Searching for requests
Last updated 2024-12-03
You can use the web interface to view a list of individual requests that have been tagged with signals and that fit into the all or sampled data storage category. This guide describes the different search functionality and search syntax you can use to narrow this list.
Filtering
You can use filters to find requests that meet specific criteria. Selected values auto-populate in the search bar where you can further modify the query.
Filter options on the Requests page include:
- Time: filters the requests list based on when the requests were sent. For example, when `2 hours` is selected, only requests that were made in the last two hours appear on the page.
- Attack signals: filters the requests list based on the attack signals that requests are tagged with. For example, when `Attack Tooling` is selected, only requests tagged with the `Attack Tooling` signal appear on the page.
- Anomaly signals: filters the requests list based on the anomaly signals that requests are tagged with. For example, when `Address Changed` is selected, only requests tagged with the `Address Changed` signal appear on the page.
- Response codes: filters the requests list based on the response codes associated with requests. For example, when `404` is selected, only requests with a `404` response code appear on the page.
Search bar
You can enter free-text and explicit queries into the search bar to find requests that meet specific criteria. Explicit queries follow the `<key><operator><value>` syntax, where:
- the key is the field to search upon.
- the operator defines the relationship of the key to the value.
- the value is the specific value used to filter the requests list.
Example free-text and explicit queries are as follows:
Free-text query | Explicit query | Description |
---|---|---|
/a/path/here sqli -7h | path:/a/path/here sqli from:-7h | Show all SQLI in last 7 hours with this particular path |
RU | country:ru | All recent requests from Russia |
cn 500 | country:cn httpcode:500 | All recent requests from China that had a 500 error |
404 233.252.0.23 | httpcode:404 ip:233.252.0.23 | Recent requests from an IP that had a 404 error |
Keys
The keys that you can search on are as follows:
Name | Type | Description |
---|---|---|
agent | string | For Core WAF deployments, the agent is the server hostname (or alias) for the agent (`agent:~hostname`, `agent:~appname`, `agent:hostname.appname`, or `agent:hostname-appname`). For Edge WAF deployments, the agent is the domain or server hostname the request is trying to access (e.g., `agent:www.example.com`). |
agentcode | integer | The agent's internal response code |
bytesout | integer | HTTP response size in bytes |
country | string | Request estimated country of origin (e.g., US, RU) |
from | time | Filter output with requests since a particular date |
httpcode | integer | The response's http response code |
ip | string | Single IPv4 (`ip:198.51.100.128`), single IPv6 (`ip:2001:0db8:1681:f16f:d4dc:a399:c00d:0225`), IPv4 CIDR (`ip:198.51.100.0/24`), IPv6 CIDR (`ip:2001:0db8:1681:f16f::/64`), IPv4 range (`ip:198.51.100.0..198.51.100.255`), or IPv6 range (`ip:2001:0db8:1681:f16f::` through `2001:0db8:1681:f16f:ffff:ffff:ffff:ffff`) |
ja3 | string | JA3 fingerprint |
method | string | HTTP Method (e.g., GET, POST) |
path | string | Request URL path, does not include query parameters |
payload | string | The data that triggered a signal (i.e., the attack value) |
protocol | string | HTTP Request Protocol, typically HTTP/1.1 or HTTP/1.0 |
ratelimited | string | Requests that have been tagged with a specific threshold signal and have been rate limited. The search syntax is `ratelimited:site.<threshold-signal>`. Replace `<threshold-signal>` with the name of the threshold signal that you want to search for. |
responsemillis | integer | HTTP response time in milliseconds |
remotehost | string | Remote hostname (`remotehost:www.example.com`) or subdomain match (`remotehost:~example.com`) |
server | string | Requested server name in the http request (e.g., example.com if http://example.com/name ) |
tag | string | A particular signal on a request (e.g., SQLI, XSS) |
target | string | Server + Path |
sort | string | Sort with time-asc (oldest first) or time-desc (most recent first) |
until | time | Filter output with requests before a particular date |
useragent | string | The request's user agent (browser) |
Operators
When using operators, keep in mind the following:
- All values below can be quoted to allow for spaces.
- Adding `-` (minus) before any key negates the operation.
- Different key names function as an AND operator (`from:-1h path:/foo`).
- Multiple keys with the same name function as an OR operator (`path:/foo path:/bar` should return paths matching either `/foo` or `/bar`).
Supported operators include:
Operator | Meaning |
---|---|
key:value | equals |
key:=value | equals, alternate syntax |
-key:value | not equals, general negation of all operators |
key:!=value | not equals, alternate syntax |
key:>value | greater-than, integers only |
key:>=value | equals or greater-than, integers only |
key:<value | less-than, integers only |
key:<=value | equals or less-than, integers only |
key:value1..value2 | in range between value1 and value2, integers only. For time see from and until |
key:~value | search on the field with the terms provided |
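The following evaluator is an added example, not Fastly's code or the product's implementation: it applies the key/operator/value syntax, the `-` and `!=` negations, the comparison and range operators, and the AND-across-keys / OR-within-a-key rules above to constructed sample records. It assumes that every negated term must miss (so `-path:/foo -path:/bar` excludes both), and it skips `from`, `until`, `sort` and free text, which are handled by the interface rather than by this evaluator.

```python
import re
import shlex
# Constructed sample records (not real traffic), keyed by the page's search field names.
REQUESTS = [
    {"path": "/login", "country": "ru", "httpcode": 200, "useragent": "Mozilla/5.0 Chrome/120", "tag": ["SQLI"]},
    {"path": "/foo", "country": "cn", "httpcode": 500, "useragent": "sqlmap/1.7", "tag": ["XSS"]},
    {"path": "/bar", "country": "us", "httpcode": 404, "useragent": "Mozilla/5.0 Firefox/121", "tag": []},
    {"path": "/bar/admin", "country": "us", "httpcode": 403, "useragent": "", "tag": ["NOUA"]},
]
# Optional leading '-', key, optional operator (empty alternative = plain ':'), then the value.
TERM = re.compile(r"^(-?)([a-z]+):(=|!=|>=|<=|>|<|~|)(.*)$")

def parse(query):
    """Yield (negated, key, op, value) per explicit term; quoted values keep their spaces."""
    for tok in shlex.split(query):
        m = TERM.match(tok)
        if not m or m.group(2) in ("from", "until", "sort"):
            continue  # free text, the time window and ordering are not evaluated here
        neg, key, op, val = m.groups()
        if op == "!=":  # the alternate not-equals syntax folds into the leading '-'
            neg, op = ("" if neg else "-"), ""
        if op == "" and ".." in val:
            op = ".."
        yield neg == "-", key, op, val

def match_term(req, key, op, val):
    field = req.get(key)
    if key == "tag":  # a request carries a list of signals; match any of them
        return any(val.lower() == t.lower() for t in field)
    if op == "~":
        return val.lower() in str(field).lower()
    if op in ("", "="):
        return str(field).lower() == val.lower()
    try:  # comparison and range operators are integers only
        if op == "..":
            lo, hi = (int(x) for x in val.split("..", 1))
            return lo <= field <= hi
        n = int(val)
        return {">": field > n, ">=": field >= n, "<": field < n, "<=": field <= n}[op]
    except (ValueError, TypeError):
        return False

def search(requests, query):
    """Different keys AND together; same-name keys OR; every negated term must miss (assumption)."""
    positive, negative = {}, []
    for neg, key, op, val in parse(query):
        (negative if neg else positive.setdefault(key, [])).append((key, op, val))
    return [r["path"] for r in requests
            if all(any(match_term(r, *t) for t in alts) for alts in positive.values())
            and not any(match_term(r, *t) for t in negative)]
```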
Time
Time ranges can be specified in a number of ways using the `from` and `until` keys.
Queries on the Requests page are limited to a maximum time range of 7 days. Queries greater than a 7 day period will not yield any results. For example, if you wanted to find results from 2 weeks ago, your query would need to use `from:-21d until:-14d`, which would be a 7 day window. A query of just `from:-21d` would not yield any results as that would be a 21 day window.
Relative time
Suffix | Meaning |
---|---|
-5s | 5 seconds ago (from now) |
-5min | 5 minutes ago |
-5h | 5 hours ago |
-5d | 5 days ago |
-5w | 5 weeks ago |
-5mon | 5 months ago |
-5y | 5 years ago |
Example:
- `from:-5h` (until now)
- `from:-5h until:-4h` (one hour range)
Absolute time
Absolute time is also allowed using:
- Unix UTC Seconds Since Epoch
- Java/JavaScript UTC Milliseconds since Epoch
- ISO Date format YYYYMMDD
Example Absolute Time: Unix UTC Seconds
- `from:141384000` (until now)
- `from:141384000 until:1413844691`
Example Absolute Time: Java/JavaScript Milliseconds UTC
- `from:141384000000` (until now)
- `from:141384000000 until:1413844691000`
Example Absolute Date: YYYYMMDD
- `from:20141031` (until now)
- `from:20141031 until:20141225`
You can also mix and match time formats: `from:20141031 until:-1h`
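As an added example (not Fastly's code), the resolver below turns the relative suffixes, the three absolute formats and the mixed form described above into a concrete UTC window and applies the 7-day limit from the Time section. It assumes a fixed reference clock (`NOW`), 30-day months and 365-day years for `mon` and `y`, that an 8-digit number is a YYYYMMDD date, that values of 10^11 or more are milliseconds, and that `from:` must be present because the page does not state the default window.

```python
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 12, 3, 12, 0, tzinfo=timezone.utc)  # assumed clock, keeps results deterministic
MAX_WINDOW = timedelta(days=7)                           # limit stated in the Time section

RELATIVE = re.compile(r"^-(\d+)(s|min|h|d|w|mon|y)$")
UNIT_SECONDS = {"s": 1, "min": 60, "h": 3600, "d": 86400, "w": 7 * 86400,
                "mon": 30 * 86400, "y": 365 * 86400}     # month/year lengths are an assumption

def parse_time(value, now=NOW):
    """Resolve one from:/until: value to an aware UTC datetime; raise ValueError if unrecognised."""
    m = RELATIVE.match(value)
    if m:  # relative suffix, e.g. -5h
        return now - timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])
    if re.fullmatch(r"\d{8}", value):  # ISO date YYYYMMDD (assumed to take precedence)
        return datetime.strptime(value, "%Y%m%d").replace(tzinfo=timezone.utc)
    if re.fullmatch(r"\d+", value):  # epoch seconds, or milliseconds above the assumed threshold
        n = int(value)
        return datetime.fromtimestamp(n / 1000 if n >= 10**11 else n, tz=timezone.utc)
    raise ValueError(f"unrecognised time value: {value!r}")

def time_window(query, now=NOW):
    """Return (start, end) for a query, or None when the window is inverted or longer than 7 days."""
    terms = dict(re.findall(r"\b(from|until):(\S+)", query))
    if "from" not in terms:  # the page does not state the default window, so require from:
        raise ValueError("from: is required in this example")
    start = parse_time(terms["from"], now)
    end = parse_time(terms["until"], now) if "until" in terms else now
    if start >= end or end - start > MAX_WINDOW:
        return None
    return start, end
```

Exactly 7 days (`from:-21d until:-14d`) is accepted, matching the page's example, while `from:-21d` alone is rejected.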
Query builder
IMPORTANT
The Query builder is only available in the Fastly control panel, not the Next-Gen WAF control panel.
The Query builder lets you filter for requests with a specific combination of tags (e.g. NOUA) and HTTP status codes (e.g. 404, 500).
To filter results using the Query builder:
1. Use the Time menu to specify a time range for when requests were sent.
2. Click Query builder.
3. From the Tag and HTTP Code tabs, select the combinations of tags and codes you want to filter on. Your selections are populated in the search bar. Click Select All on either tab to select all tags or all HTTP codes. Click Clear selection on a given tab to clear selections on that tab, or Clear all to clear all Query builder filters.
4. Exit the Query builder.
5. Click Search.