Searching for requests

You can use the web interface to view a list of individual requests that have been tagged with signals and that fit into the all or sampled data storage category. This guide describes the different search functionality and search syntax you can use to narrow this list.

Filtering

You can use filters to find requests that meet specific criteria. Selected values auto-populate in the search bar where you can further modify the query.

  1. Next-Gen WAF control panel
  2. Fastly control panel

Filter options on the Requests page include:

  • Time: filters the requests list based on when the requests were sent. For example, when 2 hours is selected, only requests that were made in the last two hours appear on the page.
  • Attack signals: filters the requests list based on the attack signals that requests are tagged with. For example, when Attack Tooling is selected, only requests tagged with the Attack Tooling signal appear on the page.
  • Anomaly signals: filters the requests list based on the anomaly signals that requests are tagged with. For example, when Address Changed is selected, only requests tagged with the Address Changed signal appear on the page.
  • Response codes: filters the requests list based on the response codes associated with requests. For example, when 404 is selected, only requests with a 404 response code appear on the page.

You can enter free-text and explicit queries into the search bar to find requests that meet specific criteria. Explicit queries follow the <key><operator><value> syntax, where:

  • the key is the field to search upon.
  • the operator defines the relationship of the key to the value.
  • the value is the specific value used to filter the requests list.

Example free-text and explicit queries are as follows:

Free-text queryExplicit queryDescription
/a/path/here sqli -7hpath:/a/path/here sqli from:-7hShow all SQLI in last 7 hours with this particular path
RUcountry:ruAll recent requests from Russia
cn 500country:cn httpcode:500All recent requests from China that had a 500 error
404 233.252.0.23httpcode:404 ip:233.252.0.23Recent requests from an IP that had a 404 error

Keys

The keys that you can search on are as follows:

NameTypeDescription
agentstringFor Core WAF deployments, the agent is the server hostname (or alias) for the agent (agent:~hostname, agent:~appname, agent:hostname.appname, or agent:hostname-appname). For Edge WAF deployments, the agent is the domain or server hostname the request is trying to access (e.g., agent:www.example.com).
agentcodeintegerThe agents internal response code
bytesoutintegerHTTP response size in bytes
countrystringRequest estimated country of origin (e.g., US, RU)
fromtimeFilter output with requests since a particular date
httpcodeintegerThe response's http response code
ipstringSingle IPv4 (ip:198.51.100.128)
Single IPv6 (ip:2001:0db8:1681:f16f:d4dc:a399:c00d:0225)
IPv4 CIDR (ip:198.51.100.0/24)
IPv6 CIDR (ip:2001:0db8:1681:f16f::/64)
IPv4 range (ip:198.51.100.0..198.51.100.255)
IPv6 range (ip:2001:0db8:1681:f16f:: through 2001:0db8:1681:f16f:ffff:ffff:ffff:ffff)
ja3stringJA3 fingerprint
methodstringHTTP Method (e.g., GET, POST)
pathstringRequest URL path, does not include query parameters
payloadstringThe data that triggered a signal (i.e., the attack value)
protocolstringHTTP Request Protocol, typically HTTP/1.1 or HTTP/1.0
ratelimitedstringRequests that have been tagged with a specific threshold signal and have been rate limited. The search syntax is ratelimited: site.<threshold-signal>. You will need to replace <threshold-signal> with the name of the threshold signal that you want to search for.
responsemillisintegerHTTP response time in milliseconds
remotehoststringRemote hostname (remotehost:www.example.com) or subdomain match (remotehost:~example.com)
serverstringRequested server name in the http request (e.g., example.com if http://example.com/name)
tagstringA particular signal on a request (e.g., SQLI, XSS)
targetstringServer + Path
sortstringSort with time-asc (oldest first) or time-desc (most recent first)
untiltimeFilter output with request before a particular date
useragentstringThe request's user agent (browser)

Operators

When using operators, keep in mind the following:

  • All values below can be quoted to allow for spaces.
  • Adding - (minus) before any key negates the operation.
  • Different key names function as an AND operator (from:-1h path:/foo).
  • Multiple keys with the same name function as an OR operator (path:/foo path:/bar should return paths matching either /foo or /bar).

Supported operators include:

OperatorMeaning
key:valueequals
key:=valueequals, alternate syntax
-key:valuenot equals, general negation of all operators
key:!=valuenot equals, alternate syntax
key:>valuegreater-than, integers only
key:>=valueequals or greater-than, integers only
key:<valueless-than, integers only
key:<=valueequals or less-than, integers only
key:value1..value2in range between value1 and value2, integers only. For time see from and until
key:~valuesearch on the field with the terms provided

Time

Time ranges can be specified in a number of ways using the from and until keys.

Queries on the Requests page are limited to a maximum time range of 7 days. Queries greater than a 7 day period will not yield any results. For example, if you wanted to find results from 2 weeks ago, your query would need to use from:-21d until:-14d, which would be a 7 day window. A query of just from:-21d would not yield any results as that would be a 21 day window.

Relative time

SuffixMeaning
-5s5 seconds ago (from now)
-5min5 minutes ago
-5h5 hours ago
-5d5 days ago
-5w5 weeks ago
-5mon5 months ago
-5y5 year ago

Example:

  • from:-5h (until now)
  • from:-5h until:-4h (one hour range)

Absolute time

Absolute time is also allowed using

  • Unix UTC Seconds Since Epoch
  • Java/JavaScript UTC Milliseconds since Epoch
  • ISO Date format YYYYMMDD

Example Absolute Time: Unix UTC Seconds

  • from:141384000 (until now)
  • from:141384000 until:1413844691

Example Absolute Time: Java/JavaScript Milliseconds UTC

  • from:141384000000 (until now)
  • from:141384000000 until:1413844691000

Example Absolute Date: YYYYMMDD

  • from:20141031 (until now)
  • from:20141031 until:20141225

You can also mix and match time formats:

  • from:20141031 until:-1h

Query builder

IMPORTANT

The Query builder is only available in the Fastly control panel, not the Next-Gen WAF control panel.

The Query builder lets you filter for requests with a specific combination of tags (e.g. NOUA) and HTTP status codes (e.g. 404, 500).

To filter results using the Query builder:

  1. Use the Time menu to specify a time range for when requests were sent.

  2. Click Query builder.

  3. From the Tag and HTTP Code tabs, select the combinations of tags and codes you want to filter on. Your selections are populated in the search bar.

    Click Select All on either tab to select all tags or all HTTP codes. Click Clear selection on a given tab to clear selections on that tab or Clear all to clear all Query builder filters.

  4. Exit the Query builder.

  5. Click Search.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.