-rw-r--r--.gitignore3
-rw-r--r--run.sh23
-rwxr-xr-xsrc/ckdb-ol.json320
-rw-r--r--src/config15
-rw-r--r--src/convert_sql.py62
-rw-r--r--src/openlookeng_driver.py13
-rw-r--r--src/run.py88
-rw-r--r--src/sql_filter.py11
8 files changed, 503 insertions, 32 deletions
diff --git a/.gitignore b/.gitignore
index 3af7e9f..503f89b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
*.log
*.tgz
__pycache__
-*.tar
\ No newline at end of file
+*.tar
+.DS_Store
\ No newline at end of file
diff --git a/run.sh b/run.sh
index 3b5963f..c579621 100644
--- a/run.sh
+++ b/run.sh
@@ -47,7 +47,6 @@ ch_test_docker(){
collect_use_info
echo "running ClickHouse test"
docker exec -it poc python ./src/run.py ch /usr/src/app/
- echo 1
#docker run --rm -v $(pwd):/usr/src/app --name poc poc_jph:latest python ./src/run.py ch /usr/src/app/
}
@@ -56,10 +55,14 @@ ol_test_docker(){
collect_use_info
echo "running OpenLookeng test"
docker exec -it poc python ./src/run.py ol /usr/src/app/
- echo 1
#docker run --rm -v $(pwd):/usr/src/app --name poc poc_jph:latest ./src/run.py ol /usr/src/app/
}
+ol_expain_docker(){
+ echo "running Explaining test"
+ docker exec -it poc python ./src/run.py explain /usr/src/app/
+}
+
clear_log() {
rm -rf ./log/*
rm -rf ./src/__pycache__
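Review bot: The new function name `ol_expain_docker` is misspelled (presumably `ol_explain_docker`), and the same spelling is repeated at its call sites in `docker_start` and `explain_start` in the later run.sh hunks, so all three should be renamed together. The function also runs `docker exec -it`, which asks for a TTY and fails with "the input device is not a TTY" when run.sh is started from cron or a CI job; `docker exec poc python ./src/run.py explain /usr/src/app/` is enough for a batch run. Unlike `ch_test_docker` and `ol_test_docker` it does not call `collect_use_info` first; if that omission is deliberate, a one-line comment such as `# explain only plans queries, no resource sampling needed` would say so.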
@@ -70,7 +73,7 @@ start() {
collect_info
for i in {1,2,3}
do
- ch_test
+ #ch_test
ol_test
done
echo "finish poc test"
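Review bot: Commenting out `ch_test` in `start()` makes the native path run only the OpenLookeng test three times, while `docker_start` in the next hunk still runs both engines, so the two entry points no longer produce comparable logs. If the ClickHouse run is only being skipped temporarily, make that an explicit switch, e.g. `[ "${RUN_CH:-1}" = 1 ] && ch_test`, rather than leaving dead code in the loop; otherwise delete the line. The body of `start()` begins outside this hunk.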
@@ -86,6 +89,7 @@ docker_start() {
ch_test_docker
ol_test_docker
done
+ ol_expain_docker
tar -zcvf log.tgz ./log
docker-compose down
echo "finish poc test"
@@ -101,5 +105,16 @@ temp_test() {
docker exec -it poc python ./src/run.py ol /usr/src/app/
docker-compose down
}
-#temp_test
+
+
+explain_start() {
+ docker-compose up -d
+ clear_log
+ collect_info
+ ol_expain_docker
+ tar -zcvf log.tgz ./log
+ docker-compose down
+ echo FINISH
+}
+
docker_start
\ No newline at end of file
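Review bot: `explain_start` is defined but never invoked, because the script still ends with an unconditional `docker_start`; the new entry point is reachable only by editing the last line of the file. Dispatching on the first argument would fix that, e.g. `case "${1:-docker}" in explain) explain_start ;; *) docker_start ;; esac`. The function also goes on to `clear_log` (which runs `rm -rf ./log/*` relative to the current directory) without checking that `docker-compose up -d` succeeded. Using `docker-compose up -d || exit 1`, plus a `cd "$(dirname "$0")"` near the top of the script, would keep a failed or misplaced run from wiping an unrelated `./log` directory.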
diff --git a/src/ckdb-ol.json b/src/ckdb-ol.json
new file mode 100755
index 0000000..228ff34
--- /dev/null
+++ b/src/ckdb-ol.json
@@ -0,0 +1,320 @@
+{
+ "pre": "use tsg_galaxy_v3",
+ "Q1": "SELECT count(1) from connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2)",
+ "Q2": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) LIMIT 30",
+ "Q3": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q4": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time asc LIMIT 30",
+ "Q5": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q6": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q7": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_internal_ip='223.116.37.192' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q8": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q9": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_external_ip='111.10.53.14' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q10": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_port=52607 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q11": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q12": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_c2s_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q13": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_s2c_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q14": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_c2s_byte_num>100 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q15": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_s2c_byte_num<200 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q16": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_schema_type='DNS' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q17": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_establish_latency_ms>200 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q18": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_con_duration_ms>10000 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q19": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q20": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_tcp_client_isn=2857077935 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q21": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_tcp_server_isn=0 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q22": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q23": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND mail_account='[email protected]' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q24": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND mail_subject='test' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q25": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND dns_qname='qbwup.imtt.qq.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q26": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q27": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_con_latency_ms>100 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q28": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q29": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q30": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='111.10.53.14' and common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q31": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND mail_account like 'abc@%' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q32": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q33": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q34": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30",
+ "Q35": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_port not in (80,443) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q36": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q37": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q38": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q39": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q40": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_internal_ip='223.116.37.192' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q41": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q42": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_external_ip='111.10.53.14' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q43": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_port=52607 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q44": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q45": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_c2s_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q46": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_s2c_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q47": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_c2s_byte_num>100 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q48": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_s2c_byte_num<200 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q49": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_schema_type='DNS' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q50": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_establish_latency_ms>200 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q51": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_con_duration_ms>10000 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q52": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q53": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_tcp_client_isn=2857077935 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q54": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_tcp_server_isn=0 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q55": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q56": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND mail_account='[email protected]' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q57": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND mail_subject='test' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q58": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND dns_qname='qbwup.imtt.qq.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q59": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q60": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_con_latency_ms>100 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q61": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q62": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q63": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='111.10.53.14' and common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q64": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND mail_account like 'abc@%' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q65": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q66": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q67": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30",
+ "Q68": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_port not in (80,443) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q69": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30",
+ "Q70": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
+ "Q71": "SELECT * FROM connection_record_log AS connection_record_log WHERE ckdb.function.toDateTime(common_recv_time) IN ( SELECT ckdb.function.toDateTime(common_recv_time) FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q72": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q73": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE ckdb.function.toDateTime(common_recv_time) IN ( SELECT ckdb.function.toDateTime(common_recv_time) FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q74": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( select common_log_id FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2)) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q75": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q76": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q77": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q78": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q79": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q80": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q81": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q82": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q83": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q84": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q85": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q86": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q87": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q88": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q89": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q90": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q91": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q92": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q93": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q94": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q95": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q96": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q97": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q98": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q99": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q100": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q101": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q102": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q103": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q104": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q105": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q106": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q107": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q108": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q109": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q110": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q111": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q112": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q113": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q114": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q115": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q116": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q117": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q118": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q119": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q120": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q121": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q122": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q123": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q124": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q125": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q126": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
+ "Q127": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q128": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q129": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q130": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q131": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q132": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q133": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q134": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q135": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q136": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q137": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q138": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q139": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q140": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q141": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q142": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q143": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q144": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q145": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q146": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q147": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q148": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q149": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q150": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q151": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q152": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q153": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q154": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q155": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q156": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q157": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q158": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q159": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q160": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q161": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q162": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q163": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q164": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q165": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q166": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q167": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q168": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q169": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q170": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q171": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q172": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q173": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q174": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q175": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q176": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q177": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q178": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
+ "Q179": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", count(common_log_id) AS \"logs\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q180": "SELECT ckdb.function.toDateTime(cast(common_recv_time/30 as int) * 30) AS stat_time, sum(common_c2s_byte_num) AS bytes_sent, sum(common_s2c_byte_num) AS bytes_received, sum(common_c2s_byte_num + common_s2c_byte_num) AS bytes, sum(common_c2s_pkt_num + common_s2c_pkt_num) AS packets, sum(common_sessions) AS sessions FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) GROUP BY ckdb.function.toDateTime(cast(common_recv_time/30 as int) * 30) ORDER BY stat_time ASC LIMIT 10000",
+ "Q181": "SELECT ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300) AS stat_time, common_schema_type AS type, sum(common_sessions) AS sessions, sum(common_c2s_byte_num + common_s2c_byte_num) AS bytes, sum(common_c2s_pkt_num + common_s2c_pkt_num) AS packets FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) GROUP BY ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300), common_schema_type ORDER BY stat_time ASC LIMIT 10000",
+ "Q182": "SELECT round(sum(common_s2c_byte_num) * 8 / 300,2) AS trafficInBits, round(sum(common_c2s_byte_num) * 8 / 300,2) AS trafficOutBits, round(sum(common_s2c_byte_num + common_c2s_byte_num) * 8 / 300,2) AS trafficTotalBits, round(sum(common_s2c_pkt_num) / 300,2) AS trafficInPackets, round(sum(common_c2s_pkt_num) / 300,2) AS trafficOutPackets, round(sum(common_s2c_pkt_num + common_c2s_pkt_num) / 300,2) AS trafficTotalPackets, round(sum(common_sessions) / 300,2) AS sessions FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2)",
+ "Q183": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", approx_distinct(common_internal_ip) AS \"Unique Internal IP\", approx_distinct(common_external_ip) AS \"Unique External IP\", approx_distinct(common_subscriber_id) AS \"Unique Subscriber ID\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q184": "SELECT 'all' AS type, approx_distinct(common_client_ip) AS client_ips, approx_distinct(common_internal_ip) AS internal_ips, approx_distinct(common_server_ip) AS server_ips, approx_distinct(common_external_ip) AS external_ips, approx_distinct(common_subscriber_id) as subscriber_ids FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) UNION ALL SELECT 'tcp' AS type, approx_distinct(common_client_ip) AS client_ips, approx_distinct(common_internal_ip) AS internal_ips, approx_distinct(common_server_ip) AS server_ips, approx_distinct(common_external_ip) AS external_ips, approx_distinct(common_subscriber_id) as subscriber_ids FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_l4_protocol IN ( 'IPv4_TCP', 'IPv6_TCP' ) UNION ALL SELECT 'UDP' AS type, approx_distinct(common_client_ip) AS client_ips, approx_distinct(common_internal_ip) AS internal_ips, approx_distinct(common_server_ip) AS server_ips, approx_distinct(common_external_ip) AS external_ips, approx_distinct(common_subscriber_id) as subscriber_ids FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_l4_protocol IN ( 'IPv4_UDP', 'IPv6_UDP' )",
+ "Q185": "SELECT ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300) AS stat_time, (CASE WHEN common_stream_dir = 1 THEN 'c2s' WHEN common_stream_dir = 2 THEN 's2c' WHEN common_stream_dir = 3 THEN 'double' ELSE 'None' END) AS type, sum(common_sessions) AS sessions FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) GROUP BY ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300), common_stream_dir ORDER BY stat_time ASC LIMIT 10000",
+ "Q186": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(common_sessions) AS \"Sessions\", sum(if(common_stream_dir <> 3, common_sessions, 0)) AS \"one_side_sessions\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", round(one_side_sessions / sessions, 2) AS one_side_percent FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q187": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(common_c2s_byte_num + common_s2c_byte_num) AS \"Bytes\", sum(common_c2s_tcp_lostlen + common_s2c_tcp_lostlen) AS \"gap_loss_bytes\", round(gap_loss_bytes / bytes, 2) AS gap_loss_percent FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( common_l4_protocol IN ( 'IPv4_TCP', 'IPv6_TCP' ) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q188": "SELECT \"server_ip\" AS \"server_ip\" , SUM(coalesce(\"Bytes\",0)) AS \"Bytes\" , SUM(coalesce(\"bytes_sent\",0)) AS \"Sent\" , SUM(coalesce(\"bytes_received\",0)) AS \"Received\" , SUM(coalesce(\"Sessions\",0)) AS \"Sessions\" FROM ( SELECT SUM(coalesce(common_c2s_byte_num,0)) AS \"bytes_sent\" , SUM(coalesce(common_s2c_byte_num,0)) AS \"bytes_received\" , SUM(common_c2s_byte_num+common_s2c_byte_num) AS \"Bytes\" , SUM(coalesce(common_sessions,0)) AS \"Sessions\" , common_server_ip AS \"server_ip\" FROM connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(common_server_ip)!= 0 ) GROUP BY common_server_ip ORDER BY \"Bytes\" desc ) GROUP BY \"server_ip\" ORDER BY \"Bytes\" desc LIMIT 30",
+ "Q189": "SELECT common_client_ip , COUNT(*) AS sessions FROM connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) GROUP BY common_client_ip ORDER BY sessions desc LIMIT 30",
+ "Q190": "SELECT \"Server Port\" AS \"Server Port\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_server_port AS \"Server Port\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( common_l4_protocol IN ( 'IPv4_TCP', 'IPv6_TCP' ) ) GROUP BY common_server_port LIMIT 1048576) GROUP BY \"Server Port\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q191": "SELECT \"domain\" AS \"Website Domain\" , SUM(coalesce(\"Bytes\",0)) AS \"Throughput\" FROM ( SELECT SUM(coalesce(common_c2s_byte_num,0)) AS \"bytes_sent\" , SUM(coalesce(common_s2c_byte_num,0)) AS \"bytes_received\" , SUM(coalesce(common_c2s_byte_num+common_s2c_byte_num,0)) AS \"Bytes\" , http_domain AS \"domain\" FROM connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain ORDER BY \"Bytes\" desc ) GROUP BY \"domain\" ORDER BY \"Throughput\" desc LIMIT 30",
+ "Q192": "SELECT \"device_id\" AS \"device_id\", sum(coalesce(\"Bytes\", 0)) AS \"Bytes\", sum(coalesce(\"bytes_sent\", 0)) AS \"Sent\", sum(coalesce(\"bytes_received\", 0)) AS \"Received\" FROM (SELECT sum(coalesce(common_c2s_byte_num, 0)) AS \"bytes_sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"bytes_received\", sum(common_c2s_byte_num + common_s2c_byte_num) AS Bytes, common_device_id AS \"device_id\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY common_device_id ORDER BY \"Bytes\" DESC LIMIT 1048576) GROUP BY \"device_id\" ORDER BY \"Bytes\" DESC LIMIT 30",
+ "Q193": "SELECT \"Http.Domain\" AS \"Http.Domain\", sum(coalesce(\"Client IP\", 0)) AS \"Client IP\" FROM (SELECT http_domain AS \"Http.Domain\", approx_distinct(common_client_ip) AS \"Client IP\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain ORDER BY \"Client IP\" DESC LIMIT 1048576) GROUP BY \"Http.Domain\" ORDER BY \"Client IP\" DESC LIMIT 30",
+ "Q194": "SELECT \"Domain\" AS \"Domain\", avg(coalesce(\"Avg Establish Latency(ms)\", 0)) AS \"Avg Establish Latency(ms)\" FROM (SELECT http_domain AS \"Domain\", avg(coalesce(common_establish_latency_ms, 0)) AS \"Avg Establish Latency(ms)\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Avg Establish Latency(ms)\" DESC LIMIT 100",
+ "Q195": "SELECT \"source\" AS \"source\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT coalesce(nullif(common_subscriber_id, ''), nullif(common_client_ip, '')) AS \"source\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY coalesce(nullif(common_subscriber_id, ''), nullif(common_client_ip, '')) ORDER BY \"Sessions\" DESC LIMIT 1048576) GROUP BY \"source\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q196": "SELECT \"destination\" AS \"destination\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT coalesce(nullif(http_domain, ''), nullif(common_server_ip, '')) AS \"destination\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY coalesce(nullif(http_domain, ''), nullif(common_server_ip, '')) ORDER BY \"Sessions\" DESC LIMIT 1048576) GROUP BY \"destination\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q197": "SELECT \"server_location\" AS \"server_location\", sum(coalesce(\"Bytes\", 0)) AS \"Bytes\", sum(coalesce(\"bytes_sent\", 0)) AS \"Sent\", sum(coalesce(\"bytes_received\", 0)) AS \"Received\" FROM (SELECT arrayElement(splitByString(',', common_server_location), length(splitByString(',', common_server_location))) AS \"server_location\", sum(coalesce(common_c2s_byte_num, 0)) AS \"bytes_sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"bytes_received\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY \"server_location\" ORDER BY \"Bytes\" DESC LIMIT 1048576) GROUP BY \"server_location\" ORDER BY \"Bytes\" DESC LIMIT 30",
+ "Q198": "SELECT \"Http URL\" AS \"Http URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"Http URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY http_url LIMIT 1048576) GROUP BY \"Http URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q199": "SELECT \"server_ip\" AS \"server_ip\", groupUniqArray(coalesce(\"trans_app\", 0)) AS \"trans_app\", sum(coalesce(\"Bytes\", 0)) AS \"Bytes\", sum(coalesce(\"bytes_sent\", 0)) AS \"Sent\", sum(coalesce(\"bytes_received\", 0)) AS \"Received\" FROM (SELECT sum(coalesce(common_c2s_byte_num, 0)) AS \"bytes_sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"bytes_received\", sum(common_c2s_byte_num + common_s2c_byte_num) AS \"Bytes\", groupUniqArray(concat(common_l4_protocol, '/', toString(common_server_port))) AS \"trans_app\", common_server_ip AS \"server_ip\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(common_server_ip)!= 0 ) GROUP BY \"server_ip\" ORDER BY \"Bytes\" DESC LIMIT 1048576) GROUP BY \"server_ip\" ORDER BY \"Bytes\" DESC LIMIT 30",
+ "Q200": "SELECT \"Subscriber ID\" AS \"Subscriber ID\", \"Http.Domain\" AS \"Http.Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Http.Domain\", common_subscriber_id AS \"Subscriber ID\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 AND length(common_subscriber_id)!= 0 ) GROUP BY http_domain, common_subscriber_id ORDER BY \"Sessions\" DESC LIMIT 1048576) GROUP BY \"Subscriber ID\", \"Http.Domain\" ORDER BY \"Sessions\" DESC LIMIT 10000",
+ "Q201": "SELECT \"Http.Domain\" AS \"Http.Domain\" , \"Server IP\" AS \"Server IP\" , SUM(coalesce(\"Bytes Sent\",0)) AS \"Bytes Sent\" FROM ( SELECT common_server_ip AS \"Server IP\" , http_domain AS \"Http.Domain\" , SUM(coalesce(common_c2s_byte_num+common_s2c_byte_num,0)) AS \"Bytes\" , SUM(coalesce(common_c2s_byte_num,0)) AS \"Bytes Sent\" , SUM(coalesce(common_s2c_byte_num,0)) AS \"Bytes Received\" FROM connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY common_server_ip , http_domain ORDER BY \"Bytes\" desc LIMIT 1048576 ) GROUP BY \"Http.Domain\" , \"Server IP\" ORDER BY \"Bytes Sent\" desc LIMIT 10000",
+ "Q202": "SELECT \"Http.Domain\" AS \"Http.Domain\", \"Client IP\" AS \"Client IP\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_client_ip AS \"Client IP\", http_domain AS \"Http.Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY common_client_ip, http_domain ORDER BY \"Sessions\" DESC LIMIT 1048576) GROUP BY \"Http.Domain\", \"Client IP\" ORDER BY \"Sessions\" DESC LIMIT 10000",
+ "Q203": "SELECT ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300) AS _time , http_domain AS Domain, COUNT(DISTINCT(common_client_ip)) AS nums FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 AND http_domain IN ( SELECT http_domain FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 GROUP BY http_domain ORDER BY SUM(common_s2c_byte_num+common_c2s_byte_num) DESC LIMIT 5 ) GROUP BY ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300) , http_domain ORDER BY ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300) DESC LIMIT 10000",
+ "Q204": "SELECT ckdb.function.toDateTime(cast(common_recv_time/3600 as int) * 3600) AS stat_time , http_domain , approx_distinct(common_client_ip) AS nums FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1)-604800 AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain IN ( SELECT http_domain FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 GROUP BY http_domain ORDER BY COUNT(*) desc LIMIT 5 ) group by ckdb.function.toDateTime(cast(common_recv_time/3600 as int) * 3600), http_domain ORDER BY stat_time desc LIMIT 10000",
+ "Q205": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", common_device_id AS \"Device ID\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY cast(common_recv_time/300 as int) * 300,common_device_id LIMIT 10000",
+ "Q206": "SELECT \"Internal IP\" AS \"Internal IP\", \"Sled IP\" AS \"Sled IP\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_sled_ip AS \"Sled IP\", common_internal_ip AS \"Internal IP\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY common_sled_ip, common_internal_ip LIMIT 1048576) GROUP BY \"Internal IP\", \"Sled IP\" ORDER BY \"Sessions\" DESC LIMIT 10000",
+ "Q207": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_log_id=1153021139190754263 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q208": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip='36.189.226.21' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q209": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_internal_ip='223.116.37.192' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q210": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_ip='8.8.8.8' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q211": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_external_ip='111.10.53.14' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q212": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_port=52607 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q213": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_port=443 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q214": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_c2s_pkt_num>5 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q215": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_s2c_pkt_num>5 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q216": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_c2s_byte_num>100 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q217": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_s2c_byte_num<200 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q218": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_schema_type='DNS' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q219": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_establish_latency_ms>200 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q220": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_con_duration_ms>10000 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q221": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_stream_trace_id=1153021139190754263 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q222": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_tcp_client_isn=2857077935 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q223": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_tcp_server_isn=0 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q224": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain='microsoft.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q225": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_account='[email protected]' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q226": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_subject='test' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q227": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND dns_qname='qbwup.imtt.qq.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q228": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_sni='note.youdao.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q229": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_con_latency_ms>100 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q230": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q231": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q232": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_ip='111.10.53.14' and common_server_port=443 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q233": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_account like 'abc@%' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q234": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain like '%baidu.com%' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q235": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_sni like '%youdao.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q236": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q237": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_port not in (80,443) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q238": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND length(http_domain)!= 0 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q239": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain not like '%microsoft.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
+ "Q240": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_log_id=1153021139190754263 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q241": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip='36.189.226.21' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q242": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_internal_ip='223.116.37.192' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q243": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_ip='8.8.8.8' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q244": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_external_ip='111.10.53.14' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q245": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_port=52607 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q246": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_port=443 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q247": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_c2s_pkt_num>5 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q248": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_s2c_pkt_num>5 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q249": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_c2s_byte_num>100 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q250": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_s2c_byte_num<200 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q251": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_schema_type='DNS' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q252": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_establish_latency_ms>200 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q253": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_con_duration_ms>10000 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q254": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_stream_trace_id=1153021139190754263 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q255": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_tcp_client_isn=2857077935 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q256": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_tcp_server_isn=0 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q257": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain='microsoft.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q258": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_account='[email protected]' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q259": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_subject='test' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q260": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND dns_qname='qbwup.imtt.qq.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q261": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_sni='note.youdao.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q262": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_con_latency_ms>100 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q263": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q264": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q265": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_ip='111.10.53.14' and common_server_port=443 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q266": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_account like 'abc@%' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q267": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain like '%baidu.com%' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q268": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_sni like '%youdao.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q269": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q270": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_port not in (80,443) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q271": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND length(http_domain)!= 0 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q272": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain not like '%microsoft.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q273": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_log_id=1153021139190754263 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q274": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip='36.189.226.21' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q275": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_internal_ip='223.116.37.192' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q276": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_ip='8.8.8.8' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q277": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_external_ip='111.10.53.14' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q278": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_port=52607 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q279": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_port=443 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q280": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_c2s_pkt_num>5 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q281": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_s2c_pkt_num>5 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q282": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_c2s_byte_num>100 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q283": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_s2c_byte_num<200 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q284": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_schema_type='DNS' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q285": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_establish_latency_ms>200 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q286": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_con_duration_ms>10000 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q287": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_stream_trace_id=1153021139190754263 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q288": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_tcp_client_isn=2857077935 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q289": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_tcp_server_isn=0 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q290": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain='microsoft.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q291": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_account='[email protected]' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q292": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_subject='test' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q293": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND dns_qname='qbwup.imtt.qq.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q294": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_sni='note.youdao.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q295": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_con_latency_ms>100 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q296": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q297": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q298": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_ip='111.10.53.14' and common_server_port=443 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q299": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_account like 'abc@%' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q300": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain like '%baidu.com%' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q301": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_sni like '%youdao.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q302": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q303": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_port not in (80,443) ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q304": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND length(http_domain)!= 0 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q305": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain not like '%microsoft.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
+ "Q306": "SELECT \"Http.Domain\" AS \"Http.Domain\", sum(coalesce(\"Unique Client IP\", 0)) AS \"Unique Client IP\", sum(coalesce(\"Unique Subscriber ID\", 0)) AS \"Unique Subscriber ID\" FROM (SELECT http_domain AS \"Http.Domain\", approx_distinct(common_client_ip) AS \"Unique Client IP\", approx_distinct(common_subscriber_id) AS \"Unique Subscriber ID\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Http.Domain\" ORDER BY \"Unique Client IP\" DESC LIMIT 100",
+ "Q307": "SELECT \"Http.Domain\" AS \"Http.Domain\", sum(coalesce(\"Packets Sent\", 0)) AS \"Packets Sent\" FROM (SELECT http_domain AS \"Http.Domain\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Http.Domain\" ORDER BY \"Packets Sent\" DESC LIMIT 100",
+ "Q308": "SELECT \"Internal IP\" AS \"Internal IP\", \"External IP\" AS \"External IP\", \"Sled IP\" AS \"Sled IP\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_sled_ip AS \"Sled IP\", common_external_ip AS \"External IP\", common_internal_ip AS \"Internal IP\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes Sent+Bytes Received\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( common_stream_dir != 3 ) GROUP BY common_sled_ip, common_external_ip ,common_internal_ip LIMIT 1048576) GROUP BY \"Internal IP\", \"External IP\", \"Sled IP\" ORDER BY \"Sessions\" DESC LIMIT 500",
+ "Q309": "SELECT \"Client ASN\" AS \"Client ASN\", \"Server ASN\" AS \"Server ASN\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_server_asn AS \"Server ASN\", common_client_asn AS \"Client ASN\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( common_stream_dir != 3 ) GROUP BY common_server_asn, common_client_asn LIMIT 1048576) GROUP BY \"Client ASN\", \"Server ASN\" ORDER BY \"Sessions\" DESC LIMIT 500",
+ "Q310": "SELECT \"SSL.SNI\" AS \"SSL.SNI\", \"Client IP\" AS \"Client IP\", avg(coalesce(\"Establish Latency(ms)\", 0)) AS \"Establish Latency(ms)\" FROM (SELECT common_client_ip AS \"Client IP\", ssl_sni AS \"SSL.SNI\", avg(coalesce(common_establish_latency_ms, 0)) AS \"Establish Latency(ms)\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY common_client_ip, ssl_sni LIMIT 1048576) GROUP BY \"SSL.SNI\", \"Client IP\" ORDER BY \"Establish Latency(ms)\" DESC LIMIT 500",
+ "Q311": "select FROM_UNIXTIME(min(common_recv_time)) as \"First Seen\" , FROM_UNIXTIME(max(common_recv_time)) as \"Last Seen\" , median(http_response_lantency_ms) as \"Server Processing Time Median(ms)\", count(1) as Responses,any(common_server_location) as Location from connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='baidu.com'",
+ "Q312": "select common_client_ip as \"Client IP\" , avg(common_establish_latency_ms) as \"Establishing Time Mean(ms)\", count(1) as Responses,any(common_client_location) as Location from connection_record_log where common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) and http_domain='baidu.com' group by \"Client IP\" order by Responses desc limit 100",
+ "Q313": "select common_server_ip as \"Server IP\" , avg(http_response_lantency_ms) as \"Server Processing Time Mean(ms)\", count(1) as Responses,any(common_server_location) as Location from connection_record_log where common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) and http_domain='baidu.com' group by \"Server IP\" order by Responses desc limit 100",
+ "Q314": "select http_url as \"URI\" , avg(http_response_lantency_ms) as \"Server Processing Time Mean(ms)\", count(1) as Responses from connection_record_log where common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) and http_domain='baidu.com' group by http_url order by Responses desc limit 100",
+ "Q315": "select common_l7_protocol as \"Protocol\" , approx_distinct(common_client_ip) as \"Clients\" , approx_distinct(common_server_ip) as \"Servers\", count(1) as Sessions,sum(common_c2s_byte_num+common_s2c_byte_num) as bytes from connection_record_log where common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) and length(common_l7_protocol)!= 0 group by common_l7_protocol order by bytes desc",
+ "Q316": "select common_client_ip as \"Client IP\" , count(1) as Sessions,sum(common_c2s_byte_num) as \"Bytes Out\", sum(common_s2c_byte_num) as \"Bytes In\",any(common_client_location) as Location from connection_record_log where common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) and common_l7_protocol='SIP' group by \"Client IP\" order by Sessions desc limit 100",
+ "Q317": "select common_server_ip as \"Server IP\" , count(1) as Sessions,sum(common_c2s_byte_num) as \"Bytes Out\", sum(common_s2c_byte_num) as \"Bytes In\",any(common_server_location) as Location from connection_record_log where common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) and common_l7_protocol='SIP' group by \"Server IP\" order by Sessions desc limit 100"
+} \ No newline at end of file
diff --git a/src/config b/src/config
index b48f386..df26b48 100644
--- a/src/config
+++ b/src/config
@@ -1,29 +1,36 @@
-[clickhouse-local]
+[clickhouse]
host = 192.168.40.223
port = 9001
user = default
password = 111111
-[openlookeng-local]
+[openlookeng]
host = 192.168.40.152
port = 18080
user = olk
catalog = clickhouse223
schema = tsg_galaxy_v3
-[clickhouse]
+
+[clickhouse-xj]
host = 10.111.200.170
port = 9001
user = default
password = ceiec2019
+[clickhouse-yd]
+host = 10.111.136.110
+port = 9001
+user = default
+password = ceiec2019
+
[openlookeng]
host = 10.111.201.1
port = 8090
user = olk
-catalog = clickhouselt
+catalog = clickhouseyd
schema = tsg_galaxy_v3
[run]
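Review bot: The `password =` lines for `[clickhouse-xj]` and the newly added `[clickhouse-yd]` commit live database credentials and internal host addresses to the repository in plaintext, where they stay in history even if removed later. A committed template with a placeholder such as `password = <set locally>`, with the real value read from an environment variable or an untracked local file, would avoid this; the values already committed should be treated as exposed and rotated. Separately, the new side of this hunk defines `[openlookeng]` twice. If src/run.py reads the file with a default `configparser.ConfigParser()` (the parser setup is not visible here), strict mode raises `DuplicateSectionError`, so the second block needs a distinct name, for example `[openlookeng-yd]`.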
diff --git a/src/convert_sql.py b/src/convert_sql.py
index e730642..dc61ccb 100644
--- a/src/convert_sql.py
+++ b/src/convert_sql.py
@@ -18,6 +18,64 @@ def txt_to_json():
+def change_sql_ckdb(origin_sql):
+
+ changed_sql = origin_sql.replace('toUnixTimestamp($time1)','ckdb.function.toUnixTimestamp($time1)')
+ changed_sql = changed_sql.replace('toUnixTimestamp($time2)','ckdb.function.toUnixTimestamp($time2)')
+ changed_sql = changed_sql.replace('toDateTime(common_recv_time) AS common_recv_time',"ckdb.function.toDateTime(common_recv_time)")
+ changed_sql = changed_sql.replace("notEmpty(http_url)","length(http_url)!= 0")
+ changed_sql = changed_sql.replace("notEmpty(http_domain)","length(http_domain)!= 0")
+ changed_sql = changed_sql.replace("notEmpty(common_l7_protocol)","length(common_l7_protocol)!= 0")
+ changed_sql = changed_sql.replace("notEmpty(common_server_ip)","length(common_server_ip)!= 0")
+ changed_sql = changed_sql.replace("notEmpty(http_domain)","length(http_domain)!= 0")
+ changed_sql = changed_sql.replace("notEmpty(common_subscriber_id)","length(common_subscriber_id)!= 0")
+ #changed_sql = changed_sql.replace("toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE)))","floor(common_recv_time/300) * 300")
+ changed_sql = changed_sql.replace("toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 5 MINUTE)))","cast(common_recv_time/300 as int) * 300")
+ changed_sql = changed_sql.replace("`","\"")
+ changed_sql = changed_sql.replace("toDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))),300)*300)","ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300)")
+ changed_sql = changed_sql.replace("toDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))),3600)*3600)","ckdb.function.toDateTime(cast(common_recv_time/3600 as int) * 3600)")
+ changed_sql = changed_sql.replace("ORDER BY toDateTime(common_recv_time)","ORDER BY common_recv_time")
+ changed_sql = changed_sql.replace("common_recv_time >= toDateTime($time1) AND common_recv_time < toDateTime($time2)","common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2)")
+ changed_sql = changed_sql.replace("toDateTime(toUnixTimestamp(toDateTime(toStartOfInterval(toDateTime(common_recv_time),INTERVAL 30 SECOND))))","ckdb.function.toDateTime(cast(common_recv_time/30 as int) * 30)")
+ changed_sql = changed_sql.replace("toDateTime(cast(common_recv_time/300 as int) * 300)","ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300)")
+ changed_sql = changed_sql.replace("toDateTime(intDiv(toUInt32(toDateTime(toDateTime(common_recv_time))), 3600)*3600)","ckdb.function.toDateTime(cast(common_recv_time/3600 as int) * 3600)")
+ changed_sql = changed_sql.replace("toDateTime(common_recv_time)","ckdb.function.toDateTime(common_recv_time)")
+ changed_sql = changed_sql.replace("toDateTime($time2)","ckdb.function.toUnixTimestamp($time2)")
+ changed_sql = changed_sql.replace("toDateTime($time1)","ckdb.function.toUnixTimestamp($time1)")
+ changed_sql = changed_sql.replace("uniq(","approx_distinct(")
+ changed_sql = changed_sql.replace("group by \"URI\"","group by http_url")
+ changed_sql = changed_sql.replace("GROUP BY \"URL\" LIMIT 1048576","GROUP BY http_url LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Http URL\" LIMIT 1048576","GROUP BY http_url LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Domain\" LIMIT 1048576","GROUP BY http_domain LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Http.Domain\" LIMIT 1048576","GROUP BY http_domain LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY stat_time ORDER BY","GROUP BY ckdb.function.toDateTime(cast(common_recv_time/30 as int) * 30) ORDER BY")
+ changed_sql = changed_sql.replace("GROUP BY \"Server Port\" LIMIT 1048576","GROUP BY common_server_port LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY stat_time","GROUP BY ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300)")
+ changed_sql = changed_sql.replace("GROUP BY \"Client IP\", \"SSL.SNI\" LIMIT 1048576","GROUP BY common_client_ip, ssl_sni LIMIT 1048576")
+ #changed_sql = changed_sql.replace("GROUP BY stat_time ORDER BY stat_time ASC LIMIT 10000","GROUP BY from_unixtime(cast(common_recv_time/30 as int) * 30,'UTC+8') ORDER BY stat_time ASC LIMIT 10000")
+ changed_sql = changed_sql.replace("GROUP BY \"Sled IP\", \"Internal IP\" LIMIT 1048576","GROUP BY common_sled_ip, common_internal_ip LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Server ASN\", \"Client ASN\" LIMIT 1048576","GROUP BY common_server_asn, common_client_asn LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"device_id\" ORDER BY \"Bytes\" DESC LIMIT 1048576","GROUP BY common_device_id ORDER BY \"Bytes\" DESC LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Http.Domain\" ORDER BY \"Client IP\" DESC LIMIT 1048576","GROUP BY http_domain ORDER BY \"Client IP\" DESC LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Sled IP\", \"External IP\", \"Internal IP\" LIMIT 1048576","GROUP BY common_sled_ip, common_external_ip ,common_internal_ip LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Http.Domain\", \"Subscriber ID\" ORDER BY \"Sessions\" DESC LIMIT 1048576","GROUP BY http_domain, common_subscriber_id ORDER BY \"Sessions\" DESC LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"source\" ORDER BY \"Sessions\" DESC LIMIT 1048576)","GROUP BY coalesce(nullif(common_subscriber_id, ''), nullif(common_client_ip, '')) ORDER BY \"Sessions\" DESC LIMIT 1048576)")
+ changed_sql = changed_sql.replace("GROUP BY \"destination\" ORDER BY \"Sessions\" DESC LIMIT 1048576)","GROUP BY coalesce(nullif(http_domain, ''), nullif(common_server_ip, '')) ORDER BY \"Sessions\" DESC LIMIT 1048576)")
+ changed_sql = changed_sql.replace("GROUP BY \"server_ip\" ORDER BY \"Bytes\" desc )","GROUP BY common_server_ip ORDER BY \"Bytes\" desc )")
+ changed_sql = changed_sql.replace("LIMIT 0,30","LIMIT 30")
+ changed_sql = changed_sql.replace("GROUP BY \"domain\" ORDER BY \"Bytes\" desc","GROUP BY http_domain ORDER BY \"Bytes\" desc")
+ changed_sql = changed_sql.replace("GROUP BY \"Server IP\" , \"Http.Domain\" ORDER BY \"Bytes\" desc LIMIT 1048576","GROUP BY common_server_ip , http_domain ORDER BY \"Bytes\" desc LIMIT 1048576")
+ changed_sql = changed_sql.replace("GROUP BY \"Client IP\", \"Http.Domain\" ORDER BY \"Sessions\" DESC LIMIT 1048576)","GROUP BY common_client_ip, http_domain ORDER BY \"Sessions\" DESC LIMIT 1048576)")
+ changed_sql = changed_sql.replace("GROUP BY \"Receive Time\", \"Device ID\" LIMIT 10000","GROUP BY cast(common_recv_time/300 as int) * 300,common_device_id LIMIT 10000")
+ changed_sql = changed_sql.replace("GROUP BY \"Receive Time\"","GROUP BY cast(common_recv_time/300 as int) * 300")
+
+ #changed_sql = changed_sql.replace("","")
+
+ return changed_sql
+
+ return changed_sql
+
+
def change_sql(origin_sql):
changed_sql = origin_sql.replace('toUnixTimestamp($time1)','to_unixtime(timestamp $time1)')
changed_sql = changed_sql.replace('toUnixTimestamp($time2)','to_unixtime(timestamp $time2)')
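Review bot: Several rules in `change_sql_ckdb` re-match the output of earlier rules. The generic `"toDateTime(common_recv_time)"` rule runs after the `... AS common_recv_time` rule has already emitted the prefixed form, and the `"toDateTime(cast(common_recv_time/300 as int) * 300)"` rule runs after the `intDiv(...,300)*300` rule, so affected queries would come out as `ckdb.function.ckdb.function.toDateTime(...)`. Whether the input set triggers this is not visible here, but a guard just before the return, `changed_sql = changed_sql.replace("ckdb.function.ckdb.function.", "ckdb.function.")`, would make the chain safe to extend. The second `return changed_sql` is unreachable and the `notEmpty(http_domain)` rule appears twice, so both duplicates can be dropped. A short docstring stating that the rules are applied in order and that longer patterns must precede the generic ones would help the next person who adds a rule.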
@@ -78,9 +136,9 @@ def ch_to_ol():
all = json.loads(content)
olsql = {}
for k,v in all.items():
- olsql[k] = change_sql(v)
+ olsql[k] = change_sql_ckdb(v)
- with open("./auto-ol.json","w") as file:
+ with open("./ckdb-ol.json","w") as file:
file.write(json.dumps(olsql))
ch_to_ol() \ No newline at end of file
diff --git a/src/openlookeng_driver.py b/src/openlookeng_driver.py
index 67d2f6f..21da193 100644
--- a/src/openlookeng_driver.py
+++ b/src/openlookeng_driver.py
@@ -1,5 +1,6 @@
# -*- coding: utf-8 -*-
import requests,json,time,math,re,logging
+from datetime import datetime
from requests_toolbelt import MultipartEncoder
class Result:
@@ -125,19 +126,21 @@ class WebResult:
timeout = 5
else:
timeout = int(timeout)
- use_time = 0
+ elapsed = 0
+ started_at = datetime.now()
interval = 0.5
while True:
result = self.__get_result_immediately()
if result is not None:
self.result = result
return result
- if use_time > timeout:
+ if elapsed > timeout:
break
- use_time += interval
+ now = datetime.now()
+ elapsed = (now - started_at).total_seconds()
time.sleep(interval)
- interval = math.ceil(use_time/10)
- raise Exception("Timeout {} > {}".format(use_time,timeout))
+ interval = math.ceil(elapsed/10)
+ raise Exception("Timeout {} > {}".format(elapsed,timeout))
def get_used_time(self,timeout = None):
self.get_result(timeout)
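Review bot: The elapsed time in the polling loop is taken from `datetime.now()`, which is wall-clock time and shifts with NTP or manual clock changes, so the timeout can fire early or late during a benchmark run. `time` is already imported, so `started_at = time.monotonic()` and `elapsed = time.monotonic() - started_at` would do the same job without the new `datetime` import. Separately, `interval = math.ceil(elapsed/10)` keeps growing with the wait, so the last sleep can run well past `timeout`; capping it, for example `time.sleep(min(interval, max(timeout - elapsed, 0.5)))`, would bound the overshoot. The enclosing method starts above this hunk.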
diff --git a/src/run.py b/src/run.py
index 180af09..3065cda 100644
--- a/src/run.py
+++ b/src/run.py
@@ -2,7 +2,7 @@
import clickhouse_driver
import openlookeng_driver
import json,time,logging,sys,os
-import configparser
+import configparser,shutil
from sql_filter import *
olconfig = {}
chconfig = {}
@@ -21,6 +21,16 @@ def execute_sql(client,sql):
ans = client.execute(sql)
end = time.time()
return end-start
+
+def wc_l(filename):
+ try:
+ with open(filename,"r") as file:
+ content = file.readlines()
+ os.remove(filename)
+ return len(content)
+ except Exception as e:
+ return 0
+
def get_current_time():
return time.strftime("%Y-%m-%d-%H-%M-%S", time.localtime())
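Review bot: `wc_l` reads like a read-only line counter but also deletes the file with `os.remove(filename)`, and its `except Exception` returns 0, which a caller cannot tell apart from an empty result. The failure branch of the caller already uses -1 as the error marker, so `except OSError: return -1` would keep the two cases distinct and stop unrelated errors from being swallowed. Counting with `return sum(1 for _ in file)` avoids loading a large CSV into memory through `readlines()`. The deletion would be easier to follow if it lived in the caller or were stated in a docstring such as `"""Return the number of lines in filename, then delete the file."""`. If the downloaded CSV carries a header row, the count is presumably one higher than the number of data rows, which is worth confirming.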
@@ -82,50 +92,92 @@ def run_olk(test_sql,now_time = '2021'):
try:
web_result = client.web_execute(run_sql)
used_time = float(web_result.get_used_time(sql_timeout)) # second
- #web_result.download_csv(run_loc + "../log/" + now_time + "/" + str(k)+".csv")
web_result.download_csv("{}../log/{}/{}.csv".format(run_loc,now_time,str(k)))
total_time += used_time
result['used_time'] = used_time
- result['data_num'] = 0
+ result['data_num'] = wc_l("{}../log/{}/{}.csv".format(run_loc,now_time,str(k)))
suc_num += 1
print("running {} success , {}√,{}×".format(k,suc_num,fail_num))
except Exception as e:
result['used_time'] = -1
- result['data_num'] = 0
+ result['data_num'] = -1
result['info'] = str(e)
fail_num += 1
print("running {} failed , {}√,{}× {}".format(k,suc_num,fail_num,result['info'].replace('\n','')[:40]))
results[k] = result
try:
- file = open(run_loc + "../log/ol-" + now_time + ".json",'w')
- file.write(json.dumps(results))
- file.close()
+ with open(run_loc + "../log/ol-" + now_time + ".json",'w') as file:
+ file.write(json.dumps(results))
+ with open(run_loc + "../log/ol-result.log","a+") as file:
+ file.write("{} {} success num: {} failed num: {} \n".format(k,now_time,suc_num,fail_num))
except Exception as e:
- print("error",e)
+ print(e)
+ path = "{}../log/{}".format(run_loc,now_time)
+ if os.path.exists(path):
+ shutil.rmtree(path)
+ time.sleep(10)
+
+def run_explain(test_sql,now_time = '2021'):
+ client = openlookeng_driver.Client(host=olconfig['host'],port=int(olconfig['port']),user=olconfig['user'],catalog=olconfig['catalog'],schema=olconfig['schema'])
+ results = {}
+ total_time = 0
+ suc_num,fail_num = 0,0
+ os.mkdir(run_loc + "../log/" + now_time)
+ for k,v in test_sql.items():
+ result = {}
+ ## add explain
+ run_sql = "explain " + change_sql('ol',v)
+ result['sql'] = run_sql
try:
- with open(run_loc + "../log/ol-result.log","a+") as file:
+ web_result = client.web_execute(run_sql)
+ used_time = float(web_result.get_used_time(sql_timeout)) # second
+ web_result.download_csv("{}../log/{}/{}.csv".format(run_loc,now_time,str(k)))
+ total_time += used_time
+ result['used_time'] = used_time
+ suc_num += 1
+ print("running explain {} success , {}√,{}×".format(k,suc_num,fail_num))
+ except Exception as e:
+ result['used_time'] = -1
+ result['data_num'] = -1
+ result['info'] = str(e)
+ fail_num += 1
+ print("running explain {} failed , {}√,{}× {}".format(k,suc_num,fail_num,result['info'].replace('\n','')[:40]))
+ results[k] = result
+ try:
+ with open(run_loc + "../log/explain-" + now_time + ".json",'w') as file:
+ file.write(json.dumps(results))
+ with open(run_loc + "../log/explain-result.log","a+") as file:
file.write("{} {} success num: {} failed num: {} \n".format(k,now_time,suc_num,fail_num))
except Exception as e:
print(e)
time.sleep(10)
+
def ch_poc():
with open(run_loc + "poc-ch.json",'r') as file:
now_time = get_current_time()
poc = json.loads(file.read())
# temp solve datetime error issue
if (datetime_flag):
- poc = test_exclude_toDateTime('ch',poc)
+ poc = no_exclude('ch',poc)
run_ch(poc,now_time)
def ol_poc():
- with open(run_loc + "auto-ol.json",'r') as file:
+ with open(run_loc + "ckdb-ol.json",'r') as file:
now_time = get_current_time()
poc = json.loads(file.read())
if (datetime_flag):
- poc = test_exclude_toDateTime('ol',poc)
+ poc = no_exclude('ol',poc)
run_olk(poc,now_time)
+def explain_poc():
+ with open(run_loc + "ckdb-ol.json",'r') as file:
+ now_time = get_current_time()
+ poc = json.loads(file.read())
+ if (datetime_flag):
+ poc = no_exclude('e',poc)
+ run_explain(poc,now_time)
+
def read_conf():
global time1,time2,sql_timeout,olconfig,chconfig,run_loc,datetime_flag
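Review bot: In the new `run_explain`, the success branch never sets `result['data_num']` while the failure branch sets it to -1, so entries in `explain-*.json` have different keys depending on outcome. Anything that reads `data_num` from every entry will fail on the successful ones, so set the key explicitly on success as well, for example `result['data_num'] = 0`. The function is otherwise a near copy of `run_olk` with an `"explain "` prefix and different log names, so a shared helper taking the prefix and log stem would stop the two loops drifting apart. It also leaves the `log/<now_time>` directory in place where `run_olk` removes it, which is presumably intended so the explain CSVs reach `log.tgz`, but a one-line comment saying so would help. Finally, with `no_exclude` substituted in all three `*_poc` functions, the `datetime_flag` branch appears to have no effect and the `# temp solve datetime error issue` comment is stale.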
@@ -140,8 +192,8 @@ def read_conf():
sql_timeout = config.get("run","time_out") # default 900s 15min
- ch_sector = "clickhouse-local"
- ol_sector = "openlookeng-local"
+ ch_sector = "clickhouse"
+ ol_sector = "openlookeng"
chconfig['host'] = config.get(ch_sector,"host")
chconfig['port'] = str(config.get(ch_sector,"port"))
@@ -163,10 +215,14 @@ if __name__ == "__main__":
if sys.argv[1] == 'ch':
print("run ch")
ch_poc()
- else:
+ elif sys.argv[1] == 'ol':
print("run ol")
ol_poc()
-
+ elif sys.argv[1] == 'explain':
+ print("run explain")
+ explain_poc()
+ else:
+ print("error")
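Review bot: The new fallback branch prints `error` and lets the script exit with status 0, so a mistyped mode looks like a successful run to `run.sh`, which goes on to archive the logs. Exiting non-zero with the offending value makes the failure visible, for example `sys.exit("unknown mode: {}".format(sys.argv[1]))`. The `if __name__ == "__main__":` block begins above this hunk, so whether `sys.argv` is length-checked before `sys.argv[1]` is read cannot be seen here.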
diff --git a/src/sql_filter.py b/src/sql_filter.py
index d861ac7..ece21bf 100644
--- a/src/sql_filter.py
+++ b/src/sql_filter.py
@@ -13,6 +13,17 @@ def exclude_toDateTime(mode,sql):
return sql
+
+def explain_test(sql1):
+ run_keys = ['Q1','Q2','Q3','Q4','Q5','Q6','Q7','Q8','Q9','Q10']
+ sql = {}
+ for key in run_keys:
+ sql[key] = sql1[key]
+ return sql
+
+
+def no_exclude(mode,sql1):
+ return sql1
def test_exclude_toDateTime(mode,sql1):
run_keys = ['Q1', 'Q2', 'Q3', 'Q4', 'Q5', 'Q6',
'Q7', 'Q8', 'Q9', 'Q10', 'Q11', 'Q12', 'Q13',