","OpValue":"eq","Values":"/testcase"}
    match-one Equals one of the values The field value equals one of the specified values. For example, to query statistics for requests from specific source IP addresses:
    {"Key":"real_client_ip","OpValue":"match-one","Values":["1.XX.XX.1","2.XX.XX.2","3.XX.XX.3"]}
    ne Does not equal The field value does not equal the specified string. For example, to exclude requests with the URL path "/testcase":
    {"Key":"request_path","OpValue":"ne","Values":"/testcase"}

    Supported keys for filter conditions

    Field name Field description Supported operators
    cluster The protection cluster. ne, eq,
    match-one,
    all-not-match
    matched_host The protected object. ne, eq,
    match-one,
    all-not-match

    Response elements

    Element

    Type

    Description

    Example

    object

    The response body. For more information about the format, see the Examples section.

    RequestId

    string

    The ID of the request.

    D827FCFE-90A7-4330-9326-******4C7726
    NetworkFlowTopNValues

    array<object>

    An array of the top N statistics.

    object

    A single entry in the top N ranking results.

    Name

    string

    The dimension value that corresponds to the specified Metric request parameter. For example, if the Metric is set to real_client_ip, this parameter indicates the source IP address.

    127.0.0.1
    Attribute

    string

    The additional attribute associated with the entry. For example, when the Metric is set to real_client_ip, this parameter indicates the country or region to which the IP address belongs.

    CN
    Value

    integer

    The total number of requests or the QPS value, depending on the specified Metric. This value is used for top N ranking.

    1123
    TopNMetaData

    object

    The metadata of the returned data.

    DateRange

    object

    The time range used for the query.

    StartDate

    integer

    The beginning of the time range. This value is a UNIX timestamp. Unit: seconds.

    1713888000

    EndDate

    integer

    The end of the time range. This value is a UNIX timestamp. Unit: seconds.

    1713888600

    Units

    string

    The unit of the returned statistical data.

    requests

    Examples

    Success response

    JSON format

    {
  "RequestId": "D827FCFE-90A7-4330-9326-******4C7726",
  "NetworkFlowTopNValues": [
    {
      "Name": "127.0.0.1",
      "Attribute": " CN",
      "Value": 1123
    }
  ],
  "TopNMetaData": {
    "DateRange": {
      "StartDate": 1713888000,
      "EndDate": 1713888600
    },
    "Units": "requests\n"
  }
}

    Error codes

    HTTP status code

    Error code

    Error message

    Description
    400 Waf.Report.%s Invalid parameter:%s. Invalid parameter:%s
    400 Waf.Report.InternalError Server error occurred in report service. Report Service Internal Error

    See Error Codes for a complete list.

    Release notes

    See Release Notes for a complete list.