全部产品
Search
文档中心

Web 应用防火墙:查询与分析语句

更新时间:Aug 25, 2023

本文介绍了使用WAF日志服务配置常用业务指标监控及告警时,用到的日志查询与分析语句。

request_time_msec

指标释义:表示客户端从发起请求到获得返回结果的请求耗时。

* |
SELECT
  user_id,
  host,
  round(
    round(request_time_cnt * 1.0000 / countall, 4) * 100,
    2
  ) AS percent
FROM  (
    SELECT
      user_id,
      host,
      count_if(request_time_msec > 500) AS request_time_cnt,
      COUNT(*) AS countall
    FROM      log
    GROUP BY
      user_id,
      host
  )
GROUP BY
  user_id,
  host,
  percent

upstream_response_time

指标释义:表示WAF转发客户端请求到源站服务器,源站返回数据的响应时间。

* |
SELECT
  user_id,
  host,
  round(
    round(
      upstream_response_time_cnt * 1.0000 / countall,
      4
    ) * 100,
    2
  ) AS percent
FROM  (
    SELECT
      user_id,
      host,
      count_if(upstream_response_time > 500) AS upstream_response_time_cnt,
      COUNT(*) AS countall
    FROM      log
    GROUP BY
      user_id,
      host
  )
GROUP BY
  user_id,
  host,
  percent

status:200

指标释义:表示服务器已成功处理请求,返回了被请求的数据。

* |
SELECT
  user_id,
  host AS "域名",
  Rate_200 AS "200比例",
  Rate_302 AS "302比例",
  Rate_404 AS "404比例",
  Rate_405 AS "405比例",
  Rate_444 AS "444比例",
  Rate_499 AS "499比例",
  Rate_500 AS "500比例",
  Rate_502 AS "502比例",
  Rate_503 AS "503比例",
  Rate_504 AS "504比例",
  countall / 60 AS "aveQPS",
  status_200,
  status_302,
  status_404,
  status_405,
  status_444,
  status_499,
  status_500,
  status_502,
  status_503,
  status_504,
  countall
FROM  (
    SELECT
      user_id,
      host,
      round(
        round(status_200 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_200,
      round(
        round(status_302 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_302,
      round(
        round (status_404 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_404,
      round(
        round (status_405 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_405,
      round(
        round (status_444 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_444,
      round(
        round (status_499 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_499,
      round(
        round(status_500 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_500,
      round(
        round(status_502 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_502,
      round(
        round(status_503 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_503,
      round(
        round(status_504 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_504,
      status_200,
      status_302,
      status_404,
      status_405,
      status_444,
      status_499,
      status_500,
      status_502,
      status_503,
      status_504,
      countall
    FROM      (
        SELECT
          user_id,
          host,
          count_if(status = 200) AS status_200,
          count_if(status = 302) AS status_302,
          count_if(status = 404) AS status_404,
          count_if(status = 405) AS status_405,
          count_if(status = 444) AS status_444,
          count_if(status = 499) AS status_499,
          count_if(status = 500) AS status_500,
          count_if(status = 502) AS status_502,
          count_if(status = 503) AS status_503,
          count_if(status = 504) AS status_504,
          COUNT(*) AS countall
        FROM          log
        GROUP BY
          user_id,
          host
      )
  )
WHERE
  countall > 120
ORDER BY
  Rate_200 DESC
LIMIT
  5

status:302 or 200 and final_plugin:'cc'

指标释义:表示请求触发了WAF的JavaScript人机校验策略。

* |
SELECT
  user_id,
  host AS "域名",
  Rate_200 AS "200比例",
  Rate_302 AS "302比例",
  Rate_404 AS "404比例",
  Rate_405 AS "405比例",
  Rate_444 AS "444比例",
  Rate_499 AS "499比例",
  Rate_500 AS "500比例",
  Rate_502 AS "502比例",
  Rate_503 AS "503比例",
  Rate_504 AS "504比例",
  countall / 60 AS "aveQPS",
  status_200,
  status_302,
  status_404,
  status_405,
  status_444,
  status_499,
  status_500,
  status_502,
  status_503,
  status_504,
  countall
FROM  (
    SELECT
      user_id,
      host,
      round(
        round(status_200 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_200,
      round(
        round(status_302 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_302,
      round(
        round (status_404 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_404,
      round(
        round (status_405 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_405,
      round(
        round (status_444 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_444,
      round(
        round (status_499 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_499,
      round(
        round(status_500 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_500,
      round(
        round(status_502 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_502,
      round(
        round(status_503 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_503,
      round(
        round(status_504 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_504,
      status_200,
      status_302,
      status_404,
      status_405,
      status_444,
      status_499,
      status_500,
      status_502,
      status_503,
      status_504,
      countall
    FROM      (
        SELECT
          user_id,
          host,
          count_if(
            status = 200
            AND final_plugin = 'cc'
          ) AS status_200,
          count_if(
            status = 302
            AND final_plugin = 'cc'
          ) AS status_302,
          count_if(status = 404) AS status_404,
          count_if(status = 405) AS status_405,
          count_if(status = 444) AS status_444,
          count_if(status = 499) AS status_499,
          count_if(status = 500) AS status_500,
          count_if(status = 502) AS status_502,
          count_if(status = 503) as status_503,
          count_if(status = 504) AS status_504,
          COUNT(*) AS countall
        FROM          log
        GROUP BY
          user_id,
          host
      )
  )
WHERE
  countall > 120
ORDER BY
  Rate_200 DESC
LIMIT
  5

status:200 and final_plugin:'antifraud'

指标释义:表示请求被WAF的数据风控规则拦截。

* |
SELECT
  user_id,
  host AS "域名",
  Rate_200 AS "200比例",
  Rate_302 AS "302比例",
  Rate_404 AS "404比例",
  Rate_405 AS "405比例",
  Rate_444 AS "444比例",
  Rate_499 AS "499比例",
  Rate_500 AS "500比例",
  Rate_502 AS "502比例",
  Rate_503 AS "503比例",
  Rate_504 AS "504比例",
  countall / 60 AS "aveQPS",
  status_200,
  status_302,
  status_404,
  status_405,
  status_444,
  status_499,
  status_500,
  status_502,
  status_503,
  status_504,
  countall
FROM  (
    SELECT
      user_id,
      host,
      round(
        round(status_200 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_200,
      round(
        round(status_302 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_302,
      round(
        round (status_404 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_404,
      round(
        round (status_405 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_405,
      round(
        round (status_444 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_444,
      round(
        round (status_499 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_499,
      round(
        round(status_500 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_500,
      round(
        round(status_502 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_502,
      round(
        round(status_503 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_503,
      round(
        round(status_504 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_504,
      status_200,
      status_302,
      status_404,
      status_405,
      status_444,
      status_499,
      status_500,
      status_502,
      status_503,
      status_504,
      countall
    FROM      (
        SELECT
          user_id,
          host,
          count_if(
            status = 200
            AND final_plugin = 'antifraud'
          ) AS status_200,
          count_if(status = 302) AS status_302,
          count_if(status = 404) AS status_404,
          count_if(status = 405) AS status_405,
          count_if(status = 444) AS status_444,
          count_if(status = 499) AS status_499,
          count_if(status = 500) AS status_500,
          count_if(status = 502) AS status_502,
          count_if(status = 503) AS status_503,
          count_if(status = 504) AS status_504,
          COUNT(*) AS countall
        FROM          log
        GROUP BY
          user_id,
          host
      )
  )
WHERE
  countall > 120
ORDER BY
  Rate_200 DESC
LIMIT
  5

status:404

指标释义:表示服务器找不到被请求的资源。

* |
SELECT
  user_id,
  host AS "域名",
  Rate_200 AS "200比例",
  Rate_302 AS "302比例",
  Rate_404 AS "404比例",
  Rate_405 AS "405比例",
  Rate_500 AS "500比例",
  Rate_502 AS "502比例",
  Rate_503 AS "503比例",
  Rate_504 AS "504比例",
  countall / 60 AS "aveQPS",
  status_200,
  status_302,
  status_404,
  status_405,
  status_500,
  status_502,
  status_503,
  status_504,
  countall
FROM  (
    SELECT
      user_id,
      host,
      round(
        round(status_200 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_200,
      round(
        round(status_302 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_302,
      round(
        round (status_404 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_404,
      round(
        round (status_405 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_405,
      round(
        round(status_500 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_500,
      round(
        round(status_502 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_502,
      round(
        round(status_503 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_503,
      round(
        round(status_504 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_504,
      status_200,
      status_302,
      status_404,
      status_405,
      status_500,
      status_502,
      status_503,
      status_504,
      countall
    FROM      (
        SELECT
          user_id,
          host,
          count_if(status = 200) AS status_200,
          count_if(status = 302) AS status_302,
          count_if(status = 404) AS status_404,
          count_if(status = 405) AS status_405,
          count_if(status = 499) AS status_499,
          count_if(status = 500) AS status_500,
          count_if(status = 502) AS status_502,
          count_if(status = 503) AS status_503,
          count_if(status = 504) AS status_504,
          COUNT(*) AS countall
        FROM          log
        GROUP BY
          user_id,
          host
      )
  )
WHERE
  countall > 120
ORDER BY
  Rate_404 DESC
LIMIT
  5

status:405 and waf_action:'block'

指标释义:表示请求被WAF的规则防护引擎拦截。

* |
SELECT
  user_id,
  host AS "域名",
  Rate_200 AS "200比例",
  Rate_302 AS "302比例",
  Rate_404 AS "404比例",
  Rate_405 AS "405比例",
  Rate_444 AS "444比例",
  Rate_499 AS "499比例",
  Rate_500 AS "500比例",
  Rate_502 AS "502比例",
  Rate_503 AS "503比例",
  Rate_504 AS "504比例",
  countall / 60 AS "aveQPS",
  status_200,
  status_302,
  status_404,
  status_405,
  status_444,
  status_499,
  status_500,
  status_502,
  status_503,
  status_504,
  countall
FROM(
    SELECT
      user_id,
      host,
      round(
        round(status_200 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_200,
      round(
        round(status_302 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_302,
      round(
        round (status_404 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_404,
      round(
        round (status_405 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_405,
      round(
        round (status_444 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_444,
      round(
        round (status_499 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_499,
      round(
        round(status_500 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_500,
      round(
        round(status_502 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_502,
      round(
        round(status_503 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_503,
      round(
        round(status_504 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_504,
      status_200,
      status_302,
      status_404,
      status_405,
      status_444,
      status_499,
      status_500,
      status_502,
      status_503,
      status_504,
      countall
    FROM      (
        SELECT
          user_id,
          host,
          count_if(status = 200) AS status_200,
          count_if(status = 302) AS status_302,
          count_if(status = 404) AS status_404,
          count_if(
            status = 405
            and waf_action = 'block'
          ) AS status_405,
          count_if(status = 444) AS status_444,
          count_if(status = 499) AS status_499,
          count_if(status = 500) AS status_500,
          count_if(status = 502) AS status_502,
          count_if(status = 503) AS status_503,
          count_if(status = 504) AS status_504,
          COUNT(*) AS countall
        FROM          log
        GROUP BY
          user_id,
          host
      )
  )
WHERE
  countall > 120
ORDER BY
  Rate_405 DESC
LIMIT
  5

status:405 and final_plugin:'acl'

指标释义:表示请求被WAF的黑名单及自定义防护策略(ACL访问控制)规则拦截。

* |
SELECT
  user_id,
  host AS "域名",
  Rate_200 AS "200比例",
  Rate_302 AS "302比例",
  Rate_404 AS "404比例",
  Rate_405 AS "405比例",
  Rate_444 AS "444比例",
  Rate_499 AS "499比例",
  Rate_500 AS "500比例",
  Rate_502 AS "502比例",
  Rate_503 AS "503比例",
  Rate_504 AS "504比例",
  countall / 60 AS "aveQPS",
  status_200,
  status_302,
  status_404,
  status_405,
  status_444,
  status_499,
  status_500,
  status_502,
  status_503,
  status_504,
  countall
FROM(
    SELECT
      user_id,
      host,
      round(
        round(status_200 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_200,
      round(
        round(status_302 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_302,
      round(
        round (status_404 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_404,
      round(
        round (status_405 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_405,
      round(
        round (status_444 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_444,
      round(
        round (status_499 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_499,
      round(
        round(status_500 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_500,
      round(
        round(status_502 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_502,
      round(
        round(status_503 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_503,
      round(
        round(status_504 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_504,
      status_200,
      status_302,
      status_404,
      status_405,
      status_444,
      status_499,
      status_500,
      status_502,
      status_503,
      status_504,
      countall
    FROM      (
        SELECT
          user_id,
          host,
          count_if(status = 200) AS status_200,
          count_if(status = 302) AS status_302,
          count_if(status = 404) AS status_404,
          count_if(
            status = 405
            and final_plugin = 'acl'
          ) AS status_405,
          count_if(status = 444) AS status_444,
          count_if(status = 499) AS status_499,
          count_if(status = 500) AS status_500,
          count_if(status = 502) AS status_502,
          count_if(status = 503) AS status_503,
          count_if(status = 504) AS status_504,
          COUNT(*) AS countall
        FROM          log
        GROUP BY
          user_id,
          host
      )
  )
WHERE
  countall > 120
ORDER BY
  Rate_405 DESC
LIMIT
  5

status:444

指标释义:表示请求被WAF的CC安全防护规则拦截。

* |
select
  user_id,
  host AS "域名",
  Rate_200 AS "200比例",
  Rate_302 AS "302比例",
  Rate_404 AS "404比例",
  Rate_405 AS "405比例",
  Rate_444 AS "444比例",
  Rate_499 AS "499比例",
  Rate_500 AS "500比例",
  Rate_502 AS "502比例",
  Rate_503 AS "503比例",
  Rate_504 AS "504比例",
  countall / 60 AS "aveQPS",
  status_200,
  status_302,
  status_404,
  status_405,
  status_444,
  status_499,
  status_500,
  status_502,
  status_503,
  status_504,
  countall
FROM(
    SELECT
      user_id,
      host,
      round(
        round(status_200 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_200,
      round(
        round(status_302 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_302,
      round(
        round (status_404 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_404,
      round(
        round (status_405 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_405,
      round(
        round (status_444 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_444,
      round(
        round (status_499 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_499,
      round(
        round(status_500 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_500,
      round(
        round(status_502 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_502,
      round(
        round(status_503 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_503,
      round(
        round(status_504 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_504,
      status_200,
      status_302,
      status_404,
      status_405,
      status_444,
      status_499,
      status_500,
      status_502,
      status_503,
      status_504,
      countall
    FROM      (
        SELECT
          user_id,
          host,
          count_if(status = 200) AS status_200,
          count_if(status = 302) AS status_302,
          count_if(status = 404) AS status_404,
          count_if(status = 405) AS status_405,
          count_if(status = 444) AS status_444,
          count_if(status = 499) AS status_499,
          count_if(status = 500) AS status_500,
          count_if(status = 502) AS status_502,
          count_if(status = 503) AS status_503,
          count_if(status = 504) AS status_504,
          COUNT(*) AS countall
        FROM          log
        GROUP BY
          user_id,
          host
      )
  )
WHERE
  countall > 120
ORDER BY
  Rate_444 DESC
LIMIT
  5

status:499

指标释义:表示服务器超时未返回客户端请求的数据,客户端主动断链。服务器返回给客户端499状态码。

* |
SELECT
  user_id,
  host AS "域名",
  Rate_200 AS "200比例",
  Rate_302 AS "302比例",
  Rate_404 AS "404比例",
  Rate_405 AS "405比例",
  Rate_444 AS "444比例",
  Rate_499 AS "499比例",
  Rate_500 AS "500比例",
  Rate_502 AS "502比例",
  Rate_503 AS "503比例",
  Rate_504 AS "504比例",
  countall / 60 AS "aveQPS",
  status_200,
  status_302,
  status_404,
  status_405,
  status_444,
  status_499,
  status_500,
  status_502,
  status_503,
  status_504,
  countall
FROM(
    SELECT
      user_id,
      host,
      round(
        round(status_200 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_200,
      round(
        round(status_302 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_302,
      round(
        round (status_404 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_404,
      round(
        round (status_405 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_405,
      round(
        round (status_444 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_444,
      round(
        round (status_499 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_499,
      round(
        round(status_500 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_500,
      round(
        round(status_502 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_502,
      round(
        round(status_503 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_503,
      round(
        round(status_504 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_504,
      status_200,
      status_302,
      status_404,
      status_405,
      status_444,
      status_499,
      status_500,
      status_502,
      status_503,
      status_504,
      countall
    FROM      (
        SELECT
          user_id,
          host,
          count_if(status = 200) AS status_200,
          count_if(status = 302) AS status_302,
          count_if(status = 404) AS status_404,
          count_if(status = 405) AS status_405,
          count_if(status = 444) AS status_444,
          count_if(status = 499) AS status_499,
          count_if(status = 500) AS status_500,
          count_if(status = 502) AS status_502,
          count_if(status = 503) AS status_503,
          count_if(status = 504) AS status_504,
          COUNT(*) AS countall
        FROM          log
        GROUP BY
          user_id,
          host
      )
  )
WHERE
  countall > 120
ORDER BY
  Rate_499 DESC
LIMIT
  5

status:500

指标释义:服务器内部错误(Internal Server Error),表示服务器无法完成请求。

* |
SELECT
  user_id,
  host AS "域名",
  Rate_200 AS "200比例",
  Rate_302 AS "302比例",
  Rate_404 AS "404比例",
  Rate_405 AS "405比例",
  Rate_444 AS "444比例",
  Rate_499 AS "499比例",
  Rate_500 AS "500比例",
  Rate_502 AS "502比例",
  Rate_503 AS "503比例",
  Rate_504 AS "504比例",
  countall / 60 AS "aveQPS",
  status_200,
  status_302,
  status_404,
  status_405,
  status_444,
  status_499,
  status_500,
  status_502,
  status_503,
  status_504,
  countall
FROM(
    SELECT
      user_id,
      host,
      round(
        round(status_200 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_200,
      round(
        round(status_302 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_302,
      round(
        round (status_404 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_404,
      round(
        round (status_405 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_405,
      round(
        round (status_444 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_444,
      round(
        round (status_499 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_499,
      round(
        round(status_500 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_500,
      round(
        round(status_502 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_502,
      round(
        round(status_503 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_503,
      round(
        round(status_504 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_504,
      status_200,
      status_302,
      status_404,
      status_405,
      status_444,
      status_499,
      status_500,
      status_502,
      status_503,
      status_504,
      countall
    FROM      (
        SELECT
          user_id,
          host,
          count_if(status = 200) AS status_200,
          count_if(status = 302) AS status_302,
          count_if(status = 404) AS status_404,
          count_if(status = 405) AS status_405,
          count_if(status = 444) AS status_444,
          count_if(status = 499) AS status_499,
          count_if(status = 500) AS status_500,
          count_if(status = 502) AS status_502,
          count_if(status = 503) AS status_503,
          count_if(status = 504) AS status_504,
          COUNT(*) AS countall
        FROM          log
        GROUP BY
          user_id,
          host
      )
  )
WHERE
  countall > 120
ORDER BY
  Rate_500 DESC
LIMIT
  5

status:502

指标释义:错误网关(Bad Gateway),表示服务器作为网关或代理,从上游服务器收到无效响应。一般由于回源网络质量变差、回源链路有访问控制策略拦截回源请求等,导致源站无响应。

* |
SELECT
  user_id,
  host AS "域名",
  Rate_200 AS "200比例",
  Rate_302 AS "302比例",
  Rate_404 AS "404比例",
  Rate_405 AS "405比例",
  Rate_444 AS "444比例",
  Rate_499 AS "499比例",
  Rate_500 AS "500比例",
  Rate_502 AS "502比例",
  Rate_503 AS "503比例",
  Rate_504 AS "504比例",
  countall / 60 AS "aveQPS",
  status_200,
  status_302,
  status_404,
  status_405,
  status_444,
  status_499,
  status_500,
  status_502,
  status_503,
  status_504,
  countall
FROM(
    SELECT
      user_id,
      host,
      round(
        round(status_200 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_200,
      round(
        round(status_302 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_302,
      round(
        round (status_404 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_404,
      round(
        round (status_405 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_405,
      round(
        round (status_444 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_444,
      round(
        round (status_499 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_499,
      round(
        round(status_500 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_500,
      round(
        round(status_502 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_502,
      round(
        round(status_503 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_503,
      round(
        round(status_504 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_504,
      status_200,
      status_302,
      status_404,
      status_405,
      status_444,
      status_499,
      status_500,
      status_502,
      status_503,
      status_504,
      countall
    FROM      (
        SELECT
          user_id,
          host,
          count_if(status = 200) AS status_200,
          count_if(status = 302) AS status_302,
          count_if(status = 404) AS status_404,
          count_if(status = 405) AS status_405,
          count_if(status = 444) AS status_444,
          count_if(status = 499) AS status_499,
          count_if(status = 500) AS status_500,
          count_if(status = 502) AS status_502,
          count_if(status = 503) AS status_503,
          count_if(status = 504) AS status_504,
          COUNT(*) AS countall
        FROM          log
        GROUP BY
          user_id,
          host
      )
  )
WHERE
  countall > 120
ORDER BY
  Rate_502 DESC
LIMIT
  5

status:503

指标释义:服务不可用(Service Unavailable),表示由于超载或停机维护,服务器目前无法使用。

* |
SELECT
  user_id,
  host as "域名",
  Rate_200 as "200比例",
  Rate_302 as "302比例",
  Rate_404 as "404比例",
  Rate_405 as "405比例",
  Rate_444 as "444比例",
  Rate_499 as "499比例",
  Rate_500 as "500比例",
  Rate_502 as "502比例",
  Rate_503 as "503比例",
  Rate_504 as "504比例",
  countall / 60 as "aveQPS",
  status_200,
  status_302,
  status_404,
  status_405,
  status_444,
  status_499,
  status_500,
  status_502,
  status_503,
  status_504,
  countall
FROM(
    SELECT
      user_id,
      host,
      round(
        round(status_200 * 1.0000 / countall, 4) * 100,
        2
      ) as Rate_200,
      round(
        round(status_302 * 1.0000 / countall, 4) * 100,
        2
      ) as Rate_302,
      round(
        round (status_404 * 1.0000 / countall, 4) * 100,
        2
      ) as Rate_404,
      round(
        round (status_405 * 1.0000 / countall, 4) * 100,
        2
      ) as Rate_405,
      round(
        round (status_444 * 1.0000 / countall, 4) * 100,
        2
      ) as Rate_444,
      round(
        round (status_499 * 1.0000 / countall, 4) * 100,
        2
      ) as Rate_499,
      round(
        round(status_500 * 1.0000 / countall, 4) * 100,
        2
      ) as Rate_500,
      round(
        round(status_502 * 1.0000 / countall, 4) * 100,
        2
      ) as Rate_502,
      round(
        round(status_503 * 1.0000 / countall, 4) * 100,
        2
      ) as Rate_503,
      round(
        round(status_504 * 1.0000 / countall, 4) * 100,
        2
      ) as Rate_504,
      status_200,
      status_302,
      status_404,
      status_405,
      status_444,
      status_499,
      status_500,
      status_502,
      status_503,
      status_504,
      countall
    FROM      (
        SELECT
          user_id,
          host,
          count_if(status = 200) as status_200,
          count_if(status = 302) as status_302,
          count_if(status = 404) as status_404,
          count_if(status = 405) as status_405,
          count_if(status = 444) as status_444,
          count_if(status = 499) as status_499,
          count_if(status = 500) as status_500,
          count_if(status = 502) as status_502,
          count_if(status = 503) as status_503,
          count_if(status = 504) as status_504,
          COUNT(*) as countall
        FROM          log
        GROUP BY
          user_id,
          host
      )
  )
WHERE
  countall > 120
ORDER BY
  Rate_503 DESC
LIMIT
  5

status:504

指标释义:网关超时(Gateway Timeout),表示服务器作为网关或代理,没有及时从上游服务器收到请求。

* |
SELECT
  user_id,
  host AS "域名",
  Rate_200 AS "200比例",
  Rate_302 AS "302比例",
  Rate_404 AS "404比例",
  Rate_405 AS "405比例",
  Rate_444 AS "444比例",
  Rate_499 AS "499比例",
  Rate_500 AS "500比例",
  Rate_502 AS "502比例",
  Rate_503 AS "503比例",
  Rate_504 AS "504比例",
  countall / 60 AS "aveQPS",
  status_200,
  status_302,
  status_404,
  status_405,
  status_444,
  status_499,
  status_500,
  status_502,
  status_503,
  status_504,
  countall
FROM(
    SELECT
      user_id,
      host,
      round(
        round(status_200 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_200,
      round(
        round(status_302 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_302,
      round(
        round (status_404 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_404,
      round(
        round (status_405 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_405,
      round(
        round (status_444 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_444,
      round(
        round (status_499 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_499,
      round(
        round(status_500 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_500,
      round(
        round(status_502 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_502,
      round(
        round(status_503 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_503,
      round(
        round(status_504 * 1.0000 / countall, 4) * 100,
        2
      ) AS Rate_504,
      status_200,
      status_302,
      status_404,
      status_405,
      status_444,
      status_499,
      status_500,
      status_502,
      status_503,
      status_504,
      countall
    FROM      (
        SELECT
          user_id,
          host,
          count_if(status = 200) AS status_200,
          count_if(status = 302) AS status_302,
          count_if(status = 404) AS status_404,
          count_if(status = 405) AS status_405,
          count_if(status = 444) AS status_444,
          count_if(status = 499) AS status_499,
          count_if(status = 500) AS status_500,
          count_if(status = 502) AS status_502,
          count_if(status = 503) AS status_503,
          count_if(status = 504) AS status_504,
          COUNT(*) AS countall
        FROM          log
        GROUP BY
          user_id,
          host
      )
  )
WHERE
  countall > 120
ORDER BY
  Rate_504 DESC
LIMIT
  5