summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
author姜鹏辉 <[email protected]>2021-07-09 11:04:18 +0800
committer姜鹏辉 <[email protected]>2021-07-09 11:04:18 +0800
commit446e465c3bf75d7d7c60c8680ffc76143bd091a2 (patch)
treeab4594b49143a416da9035ea73910cc27d81e306
init commit
Diffstat
-rw-r--r--.gitignore2
-rw-r--r--README.md32
-rw-r--r--install.sh14
-rw-r--r--log/ch-2021-07-02-19-34-16.json1
-rw-r--r--log/ch-2021-07-02-19-35-12.json1
-rw-r--r--run.sh7
-rw-r--r--src/auto-ol.json320
-rw-r--r--src/autotest.py145
-rw-r--r--src/config20
-rw-r--r--src/openlookeng_driver.py308
-rw-r--r--src/poc-ch.json320
-rw-r--r--temp.py83
-rw-r--r--whl/clickhouse_driver-0.1.2-cp27-cp27m-manylinux1_x86_64.whlbin0 -> 440629 bytes
-rw-r--r--whl/clickhouse_driver-0.1.2-cp27-cp27mu-manylinux1_x86_64.whlbin0 -> 440664 bytes
-rw-r--r--whl/clickhouse_driver-0.2.1-cp35-cp35m-manylinux1_x86_64.whlbin0 -> 592006 bytes
-rw-r--r--whl/requests_toolbelt-0.9.1-py2.py3-none-any.whlbin0 -> 54314 bytes
16 files changed, 1253 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..327d6a0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.log
+*.tgz
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b05fe76
--- /dev/null
+++ b/README.md
@@ -0,0 +1,32 @@
+
+
+在OpenLookeng上执行POC测试
+<https://docs.mesalab.cn/display/DataVirtualizationEngine-
+
+
+
+
+### 目录结构
+
+```
+- install.sh # 依赖安装脚本
+- run.sh # 测试脚本
+- require
+> log 日志目录
+ - install.log # 安装日志
+ - ch-result.log # ClickHouse运行统计日志
+ - ol-result.log # OpenLookeng运行统计日志
+ - ch-*.json # ClickHouse单次执行详细结果
+ - ol-*.json # OpenLookeng单次执行详细结果
+> src
+ - auto-ol.json # OpenLookeng测试语句
+ - poc-ch.json # ClickHouse测试语句
+ - config # 配置文件
+ - openlookeng_driver.py #openlookeng驱动文件
+ - run.py # python自动化测试脚本
+> whl # 离线安装包目录
+ - clickhouse_driver-0.1.2-cp27-cp27m-manylinux1_x86_64.whl
+ - clickhouse_driver-0.1.2-cp27-cp27mu-manylinux1_x86_64.whl
+ - clickhouse_driver-0.2.1-cp35-cp35m-manylinux1_x86_64.whl
+ - requests_toolbelt-0.9.1-py2.py3-none-any.whl
+``` \ No newline at end of file
diff --git a/install.sh b/install.sh
new file mode 100644
index 0000000..0b6c668
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,14 @@
+pip install ./whl/clickhouse_driver-0.1.2-cp27-cp27mu-manylinux1_x86_64.whl >> ./log/install.log 2>&1
+if [ "$?" == 0 ]
+then
+ echo "install clickhouse_driver success"
+else
+ echo "install clickhouse_driver error"
+fi
+pip install ./whl/requests_toolbelt-0.9.1-py2.py3-none-any.whl >> ./log/install.log 2>&1
+if [ "$?" == 0 ]
+then
+ echo "install requests_toolbelt success"
+else
+ echo "install requests_toolbelt error"
+fi \ No newline at end of file
diff --git a/log/ch-2021-07-02-19-34-16.json b/log/ch-2021-07-02-19-34-16.json
new file mode 100644
index 0000000..d3c3205
--- /dev/null
+++ b/log/ch-2021-07-02-19-34-16.json
@@ -0,0 +1 @@
+{"Q1": {"sql": "SELECT count(1) from connection_record_log WHERE common_recv_time >= toUnixTimestamp('2021-05-30 12:00:00') AND common_recv_time < toUnixTimestamp('2021-06-30 12:00:00')", "used_time": 0.023772716522216797, "data_num": 0, "info": ""}} \ No newline at end of file
diff --git a/log/ch-2021-07-02-19-35-12.json b/log/ch-2021-07-02-19-35-12.json
new file mode 100644
index 0000000..7474548
--- /dev/null
+++ b/log/ch-2021-07-02-19-35-12.json
@@ -0,0 +1 @@
+{"Q1": {"sql": "SELECT count(1) from connection_record_log WHERE common_recv_time >= toUnixTimestamp('2021-05-30 12:00:00') AND common_recv_time < toUnixTimestamp('2021-06-30 12:00:00')", "used_time": 0.02090907096862793, "data_num": 0, "info": ""}, "Q2": {"sql": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp('2021-05-30 12:00:00') AND common_recv_time < toUnixTimestamp('2021-06-30 12:00:00') LIMIT 30", "used_time": 0.13411307334899902, "data_num": 0, "info": ""}} \ No newline at end of file
diff --git a/run.sh b/run.sh
new file mode 100644
index 0000000..7168353
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,7 @@
+for i in {1,2,3}
+do
+python ./src/autotest.py ch
+echo 1 > /proc/sys/vm/drop_caches
+python ./src/autotest.py ol
+echo 1 > /proc/sys/vm/drop_caches
+done \ No newline at end of file
diff --git a/src/auto-ol.json b/src/auto-ol.json
new file mode 100644
index 0000000..88569a4
--- /dev/null
+++ b/src/auto-ol.json
@@ -0,0 +1,320 @@
+{
+ "pre": "use tsg_galaxy_v3",
+ "Q1": "SELECT count(1) from connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2)",
+ "Q2": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) LIMIT 30",
+ "Q3": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q4": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ORDER BY common_recv_time asc LIMIT 30",
+ "Q5": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q6": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q7": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_internal_ip='223.116.37.192' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q8": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q9": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_external_ip='111.10.53.14' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q10": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_port=52607 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q11": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q12": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_c2s_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q13": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_s2c_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q14": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_c2s_byte_num>100 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q15": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_s2c_byte_num<200 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q16": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_schema_type='DNS' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q17": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_establish_latency_ms>200 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q18": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_con_duration_ms>10000 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q19": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q20": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_tcp_client_isn=2857077935 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q21": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_tcp_server_isn=0 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q22": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q23": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND mail_account='[email protected]' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q24": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND mail_subject='test' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q25": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND dns_qname='qbwup.imtt.qq.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q26": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q27": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_con_latency_ms>100 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q28": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q29": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q30": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='111.10.53.14' and common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q31": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND mail_account like 'abc@%' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q32": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q33": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q34": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30",
+ "Q35": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_port not in (80,443) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q36": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q37": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q38": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q39": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q40": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_internal_ip='223.116.37.192' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q41": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q42": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_external_ip='111.10.53.14' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q43": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_port=52607 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q44": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q45": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_c2s_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q46": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_s2c_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q47": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_c2s_byte_num>100 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q48": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_s2c_byte_num<200 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q49": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_schema_type='DNS' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q50": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_establish_latency_ms>200 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q51": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_con_duration_ms>10000 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q52": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q53": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_tcp_client_isn=2857077935 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q54": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_tcp_server_isn=0 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q55": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q56": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND mail_account='[email protected]' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q57": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND mail_subject='test' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q58": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND dns_qname='qbwup.imtt.qq.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q59": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q60": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_con_latency_ms>100 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q61": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q62": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q63": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='111.10.53.14' and common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q64": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND mail_account like 'abc@%' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q65": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q66": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q67": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30",
+ "Q68": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_port not in (80,443) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q69": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q70": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q71": "SELECT * FROM connection_record_log AS connection_record_log WHERE from_unixtime(common_recv_time,'UTC+8') IN ( SELECT from_unixtime(common_recv_time,'UTC+8') FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q72": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q73": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE from_unixtime(common_recv_time,'UTC+8') IN ( SELECT from_unixtime(common_recv_time,'UTC+8') FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q74": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( select common_log_id FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2)) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q75": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q76": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q77": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q78": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q79": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q80": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q81": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q82": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q83": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q84": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q85": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q86": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q87": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q88": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q89": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q90": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q91": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q92": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q93": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q94": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q95": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q96": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q97": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q98": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q99": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q100": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q101": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q102": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q103": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q104": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q105": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q106": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q107": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q108": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q109": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q110": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q111": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q112": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q113": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q114": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q115": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q116": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q117": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q118": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q119": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q120": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q121": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q122": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q123": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q124": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q125": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q126": "SELECT from_unixtime(common_recv_time,'UTC+8') , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q127": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q128": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q129": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q130": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q131": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q132": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q133": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q134": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q135": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q136": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q137": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q138": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q139": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q140": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q141": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q142": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q143": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q144": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q145": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q146": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q147": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q148": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q149": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q150": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q151": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q152": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q153": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q154": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q155": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q156": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q157": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q158": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q159": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q160": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q161": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q162": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q163": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q164": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q165": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q166": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q167": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q168": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q169": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q170": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q171": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q172": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q173": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q174": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q175": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q176": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q177": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q178": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q179": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", count(common_log_id) AS \"logs\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q180": "SELECT from_unixtime(cast(common_recv_time/30 as int) * 30,'UTC+8') AS stat_time, sum(common_c2s_byte_num) AS bytes_sent, sum(common_s2c_byte_num) AS bytes_received, sum(common_c2s_byte_num + common_s2c_byte_num) AS bytes, sum(common_c2s_pkt_num + common_s2c_pkt_num) AS packets, sum(common_sessions) AS sessions FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) GROUP BY from_unixtime(cast(common_recv_time/30 as int) * 30,'UTC+8') ORDER BY stat_time ASC LIMIT 10000",
+ "Q181": "SELECT from_unixtime(cast(common_recv_time/300 as int) * 300,'UTC+8') AS stat_time, common_schema_type AS type, sum(common_sessions) AS sessions, sum(common_c2s_byte_num + common_s2c_byte_num) AS bytes, sum(common_c2s_pkt_num + common_s2c_pkt_num) AS packets FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) GROUP BY from_unixtime(cast(common_recv_time/300 as int) * 300,'UTC+8'), common_schema_type ORDER BY stat_time ASC LIMIT 10000",
+ "Q182": "SELECT round(sum(common_s2c_byte_num) * 8 / 300,2) AS trafficInBits, round(sum(common_c2s_byte_num) * 8 / 300,2) AS trafficOutBits, round(sum(common_s2c_byte_num + common_c2s_byte_num) * 8 / 300,2) AS trafficTotalBits, round(sum(common_s2c_pkt_num) / 300,2) AS trafficInPackets, round(sum(common_c2s_pkt_num) / 300,2) AS trafficOutPackets, round(sum(common_s2c_pkt_num + common_c2s_pkt_num) / 300,2) AS trafficTotalPackets, round(sum(common_sessions) / 300,2) AS sessions FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2)",
+ "Q183": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", approx_distinct(common_internal_ip) AS \"Unique Internal IP\", approx_distinct(common_external_ip) AS \"Unique External IP\", approx_distinct(common_subscriber_id) AS \"Unique Subscriber ID\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q184": "SELECT 'all' AS type, approx_distinct(common_client_ip) AS client_ips, approx_distinct(common_internal_ip) AS internal_ips, approx_distinct(common_server_ip) AS server_ips, approx_distinct(common_external_ip) AS external_ips, approx_distinct(common_subscriber_id) as subscriber_ids FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) UNION ALL SELECT 'tcp' AS type, approx_distinct(common_client_ip) AS client_ips, approx_distinct(common_internal_ip) AS internal_ips, approx_distinct(common_server_ip) AS server_ips, approx_distinct(common_external_ip) AS external_ips, approx_distinct(common_subscriber_id) as subscriber_ids FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_l4_protocol IN ( 'IPv4_TCP', 'IPv6_TCP' ) UNION ALL SELECT 'UDP' AS type, approx_distinct(common_client_ip) AS client_ips, approx_distinct(common_internal_ip) AS internal_ips, approx_distinct(common_server_ip) AS server_ips, approx_distinct(common_external_ip) AS external_ips, approx_distinct(common_subscriber_id) as subscriber_ids FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND common_l4_protocol IN ( 'IPv4_UDP', 'IPv6_UDP' )",
+ "Q185": "SELECT from_unixtime(cast(common_recv_time/300 as int) * 300,'UTC+8') AS stat_time, (CASE WHEN common_stream_dir = 1 THEN 'c2s' WHEN common_stream_dir = 2 THEN 's2c' WHEN common_stream_dir = 3 THEN 'double' ELSE 'None' END) AS type, sum(common_sessions) AS sessions FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) GROUP BY from_unixtime(cast(common_recv_time/300 as int) * 300,'UTC+8'), common_stream_dir ORDER BY stat_time ASC LIMIT 10000",
+ "Q186": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(common_sessions) AS \"Sessions\", sum(if(common_stream_dir <> 3, common_sessions, 0)) AS \"one_side_sessions\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", round(one_side_sessions / sessions, 2) AS one_side_percent FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q187": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(common_c2s_byte_num + common_s2c_byte_num) AS \"Bytes\", sum(common_c2s_tcp_lostlen + common_s2c_tcp_lostlen) AS \"gap_loss_bytes\", round(gap_loss_bytes / bytes, 2) AS gap_loss_percent FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) AND ( common_l4_protocol IN ( 'IPv4_TCP', 'IPv6_TCP' ) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q188": "SELECT \"server_ip\" AS \"server_ip\" , SUM(coalesce(\"Bytes\",0)) AS \"Bytes\" , SUM(coalesce(\"bytes_sent\",0)) AS \"Sent\" , SUM(coalesce(\"bytes_received\",0)) AS \"Received\" , SUM(coalesce(\"Sessions\",0)) AS \"Sessions\" FROM ( SELECT SUM(coalesce(common_c2s_byte_num,0)) AS \"bytes_sent\" , SUM(coalesce(common_s2c_byte_num,0)) AS \"bytes_received\" , SUM(common_c2s_byte_num+common_s2c_byte_num) AS \"Bytes\" , SUM(coalesce(common_sessions,0)) AS \"Sessions\" , common_server_ip AS \"server_ip\" FROM connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) AND ( length(common_server_ip)!= 0 ) GROUP BY common_server_ip ORDER BY \"Bytes\" desc ) GROUP BY \"server_ip\" ORDER BY \"Bytes\" desc LIMIT 30",
+ "Q189": "SELECT common_client_ip , COUNT(*) AS sessions FROM connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) GROUP BY common_client_ip ORDER BY sessions desc LIMIT 30",
+ "Q190": "SELECT \"Server Port\" AS \"Server Port\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_server_port AS \"Server Port\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) AND ( common_l4_protocol IN ( 'IPv4_TCP', 'IPv6_TCP' ) ) GROUP BY common_server_port LIMIT 1048576) GROUP BY \"Server Port\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q191": "SELECT \"domain\" AS \"Website Domain\" , SUM(coalesce(\"Bytes\",0)) AS \"Throughput\" FROM ( SELECT SUM(coalesce(common_c2s_byte_num,0)) AS \"bytes_sent\" , SUM(coalesce(common_s2c_byte_num,0)) AS \"bytes_received\" , SUM(coalesce(common_c2s_byte_num+common_s2c_byte_num,0)) AS \"Bytes\" , http_domain AS \"domain\" FROM connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain ORDER BY \"Bytes\" desc ) GROUP BY \"domain\" ORDER BY \"Throughput\" desc LIMIT 30",
+ "Q192": "SELECT \"device_id\" AS \"device_id\", sum(coalesce(\"Bytes\", 0)) AS \"Bytes\", sum(coalesce(\"bytes_sent\", 0)) AS \"Sent\", sum(coalesce(\"bytes_received\", 0)) AS \"Received\" FROM (SELECT sum(coalesce(common_c2s_byte_num, 0)) AS \"bytes_sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"bytes_received\", sum(common_c2s_byte_num + common_s2c_byte_num) AS Bytes, common_device_id AS \"device_id\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) GROUP BY common_device_id ORDER BY \"Bytes\" DESC LIMIT 1048576) GROUP BY \"device_id\" ORDER BY \"Bytes\" DESC LIMIT 30",
+ "Q193": "SELECT \"Http.Domain\" AS \"Http.Domain\", sum(coalesce(\"Client IP\", 0)) AS \"Client IP\" FROM (SELECT http_domain AS \"Http.Domain\", approx_distinct(common_client_ip) AS \"Client IP\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain ORDER BY \"Client IP\" DESC LIMIT 1048576) GROUP BY \"Http.Domain\" ORDER BY \"Client IP\" DESC LIMIT 30",
+ "Q194": "SELECT \"Domain\" AS \"Domain\", avg(coalesce(\"Avg Establish Latency(ms)\", 0)) AS \"Avg Establish Latency(ms)\" FROM (SELECT http_domain AS \"Domain\", avg(coalesce(common_establish_latency_ms, 0)) AS \"Avg Establish Latency(ms)\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Avg Establish Latency(ms)\" DESC LIMIT 100",
+ "Q195": "SELECT \"source\" AS \"source\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT coalesce(nullif(common_subscriber_id, ''), nullif(common_client_ip, '')) AS \"source\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) GROUP BY coalesce(nullif(common_subscriber_id, ''), nullif(common_client_ip, '')) ORDER BY \"Sessions\" DESC LIMIT 1048576) GROUP BY \"source\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q196": "SELECT \"destination\" AS \"destination\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT coalesce(nullif(http_domain, ''), nullif(common_server_ip, '')) AS \"destination\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) GROUP BY coalesce(nullif(http_domain, ''), nullif(common_server_ip, '')) ORDER BY \"Sessions\" DESC LIMIT 1048576) GROUP BY \"destination\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q197": "SELECT \"server_location\" AS \"server_location\", sum(coalesce(\"Bytes\", 0)) AS \"Bytes\", sum(coalesce(\"bytes_sent\", 0)) AS \"Sent\", sum(coalesce(\"bytes_received\", 0)) AS \"Received\" FROM (SELECT arrayElement(splitByString(',', common_server_location), length(splitByString(',', common_server_location))) AS \"server_location\", sum(coalesce(common_c2s_byte_num, 0)) AS \"bytes_sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"bytes_received\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) GROUP BY \"server_location\" ORDER BY \"Bytes\" DESC LIMIT 1048576) GROUP BY \"server_location\" ORDER BY \"Bytes\" DESC LIMIT 30",
+ "Q198": "SELECT \"Http URL\" AS \"Http URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"Http URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) GROUP BY http_url LIMIT 1048576) GROUP BY \"Http URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q199": "SELECT \"server_ip\" AS \"server_ip\", groupUniqArray(coalesce(\"trans_app\", 0)) AS \"trans_app\", sum(coalesce(\"Bytes\", 0)) AS \"Bytes\", sum(coalesce(\"bytes_sent\", 0)) AS \"Sent\", sum(coalesce(\"bytes_received\", 0)) AS \"Received\" FROM (SELECT sum(coalesce(common_c2s_byte_num, 0)) AS \"bytes_sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"bytes_received\", sum(common_c2s_byte_num + common_s2c_byte_num) AS \"Bytes\", groupUniqArray(concat(common_l4_protocol, '/', toString(common_server_port))) AS \"trans_app\", common_server_ip AS \"server_ip\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) AND ( length(common_server_ip)!= 0 ) GROUP BY \"server_ip\" ORDER BY \"Bytes\" DESC LIMIT 1048576) GROUP BY \"server_ip\" ORDER BY \"Bytes\" DESC LIMIT 30",
+ "Q200": "SELECT \"Subscriber ID\" AS \"Subscriber ID\", \"Http.Domain\" AS \"Http.Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Http.Domain\", common_subscriber_id AS \"Subscriber ID\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) AND ( length(http_domain)!= 0 AND length(common_subscriber_id)!= 0 ) GROUP BY http_domain, common_subscriber_id ORDER BY \"Sessions\" DESC LIMIT 1048576) GROUP BY \"Subscriber ID\", \"Http.Domain\" ORDER BY \"Sessions\" DESC LIMIT 10000",
+ "Q201": "SELECT \"Http.Domain\" AS \"Http.Domain\" , \"Server IP\" AS \"Server IP\" , SUM(coalesce(\"Bytes Sent\",0)) AS \"Bytes Sent\" FROM ( SELECT common_server_ip AS \"Server IP\" , http_domain AS \"Http.Domain\" , SUM(coalesce(common_c2s_byte_num+common_s2c_byte_num,0)) AS \"Bytes\" , SUM(coalesce(common_c2s_byte_num,0)) AS \"Bytes Sent\" , SUM(coalesce(common_s2c_byte_num,0)) AS \"Bytes Received\" FROM connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY common_server_ip , http_domain ORDER BY \"Bytes\" desc LIMIT 1048576 ) GROUP BY \"Http.Domain\" , \"Server IP\" ORDER BY \"Bytes Sent\" desc LIMIT 10000",
+ "Q202": "SELECT \"Http.Domain\" AS \"Http.Domain\", \"Client IP\" AS \"Client IP\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_client_ip AS \"Client IP\", http_domain AS \"Http.Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY common_client_ip, http_domain ORDER BY \"Sessions\" DESC LIMIT 1048576) GROUP BY \"Http.Domain\", \"Client IP\" ORDER BY \"Sessions\" DESC LIMIT 10000",
+ "Q203": "SELECT from_unixtime(cast(common_recv_time/300 as int) * 300,'UTC+8') AS _time , http_domain AS Domain, COUNT(DISTINCT(common_client_ip)) AS nums FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 AND http_domain IN ( SELECT http_domain FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 GROUP BY http_domain ORDER BY SUM(common_s2c_byte_num+common_c2s_byte_num) DESC LIMIT 5 ) GROUP BY from_unixtime(cast(common_recv_time/300 as int) * 300,'UTC+8') , http_domain ORDER BY from_unixtime(cast(common_recv_time/300 as int) * 300,'UTC+8') DESC LIMIT 10000",
+ "Q204": "SELECT from_unixtime(cast(common_recv_time/3600 as int) * 3600,'UTC+8') AS stat_time , http_domain , approx_distinct(common_client_ip) AS nums FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1)-604800 AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain IN ( SELECT http_domain FROM connection_record_log AS connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND length(http_domain)!= 0 GROUP BY http_domain ORDER BY COUNT(*) desc LIMIT 5 ) group by from_unixtime(cast(common_recv_time/3600 as int) * 3600,'UTC+8'), http_domain ORDER BY stat_time desc LIMIT 10000",
+ "Q205": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", common_device_id AS \"Device ID\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) GROUP BY cast(common_recv_time/300 as int) * 300,common_device_id LIMIT 10000",
+ "Q206": "SELECT \"Internal IP\" AS \"Internal IP\", \"Sled IP\" AS \"Sled IP\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_sled_ip AS \"Sled IP\", common_internal_ip AS \"Internal IP\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) GROUP BY common_sled_ip, common_internal_ip LIMIT 1048576) GROUP BY \"Internal IP\", \"Sled IP\" ORDER BY \"Sessions\" DESC LIMIT 10000",
+ "Q207": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_log_id=1153021139190754263 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q208": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_client_ip='36.189.226.21' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q209": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_internal_ip='223.116.37.192' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q210": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_server_ip='8.8.8.8' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q211": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_external_ip='111.10.53.14' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q212": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_client_port=52607 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q213": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_server_port=443 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q214": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_c2s_pkt_num>5 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q215": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_s2c_pkt_num>5 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q216": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_c2s_byte_num>100 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q217": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_s2c_byte_num<200 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q218": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_schema_type='DNS' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q219": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_establish_latency_ms>200 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q220": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_con_duration_ms>10000 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q221": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_stream_trace_id=1153021139190754263 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q222": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_tcp_client_isn=2857077935 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q223": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_tcp_server_isn=0 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q224": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND http_domain='microsoft.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q225": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND mail_account='[email protected]' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q226": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND mail_subject='test' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q227": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND dns_qname='qbwup.imtt.qq.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q228": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND ssl_sni='note.youdao.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q229": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND ssl_con_latency_ms>100 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q230": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q231": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q232": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_server_ip='111.10.53.14' and common_server_port=443 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q233": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND mail_account like 'abc@%' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q234": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND http_domain like '%baidu.com%' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q235": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND ssl_sni like '%youdao.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q236": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q237": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_server_port not in (80,443) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q238": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND length(http_domain)!= 0 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q239": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND http_domain not like '%microsoft.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q240": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_log_id=1153021139190754263 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q241": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_client_ip='36.189.226.21' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q242": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_internal_ip='223.116.37.192' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q243": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_server_ip='8.8.8.8' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q244": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_external_ip='111.10.53.14' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q245": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_client_port=52607 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q246": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_server_port=443 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q247": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_c2s_pkt_num>5 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q248": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_s2c_pkt_num>5 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q249": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_c2s_byte_num>100 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q250": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_s2c_byte_num<200 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q251": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_schema_type='DNS' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q252": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_establish_latency_ms>200 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q253": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_con_duration_ms>10000 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q254": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_stream_trace_id=1153021139190754263 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q255": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_tcp_client_isn=2857077935 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q256": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_tcp_server_isn=0 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q257": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND http_domain='microsoft.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q258": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND mail_account='[email protected]' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q259": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND mail_subject='test' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q260": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND dns_qname='qbwup.imtt.qq.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q261": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND ssl_sni='note.youdao.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q262": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND ssl_con_latency_ms>100 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q263": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q264": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q265": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_server_ip='111.10.53.14' and common_server_port=443 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q266": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND mail_account like 'abc@%' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q267": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND http_domain like '%baidu.com%' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q268": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND ssl_sni like '%youdao.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q269": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q270": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_server_port not in (80,443) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q271": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND length(http_domain)!= 0 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q272": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND http_domain not like '%microsoft.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q273": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_log_id=1153021139190754263 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q274": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_client_ip='36.189.226.21' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q275": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_internal_ip='223.116.37.192' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q276": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_server_ip='8.8.8.8' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q277": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_external_ip='111.10.53.14' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q278": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_client_port=52607 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q279": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_server_port=443 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q280": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_c2s_pkt_num>5 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q281": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_s2c_pkt_num>5 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q282": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_c2s_byte_num>100 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q283": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_s2c_byte_num<200 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q284": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_schema_type='DNS' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q285": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_establish_latency_ms>200 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q286": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_con_duration_ms>10000 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q287": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_stream_trace_id=1153021139190754263 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q288": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_tcp_client_isn=2857077935 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q289": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_tcp_server_isn=0 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q290": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND http_domain='microsoft.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q291": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND mail_account='[email protected]' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q292": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND mail_subject='test' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q293": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND dns_qname='qbwup.imtt.qq.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q294": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND ssl_sni='note.youdao.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q295": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND ssl_con_latency_ms>100 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q296": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q297": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q298": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_server_ip='111.10.53.14' and common_server_port=443 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q299": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND mail_account like 'abc@%' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q300": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND http_domain like '%baidu.com%' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q301": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND ssl_sni like '%youdao.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q302": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q303": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND common_server_port not in (80,443) ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q304": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND length(http_domain)!= 0 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q305": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) AND http_domain not like '%microsoft.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q306": "SELECT \"Http.Domain\" AS \"Http.Domain\", sum(coalesce(\"Unique Client IP\", 0)) AS \"Unique Client IP\", sum(coalesce(\"Unique Subscriber ID\", 0)) AS \"Unique Subscriber ID\" FROM (SELECT http_domain AS \"Http.Domain\", approx_distinct(common_client_ip) AS \"Unique Client IP\", approx_distinct(common_subscriber_id) AS \"Unique Subscriber ID\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Http.Domain\" ORDER BY \"Unique Client IP\" DESC LIMIT 100",
+ "Q307": "SELECT \"Http.Domain\" AS \"Http.Domain\", sum(coalesce(\"Packets Sent\", 0)) AS \"Packets Sent\" FROM (SELECT http_domain AS \"Http.Domain\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Http.Domain\" ORDER BY \"Packets Sent\" DESC LIMIT 100",
+ "Q308": "SELECT \"Internal IP\" AS \"Internal IP\", \"External IP\" AS \"External IP\", \"Sled IP\" AS \"Sled IP\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_sled_ip AS \"Sled IP\", common_external_ip AS \"External IP\", common_internal_ip AS \"Internal IP\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes Sent+Bytes Received\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) AND ( common_stream_dir != 3 ) GROUP BY common_sled_ip, common_external_ip ,common_internal_ip LIMIT 1048576) GROUP BY \"Internal IP\", \"External IP\", \"Sled IP\" ORDER BY \"Sessions\" DESC LIMIT 500",
+ "Q309": "SELECT \"Client ASN\" AS \"Client ASN\", \"Server ASN\" AS \"Server ASN\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_server_asn AS \"Server ASN\", common_client_asn AS \"Client ASN\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) AND ( common_stream_dir != 3 ) GROUP BY common_server_asn, common_client_asn LIMIT 1048576) GROUP BY \"Client ASN\", \"Server ASN\" ORDER BY \"Sessions\" DESC LIMIT 500",
+ "Q310": "SELECT \"SSL.SNI\" AS \"SSL.SNI\", \"Client IP\" AS \"Client IP\", avg(coalesce(\"Establish Latency(ms)\", 0)) AS \"Establish Latency(ms)\" FROM (SELECT common_client_ip AS \"Client IP\", ssl_sni AS \"SSL.SNI\", avg(coalesce(common_establish_latency_ms, 0)) AS \"Establish Latency(ms)\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) ) ) GROUP BY common_client_ip, ssl_sni LIMIT 1048576) GROUP BY \"SSL.SNI\", \"Client IP\" ORDER BY \"Establish Latency(ms)\" DESC LIMIT 500",
+ "Q311": "select FROM_UNIXTIME(min(common_recv_time)) as \"First Seen\" , FROM_UNIXTIME(max(common_recv_time)) as \"Last Seen\" , median(http_response_lantency_ms) as \"Server Processing Time Median(ms)\", count(1) as Responses,any(common_server_location) as Location from connection_record_log WHERE common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) AND http_domain='baidu.com'",
+ "Q312": "select common_client_ip as \"Client IP\" , avg(common_establish_latency_ms) as \"Establishing Time Mean(ms)\", count(1) as Responses,any(common_client_location) as Location from connection_record_log where common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) and http_domain='baidu.com' group by \"Client IP\" order by Responses desc limit 100",
+ "Q313": "select common_server_ip as \"Server IP\" , avg(http_response_lantency_ms) as \"Server Processing Time Mean(ms)\", count(1) as Responses,any(common_server_location) as Location from connection_record_log where common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) and http_domain='baidu.com' group by \"Server IP\" order by Responses desc limit 100",
+ "Q314": "select http_url as \"URI\" , avg(http_response_lantency_ms) as \"Server Processing Time Mean(ms)\", count(1) as Responses from connection_record_log where common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) and http_domain='baidu.com' group by http_url order by Responses desc limit 100",
+ "Q315": "select common_l7_protocol as \"Protocol\" , approx_distinct(common_client_ip) as \"Clients\" , approx_distinct(common_server_ip) as \"Servers\", count(1) as Sessions,sum(common_c2s_byte_num+common_s2c_byte_num) as bytes from connection_record_log where common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) and length(common_l7_protocol)!= 0 group by common_l7_protocol order by bytes desc",
+ "Q316": "select common_client_ip as \"Client IP\" , count(1) as Sessions,sum(common_c2s_byte_num) as \"Bytes Out\", sum(common_s2c_byte_num) as \"Bytes In\",any(common_client_location) as Location from connection_record_log where common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) and common_l7_protocol='SIP' group by \"Client IP\" order by Sessions desc limit 100",
+ "Q317": "select common_server_ip as \"Server IP\" , count(1) as Sessions,sum(common_c2s_byte_num) as \"Bytes Out\", sum(common_s2c_byte_num) as \"Bytes In\",any(common_server_location) as Location from connection_record_log where common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2) and common_l7_protocol='SIP' group by \"Server IP\" order by Sessions desc limit 100"
+} \ No newline at end of file
diff --git a/src/autotest.py b/src/autotest.py
new file mode 100644
index 0000000..edd32c1
--- /dev/null
+++ b/src/autotest.py
@@ -0,0 +1,145 @@
+# -*- coding: utf-8 -*-
+import clickhouse_driver
+import openlookeng_driver
+import json,time,logging,sys
+import configparser
+olconfig = {}
+chconfig = {}
+
+time1,time2 = '',''
+sql_timeout = 2000
+def change_sql(origin_sql):
+ changed_sql = origin_sql.replace("$time1","'" + time1 + "'").replace("$time2","'" + time2 + "'")
+ return changed_sql
+
+
+def execute_sql(client,sql):
+ start = time.time()
+ ans = client.execute(sql)
+ end = time.time()
+ return end-start
+
+def get_current_time():
+ return time.strftime("%Y-%m-%d-%H-%M-%S", time.localtime())
+
+def run_ch(test_sql,now_time = '2021'):
+ client = clickhouse_driver.Client(host=chconfig['host'],port=chconfig['port'],user=chconfig['user'] ,password=chconfig['password'])
+ results = {}
+ total_time = 0
+ suc_num,fail_num = 0,0
+ for k,v in test_sql.items():
+ result = {}
+ run_sql = change_sql(v)
+ result['sql'] = run_sql
+ try:
+ used_time = execute_sql(client,run_sql)
+ if k == 'pre':
+ continue
+ total_time += used_time
+ result['used_time'] = used_time
+ result['data_num'] = 0
+ result['info'] = ''
+ suc_num += 1
+ print("running Q{} success , {}√,{}×".format(k,suc_num,fail_num))
+ except Exception as e:
+ result['used_time'] = -1
+ result['data_num'] = -1
+ result['info'] = str(e)
+ fail_num += 1
+ print("running Q{} success , {}√,{}×".format(k,suc_num,fail_num))
+
+ results[k] = result
+ try:
+ with open("../log/ch-"+now_time + ".json",'w') as file:
+ file.write(json.dumps(results))
+ except Exception as e:
+ print("error",e)
+ try:
+ with open("../log/ch-result.log","a+") as file:
+ file.write("{} success num: {} failed num: {} \n".format(now_time,suc_num,fail_num))
+ except Exception as e:
+ print(e)
+ time.sleep(10)
+
+
+
+def run_olk(test_sql,now_time = '2021'):
+ client = openlookeng_driver.Client(host=olconfig['host'],port=int(olconfig['port']),user=olconfig['user'],catalog=olconfig['catalog'],schema=olconfig['schema'])
+ client.add_logging(log_level=logging.DEBUG)
+ results = {}
+ total_time = 0
+ suc_num,fail_num = 0,0
+ for k,v in test_sql.items():
+ result = {}
+ run_sql = change_sql(v)
+ result['sql'] = run_sql
+ web_result = client.web_execute(run_sql)
+ used_time = float(web_result.get_used_time(sql_timeout)) # second
+ total_time += used_time
+ result['used_time'] = used_time
+ result['data_num'] = 0
+ result['info'] = web_result.error_info
+ if web_result.error_info == '':
+ suc_num += 1
+ print("running Q{} success , {}√,{}×".format(k,suc_num,fail_num))
+
+ else:
+ fail_num += 1
+ print("running Q{} success , {}√,{}×".format(k,suc_num,fail_num))
+ results[k] = result
+ try:
+ with open("../log/ol-" + now_time + ".json",'w') as file:
+ file.write(json.dumps(results))
+ except Exception as e:
+ print("error",e)
+ try:
+ with open("../log/ol-result.log","a+") as file:
+ file.write("{} success num: {} failed num: {} \n".format(now_time,suc_num,fail_num))
+ except Exception as e:
+ print(e)
+ time.sleep(10)
+
+def ch_poc():
+ with open("poc-ch.json",'r') as file:
+ now_time = get_current_time()
+ poc = json.loads(file.read())
+ run_ch(poc,now_time)
+
+def ol_poc():
+ with open("auto-ol.json",'r') as file:
+ now_time = get_current_time()
+ poc = json.loads(file.read())
+ run_olk(poc,now_time)
+
+
+def read_conf():
+ global time1,time2,sql_timeout,olconfig,chconfig
+ config = configparser.ConfigParser()
+ config.read("config")
+ time1 = config.get("run","time1")
+ time2 = config.get("run","time2")
+ sql_timeout = config.get("run","time_out")
+ chconfig['host'] = config.get("clickhouse","host")
+ chconfig['port'] = config.get("clickhouse","port")
+ chconfig['user'] = config.get("clickhouse","user")
+ chconfig['password'] = config.get("clickhouse","password")
+
+ olconfig['host'] = config.get("openlookeng","host")
+ olconfig['port'] = config.get("openlookeng","port")
+ olconfig['user'] = config.get("openlookeng","user")
+ olconfig['catalog'] = config.get("openlookeng","catalog")
+ olconfig['schema'] = config.get("openlookeng","schema")
+
+
+if __name__ == "__main__":
+ read_conf()
+ if sys.argv[1] == 'ch':
+ print("run ch")
+ ch_poc()
+ else:
+ print("run ol")
+ ol_poc()
+
+
+
+
diff --git a/src/config b/src/config
new file mode 100644
index 0000000..0af947c
--- /dev/null
+++ b/src/config
@@ -0,0 +1,20 @@
+
+[clickhouse]
+host = 192.168.40.223
+port = 9001
+user = default
+password = 111111
+
+
+[openlookeng]
+host = 192.168.40.223
+port = 18080
+user = olk
+catalog = clickhouse223
+schema = tsg_galaxy_v3
+
+
+[run]
+time1 = 2021-05-30 12:00:00
+time2 = 2021-06-30 12:00:00
+time_out = 1200 \ No newline at end of file
diff --git a/src/openlookeng_driver.py b/src/openlookeng_driver.py
new file mode 100644
index 0000000..6645493
--- /dev/null
+++ b/src/openlookeng_driver.py
@@ -0,0 +1,308 @@
+# -*- coding: utf-8 -*-
+import requests,json,time,math,re,logging
+from requests_toolbelt import MultipartEncoder
+
+class Result:
+ def __init__(self,nextUri,timeout = 5):
+ self.__nextUri = nextUri
+ self.timeout = timeout
+ self.infoUri = None
+ self.__response = None
+ self.__status = None
+ self.__used_time = None
+
+ def __prettify_response(self,response):
+ if self.__status == 'FAILED':
+ return "{} {}".format("FAILED",response['error']['message'])
+ elif self.__status == 'FINISHED':
+ column_name = ""
+ for col in response['columns']:
+ column_name += col['name']
+ column_name += '\t'
+ if 'data' in response:
+ return "{} \n{}\n{}".format(self.__status,column_name,response['data'])
+ return "{} \n{}".format(self.__status,column_name)
+
+ def __get_result_immediately(self):
+ response = requests.get(self.__nextUri)
+ response_dict = json.loads(response.text)
+ if 'nextUri' not in response_dict:
+ self.__response = response_dict
+ self.__status = response_dict['stats']['state']
+ self.infoUri = response_dict['infoUri']
+ return response_dict
+ else:
+ self.__nextUri = response_dict['nextUri']
+ return None
+
+ def get_result(self,timeout = None):
+ # 获取执行结果,直到超时
+ if self.__response is not None:
+ return self.__response
+ if timeout is None:
+ timeout = self.timeout
+ use_time = 0
+ interval = 0.5
+ while True:
+ result = self.__get_result_immediately()
+ if result is not None:
+ return result
+ if use_time > timeout:
+ break
+ use_time += interval
+ time.sleep(interval)
+ interval = math.ceil(use_time/10)
+ return None
+
+ def print_result(self):
+ response = self.get_result()
+ print(self.__prettify_response(response))
+
+ def get_used_time(self,timeout = None):
+ if self.__used_time is not None:
+ return self.__used_time
+ response = self.get_result(timeout)
+ if self.__status == "FINISHED":
+ elapsedTimeMillis = response['stats']['elapsedTimeMillis']
+ else:
+ print(response['error']['message'])
+ return 0
+ return elapsedTimeMillis
+ def get_infoUri(self,timeout = None):
+ self.get_result(time)
+ return self.infoUri
+
+# web api
+class WebResult:
+ def __init__(self,sql,uuid,Client,logger):
+ self.sql = sql
+ self.uuid = uuid
+ self.client = Client
+ self.result = None
+ self.finished = False # 没运行完和执行失败时都是False
+ self.used_time = None
+ self.infoUri = None
+ self.csv_path = None
+ self.logger = logger
+ self.error_info = ''
+ def write_log(self,level = 'info',message = ''):
+ if self.logger is None:
+ return
+ if level == 'info':
+ self.logger.info(message)
+ elif level == 'debug':
+ self.logger.debug(message)
+ elif level == 'error':
+ self.logger.error(message)
+
+ # 尝试获取结果
+ def __get_result_immediately(self):
+ # 返回当前执行的状态
+ result = self.client.get_query(self.uuid)
+ if result is not None:
+ #print(result)
+ if result['state'] == 'FINISHED':
+ self.finished = True
+ self.used_time = result['queryStats']['elapsedTime']
+ self.infoUri = "http://{}:{}/ui/{}".format(self.client.host,self.client.port,result['infoUri'])
+ self.write_log('debug',"SQL : "+self.sql)
+ self.write_log('info','FINISHED {} {}'.format(self.used_time,self.infoUri))
+ elif result['state'] == 'FAILED':
+ #print(result['error']['message'])
+ self.error_info = result['error']['message']
+ self.write_log('error',"SQL : "+self.sql)
+ self.write_log('error',result['error']['message'])
+ else:
+ return None
+ return result
+
+ # 一直尝试获取结果,直到超时
+ def get_result(self,timeout = None):
+ if self.result is not None:
+ return self.result
+ if timeout is None:
+ timeout = 5
+ use_time = 0
+ interval = 0.5
+ while True:
+ result = self.__get_result_immediately()
+ if result is not None:
+ self.result = result
+ return result
+ if use_time > timeout:
+ break
+ use_time += interval
+ time.sleep(interval)
+ interval = math.ceil(use_time/10)
+ return None
+
+ def get_used_time(self,timeout = None):
+ self.get_result(timeout)
+ if self.used_time is None:
+ return 0
+ #print(self.used_time)
+ if "ms" in self.used_time:
+ return float(re.sub("ms","",self.used_time))/1000
+ elif "s" in self.used_time:
+ return float(re.sub("s","",self.used_time))
+ else:
+ return float(re.sub("m","",self.used_time))*60
+
+ def get_infoUri(self,timeout = None):
+ self.get_result(timeout)
+ return self.infoUri
+
+ def get_output(self,timeout = None):
+ csv_path = self.get_csv_path(timeout = None)
+ if csv_path is not None:
+ print_csv(csv_path)
+
+ def get_csv_path(self,timeout = None):
+ if self.csv_path is not None:
+ return self.csv_path
+ self.get_result(timeout)
+ if self.finished is False:
+ return None
+ elif self.result['output']['type'] == 'csv':
+ self.csv_path = "http://{}:{}{}".format(self.client.host,self.client.port,self.result['output']['location'][2:])
+ return self.csv_path
+ else:
+ print("output is {} Type".format(self.result['output']['type']))
+ return None
+
+ def download_csv(self,csv_name = None):
+ csv_path = self.get_csv_path(timeout = None)
+ if csv_path is not None:
+ if csv_name is None:
+ csv_name = csv_path.split('/')[-1]
+ print("csv_name:",csv_name)
+ response = requests.get(csv_path)
+ if response.status_code == 200:
+ content = response.content
+ with open(csv_name,'w') as file:
+ file.write(content)
+
+def print_csv(csv_path):
+ response = requests.get(csv_path)
+ if response.status_code == 200:
+ content = response.content.decode().strip()
+ lines = content.split('\n')
+ print_seperator = True
+ for line in lines:
+ print(line.replace('"','').replace(',',' | '))
+ if print_seperator:
+ print_seperator = False
+ length = len(line)
+ print("-"*length)
+
+ else:
+ print("Error -->",response.status_code)
+
+class Client:
+ def __init__(self,host="127.0.0.1",port=8080,user="lk",catalog="system",schema="runtime",timeout = 10000):
+ self.host = host
+ self.port = port
+ self.timeout = timeout
+ self.catalog = catalog
+ self.user = user
+ self.schema = schema
+ self.execute_url = "http://{}:{}{}".format(self.host,self.port,"/v1/statement")
+ self.web_execute_url = "http://{}:{}{}".format(self.host,self.port,"/api/execute")
+ self.get_history_url = "http://{}:{}{}".format(self.host,self.port,"/api/query/history")
+ self.login()
+ self.headers = {
+ "X-Presto-Catalog":catalog,
+ "X-Presto-Schema":schema,
+ "X-Presto-User":user,
+ "X-Presto-Source":"python_driver",
+ "source":"python_web_driver",
+ "Content-Type":"application/json"
+ }
+ #self.headers['Cookie'] = 'Presto-UI-Token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJyb290IiwiZXhwIjoxNjE5MDg2NDA1LCJhdWQiOiJwcmVzdG8tdWkifQ.vry3sNOgr4PqRPi83pbCs6JAHUaUlJJApEq-LXIJubU'
+ self.logger = None;
+
+ # 暂时无法获取到cookie
+ def login(self,username = 'root',password = ''):
+ login_header = {
+ "Content-Type":"application/x-www-form-urlencoded"
+ #"Cookie":"Presto-UI-Token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJyb290IiwiZXhwIjoxNjE5MDg2MTcyLCJhdWQiOiJwcmVzdG8tdWkifQ.II5qdon7c_nCQ3BBQhvv_dKQibtjYuMnDiIybhRpyzs"
+ }
+ login_url = "http://{}:{}{}".format(self.host,self.port,"/ui/api/login")
+ form_data = "username={}&password={}&loginOptions=on&redirectPath=".format(username,password)
+ response = requests.post(login_url,data = form_data,headers = login_header)
+ #return Cookie
+
+ def add_logging(self,log_file = None,log_level = logging.INFO):
+ logger = logging.getLogger()
+ logger.setLevel(log_level)
+ if log_file is None:
+ log_file = time.strftime('%Y%m%d', time.localtime(time.time())) + '.log'
+ log_handler = logging.FileHandler(log_file, mode='a')
+ log_handler.setLevel(log_level)
+
+ formatter = logging.Formatter("%(asctime)s - %(levelname)s: %(message)s")
+ log_handler.setFormatter(formatter)
+ logger.addHandler(log_handler)
+ logger.info("connect to {}:{} user:{} catalog:{} schema:{}".format(self.host,self.port,self.user,self.catalog,self.schema))
+ self.logger = logger
+
+ def execute(self,sql):
+ sql = sql.split(';')[0]
+ response = requests.post(self.execute_url,data = sql,headers = self.headers)
+ if response.ok:
+ return Result(json.loads(response.text)['nextUri'])
+ else:
+ return response.text
+
+ def web_execute(self,sql):
+ if ';' in sql:
+ sql = sql.split(';')[0]
+ payload = {
+ "query":sql,
+ "sessionContext": {
+ "catalog":self.catalog,
+ "schema":self.schema
+ }
+ }
+ payload_str = json.dumps(payload)
+ #print(payload_str)
+ response = requests.put(url = self.web_execute_url,data = payload_str,headers = self.headers)
+ self.uuid = json.loads(response.text)[0]['uuid']
+ return WebResult(sql,self.uuid,self,self.logger)
+
+ # 多条执行,以;作为分割
+ # 未测试
+ def web_executes(self,sql):
+ web_results = []
+ sql_list = sql.split(';')
+ for sql in sql_list:
+ web_result = self.web_execute(sql)
+ web_results.append(web_result)
+ return web_results
+
+ def web_execute_from_file(self,filename):
+ with open(filename,'r') as file:
+ web_results = self.web_executes(file.read())
+ return web_results
+
+ def get_all_query(self):
+ response = requests.get(self.get_history_url,headers = self.headers)
+ query_list = json.loads(response.text)
+ return query_list
+
+ def get_query(self,uuid):
+ query_list = self.get_all_query()
+ for query in query_list:
+ if query['uuid'] == uuid:
+ return query
+ return None
+
+if __name__ == "__main__":
+ client = Client(host='192.168.40.152',port=18080,user='lk',catalog='clickhouse152',schema='ssb')
+ client.add_logging(log_level=logging.DEBUG)
+
+ #result = client.web_execute("SELECT sum(LO_REVENUE), year(LO_ORDERDATE) AS year, P_BRAND FROM lineorder_flat WHERE P_CATEGORY = 'MFGR#12' AND S_REGION = 'AMERICA' GROUP BY year(LO_ORDERDATE), P_BRAND ORDER BY year(LO_ORDERDATE), P_BRAND LIMIT 3")
+ #result.get_output()
+ # web_ress = client.web_executes("select 1,2,3,4;select1")
+ # for w in web_ress:
+ # w.get_output()
diff --git a/src/poc-ch.json b/src/poc-ch.json
new file mode 100644
index 0000000..f4eb2e8
--- /dev/null
+++ b/src/poc-ch.json
@@ -0,0 +1,320 @@
+{
+ "pre": "use tsg_galaxy_v3",
+ "Q1": "SELECT count(1) from connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2)",
+ "Q2": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) LIMIT 30",
+ "Q3": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q4": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) ORDER BY common_recv_time asc LIMIT 30",
+ "Q5": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q6": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q7": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_internal_ip='223.116.37.192' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q8": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q9": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_external_ip='111.10.53.14' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q10": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_port=52607 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q11": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q12": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_c2s_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q13": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_s2c_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q14": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_c2s_byte_num>100 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q15": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_s2c_byte_num<200 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q16": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_schema_type='DNS' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q17": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_establish_latency_ms>200 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q18": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_con_duration_ms>10000 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q19": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q20": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_tcp_client_isn=2857077935 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q21": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_tcp_server_isn=0 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q22": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q23": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND mail_account='[email protected]' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q24": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND mail_subject='test' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q25": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND dns_qname='qbwup.imtt.qq.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q26": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q27": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_con_latency_ms>100 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q28": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q29": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q30": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='111.10.53.14' and common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q31": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND mail_account like 'abc@%' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q32": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q33": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q34": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30",
+ "Q35": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_port not in (80,443) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q36": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q37": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q38": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q39": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q40": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_internal_ip='223.116.37.192' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q41": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q42": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_external_ip='111.10.53.14' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q43": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_port=52607 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q44": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q45": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_c2s_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q46": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_s2c_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q47": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_c2s_byte_num>100 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q48": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_s2c_byte_num<200 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q49": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_schema_type='DNS' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q50": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_establish_latency_ms>200 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q51": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_con_duration_ms>10000 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q52": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q53": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_tcp_client_isn=2857077935 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q54": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_tcp_server_isn=0 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q55": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q56": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND mail_account='[email protected]' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q57": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND mail_subject='test' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q58": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND dns_qname='qbwup.imtt.qq.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q59": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q60": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_con_latency_ms>100 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q61": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q62": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q63": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='111.10.53.14' and common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q64": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND mail_account like 'abc@%' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q65": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q66": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q67": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30",
+ "Q68": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_port not in (80,443) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q69": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q70": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q71": "SELECT * FROM connection_record_log AS connection_record_log WHERE toDateTime(common_recv_time) IN ( SELECT toDateTime(common_recv_time) FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q72": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q73": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE toDateTime(common_recv_time) IN ( SELECT toDateTime(common_recv_time) FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q74": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( select common_log_id FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2)) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q75": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q76": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q77": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q78": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q79": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q80": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q81": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q82": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q83": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q84": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q85": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q86": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q87": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q88": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q89": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q90": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q91": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q92": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q93": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q94": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q95": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q96": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q97": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q98": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q99": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q100": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q101": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q102": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q103": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q104": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q105": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q106": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q107": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q108": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q109": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q110": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q111": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q112": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q113": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q114": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q115": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q116": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q117": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q118": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q119": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q120": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q121": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q122": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q123": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q124": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q125": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q126": "SELECT toDateTime(common_recv_time) AS common_recv_time , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q127": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q128": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q129": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q130": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q131": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q132": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q133": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q134": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q135": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q136": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q137": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q138": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q139": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY toDateTime(common_recv_time) DESC LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q140": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q141": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q142": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q143": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q144": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q145": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q146": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q147": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q148": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q149": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q150": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q151": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q152": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q153": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q154": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q155": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q156": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q157": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q158": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q159": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q160": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q161": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q162": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q163": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q164": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q165": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q166": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q167": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q168": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q169": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q170": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q171": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q172": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q173": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q174": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q175": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q176": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q177": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND notEmpty(http_domain) ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q178": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q179": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, count(common_log_id) AS `logs` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) ) ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q180": "SELECT toDateTime(toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 30 SECOND)))) AS stat_time, sum(common_c2s_byte_num) AS bytes_sent, sum(common_s2c_byte_num) AS bytes_received, sum(common_c2s_byte_num + common_s2c_byte_num) AS bytes, sum(common_c2s_pkt_num + common_s2c_pkt_num) AS packets, sum(common_sessions) AS sessions FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) GROUP BY stat_time ORDER BY stat_time ASC LIMIT 10000",
+ "Q181": "SELECT toDateTime(toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE)))) AS stat_time, common_schema_type AS type, sum(common_sessions) AS sessions, sum(common_c2s_byte_num + common_s2c_byte_num) AS bytes, sum(common_c2s_pkt_num + common_s2c_pkt_num) AS packets FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2) GROUP BY stat_time, common_schema_type ORDER BY stat_time ASC LIMIT 10000",
+ "Q182": "SELECT round(sum(common_s2c_byte_num) * 8 / 300,2) AS trafficInBits, round(sum(common_c2s_byte_num) * 8 / 300,2) AS trafficOutBits, round(sum(common_s2c_byte_num + common_c2s_byte_num) * 8 / 300,2) AS trafficTotalBits, round(sum(common_s2c_pkt_num) / 300,2) AS trafficInPackets, round(sum(common_c2s_pkt_num) / 300,2) AS trafficOutPackets, round(sum(common_s2c_pkt_num + common_c2s_pkt_num) / 300,2) AS trafficTotalPackets, round(sum(common_sessions) / 300,2) AS sessions FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toUnixTimestamp($time1) AND common_recv_time < toUnixTimestamp($time2)",
+ "Q183": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, uniq(common_internal_ip) AS `Unique Internal IP`, uniq(common_external_ip) AS `Unique External IP`, uniq(common_subscriber_id) AS `Unique Subscriber ID`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q184": "SELECT 'all' AS type, uniq(common_client_ip) AS client_ips, uniq(common_internal_ip) AS internal_ips, uniq(common_server_ip) AS server_ips, uniq(common_external_ip) AS external_ips, uniq(common_subscriber_id) as subscriber_ids FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) UNION ALL SELECT 'tcp' AS type, uniq(common_client_ip) AS client_ips, uniq(common_internal_ip) AS internal_ips, uniq(common_server_ip) AS server_ips, uniq(common_external_ip) AS external_ips, uniq(common_subscriber_id) as subscriber_ids FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) AND common_l4_protocol IN ( 'IPv4_TCP', 'IPv6_TCP' ) UNION ALL SELECT 'UDP' AS type, uniq(common_client_ip) AS client_ips, uniq(common_internal_ip) AS internal_ips, uniq(common_server_ip) AS server_ips, uniq(common_external_ip) AS external_ips, uniq(common_subscriber_id) as subscriber_ids FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) AND common_l4_protocol IN ( 'IPv4_UDP', 'IPv6_UDP' )",
+ "Q185": "SELECT toDateTime(toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE)))) AS stat_time, (CASE WHEN common_stream_dir = 1 THEN 'c2s' WHEN common_stream_dir = 2 THEN 's2c' WHEN common_stream_dir = 3 THEN 'double' ELSE 'None' END) AS type, sum(common_sessions) AS sessions FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) GROUP BY stat_time, common_stream_dir ORDER BY stat_time ASC LIMIT 10000",
+ "Q186": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(common_sessions) AS `Sessions`, sum(if(common_stream_dir <> 3, common_sessions, 0)) AS `one_side_sessions`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, round(one_side_sessions / sessions, 2) AS one_side_percent FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q187": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(common_c2s_byte_num + common_s2c_byte_num) AS `Bytes`, sum(common_c2s_tcp_lostlen + common_s2c_tcp_lostlen) AS `gap_loss_bytes`, round(gap_loss_bytes / bytes, 2) AS gap_loss_percent FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) AND ( common_l4_protocol IN ( 'IPv4_TCP', 'IPv6_TCP' ) ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q188": "SELECT `server_ip` AS `server_ip` , SUM(coalesce(`Bytes`,0)) AS `Bytes` , SUM(coalesce(`bytes_sent`,0)) AS `Sent` , SUM(coalesce(`bytes_received`,0)) AS `Received` , SUM(coalesce(`Sessions`,0)) AS `Sessions` FROM ( SELECT SUM(coalesce(common_c2s_byte_num,0)) AS `bytes_sent` , SUM(coalesce(common_s2c_byte_num,0)) AS `bytes_received` , SUM(common_c2s_byte_num+common_s2c_byte_num) AS `Bytes` , SUM(coalesce(common_sessions,0)) AS `Sessions` , common_server_ip AS `server_ip` FROM connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) AND ( notEmpty(common_server_ip) ) GROUP BY `server_ip` ORDER BY `Bytes` desc ) GROUP BY `server_ip` ORDER BY `Bytes` desc LIMIT 30",
+ "Q189": "SELECT common_client_ip , COUNT(*) AS sessions FROM connection_record_log WHERE common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) GROUP BY common_client_ip ORDER BY sessions desc LIMIT 0,30",
+ "Q190": "SELECT `Server Port` AS `Server Port`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT common_server_port AS `Server Port`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) AND ( common_l4_protocol IN ( 'IPv4_TCP', 'IPv6_TCP' ) ) GROUP BY `Server Port` LIMIT 1048576) GROUP BY `Server Port` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q191": "SELECT `domain` AS `Website Domain` , SUM(coalesce(`Bytes`,0)) AS `Throughput` FROM ( SELECT SUM(coalesce(common_c2s_byte_num,0)) AS `bytes_sent` , SUM(coalesce(common_s2c_byte_num,0)) AS `bytes_received` , SUM(coalesce(common_c2s_byte_num+common_s2c_byte_num,0)) AS `Bytes` , http_domain AS `domain` FROM connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) AND ( notEmpty(http_domain) ) GROUP BY `domain` ORDER BY `Bytes` desc ) GROUP BY `domain` ORDER BY `Throughput` desc LIMIT 30",
+ "Q192": "SELECT `device_id` AS `device_id`, sum(coalesce(`Bytes`, 0)) AS `Bytes`, sum(coalesce(`bytes_sent`, 0)) AS `Sent`, sum(coalesce(`bytes_received`, 0)) AS `Received` FROM (SELECT sum(coalesce(common_c2s_byte_num, 0)) AS `bytes_sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `bytes_received`, sum(common_c2s_byte_num + common_s2c_byte_num) AS Bytes, common_device_id AS `device_id` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) GROUP BY `device_id` ORDER BY `Bytes` DESC LIMIT 1048576) GROUP BY `device_id` ORDER BY `Bytes` DESC LIMIT 30",
+ "Q193": "SELECT `Http.Domain` AS `Http.Domain`, sum(coalesce(`Client IP`, 0)) AS `Client IP` FROM (SELECT http_domain AS `Http.Domain`, uniq(common_client_ip) AS `Client IP` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) AND ( notEmpty(http_domain) ) GROUP BY `Http.Domain` ORDER BY `Client IP` DESC LIMIT 1048576) GROUP BY `Http.Domain` ORDER BY `Client IP` DESC LIMIT 30",
+ "Q194": "SELECT `Domain` AS `Domain`, avg(coalesce(`Avg Establish Latency(ms)`, 0)) AS `Avg Establish Latency(ms)` FROM (SELECT http_domain AS `Domain`, avg(coalesce(common_establish_latency_ms, 0)) AS `Avg Establish Latency(ms)` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Avg Establish Latency(ms)` DESC LIMIT 100",
+ "Q195": "SELECT `source` AS `source`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT coalesce(nullif(common_subscriber_id, ''), nullif(common_client_ip, '')) AS `source`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) GROUP BY `source` ORDER BY `Sessions` DESC LIMIT 1048576) GROUP BY `source` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q196": "SELECT `destination` AS `destination`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT coalesce(nullif(http_domain, ''), nullif(common_server_ip, '')) AS `destination`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) GROUP BY `destination` ORDER BY `Sessions` DESC LIMIT 1048576) GROUP BY `destination` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q197": "SELECT `server_location` AS `server_location`, sum(coalesce(`Bytes`, 0)) AS `Bytes`, sum(coalesce(`bytes_sent`, 0)) AS `Sent`, sum(coalesce(`bytes_received`, 0)) AS `Received` FROM (SELECT arrayElement(splitByString(',', common_server_location), length(splitByString(',', common_server_location))) AS `server_location`, sum(coalesce(common_c2s_byte_num, 0)) AS `bytes_sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `bytes_received`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) GROUP BY `server_location` ORDER BY `Bytes` DESC LIMIT 1048576) GROUP BY `server_location` ORDER BY `Bytes` DESC LIMIT 30",
+ "Q198": "SELECT `Http URL` AS `Http URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `Http URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) GROUP BY `Http URL` LIMIT 1048576) GROUP BY `Http URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q199": "SELECT `server_ip` AS `server_ip`, groupUniqArray(coalesce(`trans_app`, 0)) AS `trans_app`, sum(coalesce(`Bytes`, 0)) AS `Bytes`, sum(coalesce(`bytes_sent`, 0)) AS `Sent`, sum(coalesce(`bytes_received`, 0)) AS `Received` FROM (SELECT sum(coalesce(common_c2s_byte_num, 0)) AS `bytes_sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `bytes_received`, sum(common_c2s_byte_num + common_s2c_byte_num) AS `Bytes`, groupUniqArray(concat(common_l4_protocol, '/', toString(common_server_port))) AS `trans_app`, common_server_ip AS `server_ip` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) AND ( notEmpty(common_server_ip) ) GROUP BY `server_ip` ORDER BY `Bytes` DESC LIMIT 1048576) GROUP BY `server_ip` ORDER BY `Bytes` DESC LIMIT 30",
+ "Q200": "SELECT `Subscriber ID` AS `Subscriber ID`, `Http.Domain` AS `Http.Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Http.Domain`, common_subscriber_id AS `Subscriber ID`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) AND ( notEmpty(http_domain) AND notEmpty(common_subscriber_id) ) GROUP BY `Http.Domain`, `Subscriber ID` ORDER BY `Sessions` DESC LIMIT 1048576) GROUP BY `Subscriber ID`, `Http.Domain` ORDER BY `Sessions` DESC LIMIT 10000",
+ "Q201": "SELECT `Http.Domain` AS `Http.Domain` , `Server IP` AS `Server IP` , SUM(coalesce(`Bytes Sent`,0)) AS `Bytes Sent` FROM ( SELECT common_server_ip AS `Server IP` , http_domain AS `Http.Domain` , SUM(coalesce(common_c2s_byte_num+common_s2c_byte_num,0)) AS `Bytes` , SUM(coalesce(common_c2s_byte_num,0)) AS `Bytes Sent` , SUM(coalesce(common_s2c_byte_num,0)) AS `Bytes Received` FROM connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) AND ( notEmpty(http_domain) ) GROUP BY `Server IP` , `Http.Domain` ORDER BY `Bytes` desc LIMIT 1048576 ) GROUP BY `Http.Domain` , `Server IP` ORDER BY `Bytes Sent` desc LIMIT 10000",
+ "Q202": "SELECT `Http.Domain` AS `Http.Domain`, `Client IP` AS `Client IP`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT common_client_ip AS `Client IP`, http_domain AS `Http.Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) AND ( notEmpty(http_domain) ) GROUP BY `Client IP`, `Http.Domain` ORDER BY `Sessions` DESC LIMIT 1048576) GROUP BY `Http.Domain`, `Client IP` ORDER BY `Sessions` DESC LIMIT 10000",
+ "Q203": "SELECT toDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))),300)*300) AS _time , http_domain AS Domain, COUNT(DISTINCT(common_client_ip)) AS nums FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) AND notEmpty(http_domain) AND http_domain IN ( SELECT http_domain FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) AND notEmpty(http_domain) GROUP BY http_domain ORDER BY SUM(common_s2c_byte_num+common_c2s_byte_num) DESC LIMIT 5 ) GROUP BY toDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))),300)*300) , http_domain ORDER BY toDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))),300)*300) DESC LIMIT 10000",
+ "Q204": "SELECT toDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))),3600)*3600) AS stat_time , http_domain , uniq(common_client_ip) AS nums FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toDateTime($time1)-604800 AND common_recv_time < toDateTime($time2) AND http_domain IN ( SELECT http_domain FROM connection_record_log AS connection_record_log WHERE common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) AND notEmpty(http_domain) GROUP BY http_domain ORDER BY COUNT(*) desc LIMIT 5 ) group by toDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))), 3600)*3600), http_domain ORDER BY stat_time desc LIMIT 10000",
+ "Q205": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, common_device_id AS `Device ID`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) GROUP BY `Receive Time`, `Device ID` LIMIT 10000",
+ "Q206": "SELECT `Internal IP` AS `Internal IP`, `Sled IP` AS `Sled IP`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT common_sled_ip AS `Sled IP`, common_internal_ip AS `Internal IP`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) GROUP BY `Sled IP`, `Internal IP` LIMIT 1048576) GROUP BY `Internal IP`, `Sled IP` ORDER BY `Sessions` DESC LIMIT 10000",
+ "Q207": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_log_id=1153021139190754263 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q208": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_client_ip='36.189.226.21' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q209": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_internal_ip='223.116.37.192' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q210": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_server_ip='8.8.8.8' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q211": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_external_ip='111.10.53.14' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q212": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_client_port=52607 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q213": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_server_port=443 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q214": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_c2s_pkt_num>5 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q215": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_s2c_pkt_num>5 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q216": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_c2s_byte_num>100 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q217": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_s2c_byte_num<200 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q218": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_schema_type='DNS' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q219": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_establish_latency_ms>200 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q220": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_con_duration_ms>10000 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q221": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_stream_trace_id=1153021139190754263 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q222": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_tcp_client_isn=2857077935 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q223": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_tcp_server_isn=0 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q224": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND http_domain='microsoft.com' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q225": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND mail_account='[email protected]' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q226": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND mail_subject='test' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q227": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND dns_qname='qbwup.imtt.qq.com' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q228": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND ssl_sni='note.youdao.com' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q229": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND ssl_con_latency_ms>100 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q230": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q231": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q232": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_server_ip='111.10.53.14' and common_server_port=443 ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q233": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND mail_account like 'abc@%' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q234": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND http_domain like '%baidu.com%' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q235": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND ssl_sni like '%youdao.com' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q236": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q237": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_server_port not in (80,443) ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q238": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND notEmpty(http_domain) ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q239": "SELECT toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE))) AS `Receive Time`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes`, sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS `Packets`, sum(coalesce(common_sessions, 0)) AS `New Sessions`, sum(coalesce(common_c2s_byte_num, 0)) AS `Bytes Sent`, sum(coalesce(common_s2c_byte_num, 0)) AS `Bytes Received`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent`, sum(coalesce(common_s2c_pkt_num, 0)) AS `Packets Received` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND http_domain not like '%microsoft.com' ) GROUP BY `Receive Time` LIMIT 10000",
+ "Q240": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_log_id=1153021139190754263 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q241": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_client_ip='36.189.226.21' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q242": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_internal_ip='223.116.37.192' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q243": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_server_ip='8.8.8.8' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q244": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_external_ip='111.10.53.14' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q245": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_client_port=52607 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q246": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_server_port=443 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q247": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_c2s_pkt_num>5 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q248": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_s2c_pkt_num>5 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q249": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_c2s_byte_num>100 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q250": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_s2c_byte_num<200 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q251": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_schema_type='DNS' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q252": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_establish_latency_ms>200 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q253": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_con_duration_ms>10000 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q254": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_stream_trace_id=1153021139190754263 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q255": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_tcp_client_isn=2857077935 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q256": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_tcp_server_isn=0 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q257": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND http_domain='microsoft.com' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q258": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND mail_account='[email protected]' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q259": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND mail_subject='test' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q260": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND dns_qname='qbwup.imtt.qq.com' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q261": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND ssl_sni='note.youdao.com' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q262": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND ssl_con_latency_ms>100 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q263": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q264": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q265": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_server_ip='111.10.53.14' and common_server_port=443 ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q266": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND mail_account like 'abc@%' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q267": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND http_domain like '%baidu.com%' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q268": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND ssl_sni like '%youdao.com' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q269": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q270": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_server_port not in (80,443) ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q271": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND notEmpty(http_domain) ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q272": "SELECT `Domain` AS `Domain`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_domain AS `Domain`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND http_domain not like '%microsoft.com' ) AND ( notEmpty(http_domain) ) GROUP BY `Domain` LIMIT 1048576) GROUP BY `Domain` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q273": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_log_id=1153021139190754263 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q274": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_client_ip='36.189.226.21' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q275": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_internal_ip='223.116.37.192' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q276": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_server_ip='8.8.8.8' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q277": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_external_ip='111.10.53.14' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q278": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_client_port=52607 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q279": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_server_port=443 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q280": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_c2s_pkt_num>5 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q281": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_s2c_pkt_num>5 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q282": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_c2s_byte_num>100 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q283": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_s2c_byte_num<200 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q284": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_schema_type='DNS' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q285": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_establish_latency_ms>200 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q286": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_con_duration_ms>10000 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q287": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_stream_trace_id=1153021139190754263 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q288": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_tcp_client_isn=2857077935 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q289": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_tcp_server_isn=0 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q290": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND http_domain='microsoft.com' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q291": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND mail_account='[email protected]' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q292": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND mail_subject='test' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q293": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND dns_qname='qbwup.imtt.qq.com' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q294": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND ssl_sni='note.youdao.com' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q295": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND ssl_con_latency_ms>100 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q296": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q297": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q298": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_server_ip='111.10.53.14' and common_server_port=443 ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q299": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND mail_account like 'abc@%' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q300": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND http_domain like '%baidu.com%' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q301": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND ssl_sni like '%youdao.com' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q302": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q303": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND common_server_port not in (80,443) ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q304": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND notEmpty(http_domain) ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q305": "SELECT `URL` AS `URL`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT http_url AS `URL`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) AND http_domain not like '%microsoft.com' ) AND ( notEmpty(http_url) ) GROUP BY `URL` LIMIT 1048576) GROUP BY `URL` ORDER BY `Sessions` DESC LIMIT 30",
+ "Q306": "SELECT `Http.Domain` AS `Http.Domain`, sum(coalesce(`Unique Client IP`, 0)) AS `Unique Client IP`, sum(coalesce(`Unique Subscriber ID`, 0)) AS `Unique Subscriber ID` FROM (SELECT http_domain AS `Http.Domain`, uniq(common_client_ip) AS `Unique Client IP`, uniq(common_subscriber_id) AS `Unique Subscriber ID` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) AND ( notEmpty(http_domain) ) GROUP BY `Http.Domain` LIMIT 1048576) GROUP BY `Http.Domain` ORDER BY `Unique Client IP` DESC LIMIT 100",
+ "Q307": "SELECT `Http.Domain` AS `Http.Domain`, sum(coalesce(`Packets Sent`, 0)) AS `Packets Sent` FROM (SELECT http_domain AS `Http.Domain`, sum(coalesce(common_c2s_pkt_num, 0)) AS `Packets Sent` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) GROUP BY `Http.Domain` LIMIT 1048576) GROUP BY `Http.Domain` ORDER BY `Packets Sent` DESC LIMIT 100",
+ "Q308": "SELECT `Internal IP` AS `Internal IP`, `External IP` AS `External IP`, `Sled IP` AS `Sled IP`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT common_sled_ip AS `Sled IP`, common_external_ip AS `External IP`, common_internal_ip AS `Internal IP`, sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS `Bytes Sent+Bytes Received`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) AND ( common_stream_dir != 3 ) GROUP BY `Sled IP`, `External IP`, `Internal IP` LIMIT 1048576) GROUP BY `Internal IP`, `External IP`, `Sled IP` ORDER BY `Sessions` DESC LIMIT 500",
+ "Q309": "SELECT `Client ASN` AS `Client ASN`, `Server ASN` AS `Server ASN`, sum(coalesce(`Sessions`, 0)) AS `Sessions` FROM (SELECT common_server_asn AS `Server ASN`, common_client_asn AS `Client ASN`, sum(coalesce(common_sessions, 0)) AS `Sessions` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) AND ( common_stream_dir != 3 ) GROUP BY `Server ASN`, `Client ASN` LIMIT 1048576) GROUP BY `Client ASN`, `Server ASN` ORDER BY `Sessions` DESC LIMIT 500",
+ "Q310": "SELECT `SSL.SNI` AS `SSL.SNI`, `Client IP` AS `Client IP`, avg(coalesce(`Establish Latency(ms)`, 0)) AS `Establish Latency(ms)` FROM (SELECT common_client_ip AS `Client IP`, ssl_sni AS `SSL.SNI`, avg(coalesce(common_establish_latency_ms, 0)) AS `Establish Latency(ms)` FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) ) ) GROUP BY `Client IP`, `SSL.SNI` LIMIT 1048576) GROUP BY `SSL.SNI`, `Client IP` ORDER BY `Establish Latency(ms)` DESC LIMIT 500",
+ "Q311": "select FROM_UNIXTIME(min(common_recv_time)) as `First Seen` , FROM_UNIXTIME(max(common_recv_time)) as `Last Seen` , median(http_response_lantency_ms) as `Server Processing Time Median(ms)`, count(1) as Responses,any(common_server_location) as Location from connection_record_log WHERE common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) AND http_domain='baidu.com'",
+ "Q312": "select common_client_ip as `Client IP` , avg(common_establish_latency_ms) as `Establishing Time Mean(ms)`, count(1) as Responses,any(common_client_location) as Location from connection_record_log where common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) and http_domain='baidu.com' group by `Client IP` order by Responses desc limit 100",
+ "Q313": "select common_server_ip as `Server IP` , avg(http_response_lantency_ms) as `Server Processing Time Mean(ms)`, count(1) as Responses,any(common_server_location) as Location from connection_record_log where common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) and http_domain='baidu.com' group by `Server IP` order by Responses desc limit 100",
+ "Q314": "select http_url as `URI` , avg(http_response_lantency_ms) as `Server Processing Time Mean(ms)`, count(1) as Responses from connection_record_log where common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) and http_domain='baidu.com' group by `URI` order by Responses desc limit 100",
+ "Q315": "select common_l7_protocol as `Protocol` , uniq(common_client_ip) as `Clients` , uniq(common_server_ip) as `Servers`, count(1) as Sessions,sum(common_c2s_byte_num+common_s2c_byte_num) as bytes from connection_record_log where common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) and notEmpty(common_l7_protocol) group by common_l7_protocol order by bytes desc",
+ "Q316": "select common_client_ip as `Client IP` , count(1) as Sessions,sum(common_c2s_byte_num) as `Bytes Out`, sum(common_s2c_byte_num) as `Bytes In`,any(common_client_location) as Location from connection_record_log where common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) and common_l7_protocol='SIP' group by `Client IP` order by Sessions desc limit 100",
+ "Q317": "select common_server_ip as `Server IP` , count(1) as Sessions,sum(common_c2s_byte_num) as `Bytes Out`, sum(common_s2c_byte_num) as `Bytes In`,any(common_server_location) as Location from connection_record_log where common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2) and common_l7_protocol='SIP' group by `Server IP` order by Sessions desc limit 100"
+} \ No newline at end of file
diff --git a/temp.py b/temp.py
new file mode 100644
index 0000000..2c0131a
--- /dev/null
+++ b/temp.py
@@ -0,0 +1,83 @@
+import json
+
+def txt_to_json():
+ with open("./src/poc-ch.txt",'r') as file:
+ content = file.readlines()
+ i = 1
+ all = {}
+ for line in content:
+ all['Q'+ str(i)] = line
+ i += 1
+
+ with open("poc-ch.json",'w') as file:
+ content = json.dumps(all)
+ file.write(content)
+
+
+
+def change_sql(origin_sql):
+ changed_sql = origin_sql.replace('toUnixTimestamp($time1)','to_unixtime(timestamp $time1)')
+ changed_sql = changed_sql.replace('toUnixTimestamp($time2)','to_unixtime(timestamp $time2)')
+ changed_sql = changed_sql.replace('toDateTime(common_recv_time) AS common_recv_time',"from_unixtime(common_recv_time,'UTC+8')")
+ changed_sql = changed_sql.replace("notEmpty(http_url)","length(http_url)!= 0")
+ changed_sql = changed_sql.replace("notEmpty(http_domain)","length(http_domain)!= 0")
+ changed_sql = changed_sql.replace("notEmpty(common_l7_protocol)","length(common_l7_protocol)!= 0")
+ changed_sql = changed_sql.replace("notEmpty(common_server_ip)","length(common_server_ip)!= 0")
+ changed_sql = changed_sql.replace("notEmpty(http_domain)","length(http_domain)!= 0")
+ changed_sql = changed_sql.replace("notEmpty(common_subscriber_id)","length(common_subscriber_id)!= 0")
+ #changed_sql = changed_sql.replace("toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE)))","floor(common_recv_time/300) * 300")
+ changed_sql = changed_sql.replace("toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE)))","cast(common_recv_time/300 as int) * 300")
+ changed_sql = changed_sql.replace("`","\"")
+ changed_sql = changed_sql.replace("toDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))),300)*300)","from_unixtime(cast(common_recv_time/300 as int) * 300,'UTC+8')")
+ changed_sql = changed_sql.replace("toDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))),3600)*3600)","from_unixtime(cast(common_recv_time/3600 as int) * 3600,'UTC+8')")
+ changed_sql = changed_sql.replace("ORDER BY toDateTime(common_recv_time)","ORDER BY common_recv_time")
+ changed_sql = changed_sql.replace("common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2)","common_recv_time >= to_unixtime(timestamp $time1) AND common_recv_time < to_unixtime(timestamp $time2)")
+ changed_sql = changed_sql.replace("toDateTime(toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 30 SECOND))))","from_unixtime(cast(common_recv_time/30 as int) * 30,'UTC+8')")
+ changed_sql = changed_sql.replace("toDateTime(cast(common_recv_time/300 as int) * 300)","from_unixtime(cast(common_recv_time/300 as int) * 300,'UTC+8')")
+ changed_sql = changed_sql.replace("toDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))), 3600)*3600)","from_unixtime(cast(common_recv_time/3600 as int) * 3600,'UTC+8')")
+ changed_sql = changed_sql.replace("toDateTime(common_recv_time)","from_unixtime(common_recv_time,'UTC+8')")
+ changed_sql = changed_sql.replace("toDateTime($time2)","to_unixtime(timestamp $time2)")
+ changed_sql = changed_sql.replace("toDateTime($time1)","to_unixtime(timestamp $time1)")
+ changed_sql = changed_sql.replace("uniq(","approx_distinct(")
+ changed_sql = changed_sql.replace("group by \"URI\"","group by http_url")
+ changed_sql = changed_sql.replace("GROUP BY \"URL\" LIMIT 1048576","GROUP BY http_url LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Http URL\" LIMIT 1048576","GROUP BY http_url LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Domain\" LIMIT 1048576","GROUP BY http_domain LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Http.Domain\" LIMIT 1048576","GROUP BY http_domain LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY stat_time ORDER BY","GROUP BY from_unixtime(cast(common_recv_time/30 as int) * 30,'UTC+8') ORDER BY")
+ changed_sql = changed_sql.replace("GROUP BY \"Server Port\" LIMIT 1048576","GROUP BY common_server_port LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY stat_time","GROUP BY from_unixtime(cast(common_recv_time/300 as int) * 300,'UTC+8')")
+ changed_sql = changed_sql.replace("GROUP BY \"Client IP\", \"SSL.SNI\" LIMIT 1048576","GROUP BY common_client_ip, ssl_sni LIMIT 1048576")
+ #changed_sql = changed_sql.replace("GROUP BY stat_time ORDER BY stat_time ASC LIMIT 10000","GROUP BY from_unixtime(cast(common_recv_time/30 as int) * 30,'UTC+8') ORDER BY stat_time ASC LIMIT 10000")
+ changed_sql = changed_sql.replace("GROUP BY \"Sled IP\", \"Internal IP\" LIMIT 1048576","GROUP BY common_sled_ip, common_internal_ip LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Server ASN\", \"Client ASN\" LIMIT 1048576","GROUP BY common_server_asn, common_client_asn LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"device_id\" ORDER BY \"Bytes\" DESC LIMIT 1048576","GROUP BY common_device_id ORDER BY \"Bytes\" DESC LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Http.Domain\" ORDER BY \"Client IP\" DESC LIMIT 1048576","GROUP BY http_domain ORDER BY \"Client IP\" DESC LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Sled IP\", \"External IP\", \"Internal IP\" LIMIT 1048576","GROUP BY common_sled_ip, common_external_ip ,common_internal_ip LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Http.Domain\", \"Subscriber ID\" ORDER BY \"Sessions\" DESC LIMIT 1048576","GROUP BY http_domain, common_subscriber_id ORDER BY \"Sessions\" DESC LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"source\" ORDER BY \"Sessions\" DESC LIMIT 1048576)","GROUP BY coalesce(nullif(common_subscriber_id, ''), nullif(common_client_ip, '')) ORDER BY \"Sessions\" DESC LIMIT 1048576)")
+ changed_sql = changed_sql.replace("GROUP BY \"destination\" ORDER BY \"Sessions\" DESC LIMIT 1048576)","GROUP BY coalesce(nullif(http_domain, ''), nullif(common_server_ip, '')) ORDER BY \"Sessions\" DESC LIMIT 1048576)")
+ changed_sql = changed_sql.replace("GROUP BY \"server_ip\" ORDER BY \"Bytes\" desc )","GROUP BY common_server_ip ORDER BY \"Bytes\" desc )")
+ changed_sql = changed_sql.replace("LIMIT 0,30","LIMIT 30")
+ changed_sql = changed_sql.replace("GROUP BY \"domain\" ORDER BY \"Bytes\" desc","GROUP BY http_domain ORDER BY \"Bytes\" desc")
+ changed_sql = changed_sql.replace("GROUP BY \"Server IP\" , \"Http.Domain\" ORDER BY \"Bytes\" desc LIMIT 1048576","GROUP BY common_server_ip , http_domain ORDER BY \"Bytes\" desc LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Client IP\", \"Http.Domain\" ORDER BY \"Sessions\" DESC LIMIT 1048576)","GROUP BY common_client_ip, http_domain ORDER BY \"Sessions\" DESC LIMIT 1048576)")
+ changed_sql = changed_sql.replace("GROUP BY \"Receive Time\", \"Device ID\" LIMIT 10000","GROUP BY cast(common_recv_time/300 as int) * 300,common_device_id LIMIT 10000")
+ changed_sql = changed_sql.replace("GROUP BY \"Receive Time\"","GROUP BY cast(common_recv_time/300 as int) * 300")
+
+ #changed_sql = changed_sql.replace("","")
+
+ return changed_sql
+
+def ch_to_ol():
+ with open("./src/poc-ch.json","r") as file:
+ content = file.read()
+ all = json.loads(content)
+ olsql = {}
+ for k,v in all.items():
+ olsql[k] = change_sql(v)
+
+ with open("./src/auto-ol.json","w") as file:
+ file.write(json.dumps(olsql))
+
+ch_to_ol() \ No newline at end of file
diff --git a/whl/clickhouse_driver-0.1.2-cp27-cp27m-manylinux1_x86_64.whl b/whl/clickhouse_driver-0.1.2-cp27-cp27m-manylinux1_x86_64.whl
new file mode 100644
index 0000000..793dcd5
--- /dev/null
+++ b/whl/clickhouse_driver-0.1.2-cp27-cp27m-manylinux1_x86_64.whl
Binary files differ
diff --git a/whl/clickhouse_driver-0.1.2-cp27-cp27mu-manylinux1_x86_64.whl b/whl/clickhouse_driver-0.1.2-cp27-cp27mu-manylinux1_x86_64.whl
new file mode 100644
index 0000000..78dca98
--- /dev/null
+++ b/whl/clickhouse_driver-0.1.2-cp27-cp27mu-manylinux1_x86_64.whl
Binary files differ
diff --git a/whl/clickhouse_driver-0.2.1-cp35-cp35m-manylinux1_x86_64.whl b/whl/clickhouse_driver-0.2.1-cp35-cp35m-manylinux1_x86_64.whl
new file mode 100644
index 0000000..d931120
--- /dev/null
+++ b/whl/clickhouse_driver-0.2.1-cp35-cp35m-manylinux1_x86_64.whl
Binary files differ
diff --git a/whl/requests_toolbelt-0.9.1-py2.py3-none-any.whl b/whl/requests_toolbelt-0.9.1-py2.py3-none-any.whl
new file mode 100644
index 0000000..4de61e1
--- /dev/null
+++ b/whl/requests_toolbelt-0.9.1-py2.py3-none-any.whl
Binary files differ
generated by cgit v1.2.3 (git 2.39.1) at 2025-12-30 18:51:10 +0000