{
    "pre": "use tsg_galaxy_v3",
    "Q1": "SELECT count(1) from connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2)",
    "Q2": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) LIMIT 30",
    "Q3": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30",
    "Q4": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time asc LIMIT 30",
    "Q5": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
    "Q6": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30",
    "Q7": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_internal_ip='223.116.37.192' ORDER BY common_recv_time DESC LIMIT 30",
    "Q8": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
    "Q9": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_external_ip='111.10.53.14' ORDER BY common_recv_time DESC LIMIT 30",
    "Q10": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_port=52607 ORDER BY common_recv_time DESC LIMIT 30",
    "Q11": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
    "Q12": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_c2s_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
    "Q13": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_s2c_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
    "Q14": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_c2s_byte_num>100 ORDER BY common_recv_time DESC LIMIT 30",
    "Q15": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_s2c_byte_num<200 ORDER BY common_recv_time DESC LIMIT 30",
    "Q16": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_schema_type='DNS' ORDER BY common_recv_time DESC LIMIT 30",
    "Q17": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_establish_latency_ms>200 ORDER BY common_recv_time DESC LIMIT 30",
    "Q18": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_con_duration_ms>10000 ORDER BY common_recv_time DESC LIMIT 30",
    "Q19": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
    "Q20": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_tcp_client_isn=2857077935 ORDER BY common_recv_time DESC LIMIT 30",
    "Q21": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_tcp_server_isn=0 ORDER BY common_recv_time DESC LIMIT 30",
    "Q22": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
    "Q23": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND mail_account='abc@xx.com' ORDER BY common_recv_time DESC LIMIT 30",
    "Q24": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND mail_subject='test' ORDER BY common_recv_time DESC LIMIT 30",
    "Q25": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND dns_qname='qbwup.imtt.qq.com' ORDER BY common_recv_time DESC LIMIT 30",
    "Q26": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
    "Q27": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_con_latency_ms>100 ORDER BY common_recv_time DESC LIMIT 30",
    "Q28": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ORDER BY common_recv_time DESC LIMIT 30",
    "Q29": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
    "Q30": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='111.10.53.14' and common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
    "Q31": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND mail_account like 'abc@%' ORDER BY common_recv_time DESC LIMIT 30",
    "Q32": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30",
    "Q33": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
    "Q34": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30",
    "Q35": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_port not in (80,443) ORDER BY common_recv_time DESC LIMIT 30",
    "Q36": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30",
    "Q37": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
    "Q38": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
    "Q39": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30",
    "Q40": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_internal_ip='223.116.37.192' ORDER BY common_recv_time DESC LIMIT 30",
    "Q41": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
    "Q42": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_external_ip='111.10.53.14' ORDER BY common_recv_time DESC LIMIT 30",
    "Q43": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_port=52607 ORDER BY common_recv_time DESC LIMIT 30",
    "Q44": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
    "Q45": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_c2s_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
    "Q46": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_s2c_pkt_num>5 ORDER BY common_recv_time DESC LIMIT 30",
    "Q47": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_c2s_byte_num>100 ORDER BY common_recv_time DESC LIMIT 30",
    "Q48": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_s2c_byte_num<200 ORDER BY common_recv_time DESC LIMIT 30",
    "Q49": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_schema_type='DNS' ORDER BY common_recv_time DESC LIMIT 30",
    "Q50": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_establish_latency_ms>200 ORDER BY common_recv_time DESC LIMIT 30",
    "Q51": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_con_duration_ms>10000 ORDER BY common_recv_time DESC LIMIT 30",
    "Q52": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30",
    "Q53": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_tcp_client_isn=2857077935 ORDER BY common_recv_time DESC LIMIT 30",
    "Q54": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_tcp_server_isn=0 ORDER BY common_recv_time DESC LIMIT 30",
    "Q55": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
    "Q56": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND mail_account='abc@xx.com' ORDER BY common_recv_time DESC LIMIT 30",
    "Q57": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND mail_subject='test' ORDER BY common_recv_time DESC LIMIT 30",
    "Q58": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND dns_qname='qbwup.imtt.qq.com' ORDER BY common_recv_time DESC LIMIT 30",
    "Q59": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
    "Q60": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_con_latency_ms>100 ORDER BY common_recv_time DESC LIMIT 30",
    "Q61": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ORDER BY common_recv_time DESC LIMIT 30",
    "Q62": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30",
    "Q63": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='111.10.53.14' and common_server_port=443 ORDER BY common_recv_time DESC LIMIT 30",
    "Q64": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND mail_account like 'abc@%' ORDER BY common_recv_time DESC LIMIT 30",
    "Q65": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30",
    "Q66": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30",
    "Q67": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30",
    "Q68": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_port not in (80,443) ORDER BY common_recv_time DESC LIMIT 30",
    "Q69": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30",
    "Q70": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30",
    "Q71": "SELECT * FROM connection_record_log AS connection_record_log WHERE ckdb.function.toDateTime(common_recv_time) IN ( SELECT ckdb.function.toDateTime(common_recv_time) FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30",
    "Q72": "SELECT  * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30",
    "Q73": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE ckdb.function.toDateTime(common_recv_time) IN ( SELECT ckdb.function.toDateTime(common_recv_time) FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30",
    "Q74": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( select common_log_id FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2)) ORDER BY common_recv_time DESC LIMIT 30",
    "Q75": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q76": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q77": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q78": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q79": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q80": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q81": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q82": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q83": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q84": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q85": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q86": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q87": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q88": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q89": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q90": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q91": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q92": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q93": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q94": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q95": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q96": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q97": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q98": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q99": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q100": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q101": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q102": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q103": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q104": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q105": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q106": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q107": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q108": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q109": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q110": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q111": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q112": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q113": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q114": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q115": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q116": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q117": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q118": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q119": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q120": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q121": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q122": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q123": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q124": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q125": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q126": "SELECT ckdb.function.toDateTime(common_recv_time) , common_log_id , common_client_ip , common_client_port , common_server_ip , common_server_port FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( Select common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time DESC LIMIT 30",
    "Q127": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
    "Q128": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q129": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q130": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q131": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
    "Q132": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q133": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q134": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q135": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q136": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q137": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
    "Q138": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time desc LIMIT 30",
    "Q139": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_client_ip AS connection_record_log_common_client_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time DESC LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q140": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
    "Q141": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q142": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q143": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q144": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
    "Q145": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q146": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q147": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q148": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q149": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q150": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
    "Q151": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time desc LIMIT 30",
    "Q152": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_server_ip AS connection_record_log_common_server_ip WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q153": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
    "Q154": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q155": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q156": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q157": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
    "Q158": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q159": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q160": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q161": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q162": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q163": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
    "Q164": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time desc LIMIT 30",
    "Q165": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_http_domain AS connection_record_log_http_domain WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q166": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_log_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
    "Q167": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip='36.189.226.21' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q168": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_server_ip='8.8.8.8' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q169": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_sled_ip='%192.168%' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q170": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_stream_trace_id=1153021139190754263 ) ORDER BY common_recv_time desc LIMIT 30",
    "Q171": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain='microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q172": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni='note.youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q173": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_subscriber_id='%test%' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q174": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain like '%baidu.com%' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q175": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND ssl_sni like '%youdao.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q176": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) ORDER BY common_recv_time desc LIMIT 30",
    "Q177": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 ) ORDER BY common_recv_time desc LIMIT 30",
    "Q178": "SELECT * FROM connection_record_log AS connection_record_log WHERE common_log_id IN ( SELECT common_log_id FROM connection_record_log_common_subscriber_id AS connection_record_log_common_subscriber_id WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ORDER BY common_recv_time LIMIT 30 ) AND ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain not like '%microsoft.com' ) ORDER BY common_recv_time desc LIMIT 30",
    "Q179": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", count(common_log_id) AS \"logs\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q180": "SELECT ckdb.function.toDateTime(cast(common_recv_time/30 as int) * 30) AS stat_time, sum(common_c2s_byte_num) AS bytes_sent, sum(common_s2c_byte_num) AS bytes_received, sum(common_c2s_byte_num + common_s2c_byte_num) AS bytes, sum(common_c2s_pkt_num + common_s2c_pkt_num) AS packets, sum(common_sessions) AS sessions FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) GROUP BY ckdb.function.toDateTime(cast(common_recv_time/30 as int) * 30) ORDER BY stat_time ASC LIMIT 10000",
    "Q181": "SELECT ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300) AS stat_time, common_schema_type AS type, sum(common_sessions) AS sessions, sum(common_c2s_byte_num + common_s2c_byte_num) AS bytes, sum(common_c2s_pkt_num + common_s2c_pkt_num) AS packets FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) GROUP BY ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300), common_schema_type ORDER BY stat_time ASC LIMIT 10000",
    "Q182": "SELECT round(sum(common_s2c_byte_num) * 8 / 300,2) AS trafficInBits, round(sum(common_c2s_byte_num) * 8 / 300,2) AS trafficOutBits, round(sum(common_s2c_byte_num + common_c2s_byte_num) * 8 / 300,2) AS trafficTotalBits, round(sum(common_s2c_pkt_num) / 300,2) AS trafficInPackets, round(sum(common_c2s_pkt_num) / 300,2) AS trafficOutPackets, round(sum(common_s2c_pkt_num + common_c2s_pkt_num) / 300,2) AS trafficTotalPackets, round(sum(common_sessions) / 300,2) AS sessions FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2)",
    "Q183": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", approx_distinct(common_internal_ip) AS \"Unique Internal IP\", approx_distinct(common_external_ip) AS \"Unique External IP\", approx_distinct(common_subscriber_id) AS \"Unique Subscriber ID\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q184": "SELECT 'all' AS type, approx_distinct(common_client_ip) AS client_ips, approx_distinct(common_internal_ip) AS internal_ips, approx_distinct(common_server_ip) AS server_ips, approx_distinct(common_external_ip) AS external_ips, approx_distinct(common_subscriber_id) as subscriber_ids FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) UNION ALL SELECT 'tcp' AS type, approx_distinct(common_client_ip) AS client_ips, approx_distinct(common_internal_ip) AS internal_ips, approx_distinct(common_server_ip) AS server_ips, approx_distinct(common_external_ip) AS external_ips, approx_distinct(common_subscriber_id) as subscriber_ids FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_l4_protocol IN ( 'IPv4_TCP', 'IPv6_TCP' ) UNION ALL SELECT 'UDP' AS type, approx_distinct(common_client_ip) AS client_ips, approx_distinct(common_internal_ip) AS internal_ips, approx_distinct(common_server_ip) AS server_ips, approx_distinct(common_external_ip) AS external_ips, approx_distinct(common_subscriber_id) as subscriber_ids FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND common_l4_protocol IN ( 'IPv4_UDP', 'IPv6_UDP' )",
    "Q185": "SELECT ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300) AS stat_time, (CASE WHEN common_stream_dir = 1 THEN 'c2s' WHEN common_stream_dir = 2 THEN 's2c' WHEN common_stream_dir = 3 THEN 'double' ELSE 'None' END) AS type, sum(common_sessions) AS sessions FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) GROUP BY ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300), common_stream_dir ORDER BY stat_time ASC LIMIT 10000",
    "Q186": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(common_sessions) AS \"Sessions\", sum(if(common_stream_dir <> 3, common_sessions, 0)) AS \"one_side_sessions\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", round(one_side_sessions / sessions, 2) AS one_side_percent FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q187": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(common_c2s_byte_num + common_s2c_byte_num) AS \"Bytes\", sum(common_c2s_tcp_lostlen + common_s2c_tcp_lostlen) AS \"gap_loss_bytes\", round(gap_loss_bytes / bytes, 2) AS gap_loss_percent FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( common_l4_protocol IN ( 'IPv4_TCP', 'IPv6_TCP' ) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q188": "SELECT \"server_ip\" AS \"server_ip\" , SUM(coalesce(\"Bytes\",0)) AS \"Bytes\" , SUM(coalesce(\"bytes_sent\",0)) AS \"Sent\" , SUM(coalesce(\"bytes_received\",0)) AS \"Received\" , SUM(coalesce(\"Sessions\",0)) AS \"Sessions\" FROM ( SELECT SUM(coalesce(common_c2s_byte_num,0)) AS \"bytes_sent\" , SUM(coalesce(common_s2c_byte_num,0)) AS \"bytes_received\" , SUM(common_c2s_byte_num+common_s2c_byte_num) AS \"Bytes\" , SUM(coalesce(common_sessions,0)) AS \"Sessions\" , common_server_ip AS \"server_ip\" FROM connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(common_server_ip)!= 0 ) GROUP BY common_server_ip ORDER BY \"Bytes\" desc ) GROUP BY \"server_ip\" ORDER BY \"Bytes\" desc LIMIT 30",
    "Q189": "SELECT common_client_ip , COUNT(*) AS sessions FROM connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) GROUP BY common_client_ip ORDER BY sessions desc LIMIT 30",
    "Q190": "SELECT \"Server Port\" AS \"Server Port\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_server_port AS \"Server Port\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( common_l4_protocol IN ( 'IPv4_TCP', 'IPv6_TCP' ) ) GROUP BY common_server_port LIMIT 1048576) GROUP BY \"Server Port\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q191": "SELECT \"domain\" AS \"Website Domain\" , SUM(coalesce(\"Bytes\",0)) AS \"Throughput\" FROM ( SELECT SUM(coalesce(common_c2s_byte_num,0)) AS \"bytes_sent\" , SUM(coalesce(common_s2c_byte_num,0)) AS \"bytes_received\" , SUM(coalesce(common_c2s_byte_num+common_s2c_byte_num,0)) AS \"Bytes\" , http_domain AS \"domain\" FROM connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain ORDER BY \"Bytes\" desc ) GROUP BY \"domain\" ORDER BY \"Throughput\" desc LIMIT 30",
    "Q192": "SELECT \"device_id\" AS \"device_id\", sum(coalesce(\"Bytes\", 0)) AS \"Bytes\", sum(coalesce(\"bytes_sent\", 0)) AS \"Sent\", sum(coalesce(\"bytes_received\", 0)) AS \"Received\" FROM (SELECT sum(coalesce(common_c2s_byte_num, 0)) AS \"bytes_sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"bytes_received\", sum(common_c2s_byte_num + common_s2c_byte_num) AS Bytes, common_device_id AS \"device_id\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY common_device_id ORDER BY \"Bytes\" DESC LIMIT 1048576) GROUP BY \"device_id\" ORDER BY \"Bytes\" DESC LIMIT 30",
    "Q193": "SELECT \"Http.Domain\" AS \"Http.Domain\", sum(coalesce(\"Client IP\", 0)) AS \"Client IP\" FROM (SELECT http_domain AS \"Http.Domain\", approx_distinct(common_client_ip) AS \"Client IP\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain ORDER BY \"Client IP\" DESC LIMIT 1048576) GROUP BY \"Http.Domain\" ORDER BY \"Client IP\" DESC LIMIT 30",
    "Q194": "SELECT \"Domain\" AS \"Domain\", avg(coalesce(\"Avg Establish Latency(ms)\", 0)) AS \"Avg Establish Latency(ms)\" FROM (SELECT http_domain AS \"Domain\", avg(coalesce(common_establish_latency_ms, 0)) AS \"Avg Establish Latency(ms)\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Avg Establish Latency(ms)\" DESC LIMIT 100",
    "Q195": "SELECT \"source\" AS \"source\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT coalesce(nullif(common_subscriber_id, ''), nullif(common_client_ip, '')) AS \"source\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY coalesce(nullif(common_subscriber_id, ''), nullif(common_client_ip, '')) ORDER BY \"Sessions\" DESC LIMIT 1048576) GROUP BY \"source\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q196": "SELECT \"destination\" AS \"destination\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT coalesce(nullif(http_domain, ''), nullif(common_server_ip, '')) AS \"destination\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY coalesce(nullif(http_domain, ''), nullif(common_server_ip, '')) ORDER BY \"Sessions\" DESC LIMIT 1048576) GROUP BY \"destination\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q197": "SELECT \"server_location\" AS \"server_location\", sum(coalesce(\"Bytes\", 0)) AS \"Bytes\", sum(coalesce(\"bytes_sent\", 0)) AS \"Sent\", sum(coalesce(\"bytes_received\", 0)) AS \"Received\" FROM (SELECT arrayElement(splitByString(',', common_server_location), length(splitByString(',', common_server_location))) AS \"server_location\", sum(coalesce(common_c2s_byte_num, 0)) AS \"bytes_sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"bytes_received\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY \"server_location\" ORDER BY \"Bytes\" DESC LIMIT 1048576) GROUP BY \"server_location\" ORDER BY \"Bytes\" DESC LIMIT 30",
    "Q198": "SELECT \"Http URL\" AS \"Http URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"Http URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY http_url LIMIT 1048576) GROUP BY \"Http URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q199": "SELECT \"server_ip\" AS \"server_ip\", groupUniqArray(coalesce(\"trans_app\", 0)) AS \"trans_app\", sum(coalesce(\"Bytes\", 0)) AS \"Bytes\", sum(coalesce(\"bytes_sent\", 0)) AS \"Sent\", sum(coalesce(\"bytes_received\", 0)) AS \"Received\" FROM (SELECT sum(coalesce(common_c2s_byte_num, 0)) AS \"bytes_sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"bytes_received\", sum(common_c2s_byte_num + common_s2c_byte_num) AS \"Bytes\", groupUniqArray(concat(common_l4_protocol, '/', toString(common_server_port))) AS \"trans_app\", common_server_ip AS \"server_ip\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(common_server_ip)!= 0 ) GROUP BY \"server_ip\" ORDER BY \"Bytes\" DESC LIMIT 1048576) GROUP BY \"server_ip\" ORDER BY \"Bytes\" DESC LIMIT 30",
    "Q200": "SELECT \"Subscriber ID\" AS \"Subscriber ID\", \"Http.Domain\" AS \"Http.Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Http.Domain\", common_subscriber_id AS \"Subscriber ID\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 AND length(common_subscriber_id)!= 0 ) GROUP BY http_domain, common_subscriber_id ORDER BY \"Sessions\" DESC LIMIT 1048576) GROUP BY \"Subscriber ID\", \"Http.Domain\" ORDER BY \"Sessions\" DESC LIMIT 10000",
    "Q201": "SELECT \"Http.Domain\" AS \"Http.Domain\" , \"Server IP\" AS \"Server IP\" , SUM(coalesce(\"Bytes Sent\",0)) AS \"Bytes Sent\" FROM ( SELECT common_server_ip AS \"Server IP\" , http_domain AS \"Http.Domain\" , SUM(coalesce(common_c2s_byte_num+common_s2c_byte_num,0)) AS \"Bytes\" , SUM(coalesce(common_c2s_byte_num,0)) AS \"Bytes Sent\" , SUM(coalesce(common_s2c_byte_num,0)) AS \"Bytes Received\" FROM connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY common_server_ip , http_domain ORDER BY \"Bytes\" desc LIMIT 1048576 ) GROUP BY \"Http.Domain\" , \"Server IP\" ORDER BY \"Bytes Sent\" desc LIMIT 10000",
    "Q202": "SELECT \"Http.Domain\" AS \"Http.Domain\", \"Client IP\" AS \"Client IP\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_client_ip AS \"Client IP\", http_domain AS \"Http.Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY common_client_ip, http_domain ORDER BY \"Sessions\" DESC LIMIT 1048576) GROUP BY \"Http.Domain\", \"Client IP\" ORDER BY \"Sessions\" DESC LIMIT 10000",
    "Q203": "SELECT ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300) AS _time , http_domain AS Domain, COUNT(DISTINCT(common_client_ip)) AS nums FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 AND http_domain IN ( SELECT http_domain FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 GROUP BY http_domain ORDER BY SUM(common_s2c_byte_num+common_c2s_byte_num) DESC LIMIT 5 ) GROUP BY ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300) , http_domain ORDER BY ckdb.function.toDateTime(cast(common_recv_time/300 as int) * 300) DESC LIMIT 10000",
    "Q204": "SELECT ckdb.function.toDateTime(cast(common_recv_time/3600 as int) * 3600) AS stat_time , http_domain , approx_distinct(common_client_ip) AS nums FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1)-604800 AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND http_domain IN ( SELECT http_domain FROM connection_record_log AS connection_record_log WHERE common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) AND length(http_domain)!= 0 GROUP BY http_domain ORDER BY COUNT(*) desc LIMIT 5 ) group by ckdb.function.toDateTime(cast(common_recv_time/3600 as int) * 3600), http_domain ORDER BY stat_time desc LIMIT 10000",
    "Q205": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", common_device_id AS \"Device ID\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY cast(common_recv_time/300 as int) * 300,common_device_id LIMIT 10000",
    "Q206": "SELECT \"Internal IP\" AS \"Internal IP\", \"Sled IP\" AS \"Sled IP\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_sled_ip AS \"Sled IP\", common_internal_ip AS \"Internal IP\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY common_sled_ip, common_internal_ip LIMIT 1048576) GROUP BY \"Internal IP\", \"Sled IP\" ORDER BY \"Sessions\" DESC LIMIT 10000",
    "Q207": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_log_id=1153021139190754263 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q208": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip='36.189.226.21' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q209": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_internal_ip='223.116.37.192' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q210": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_ip='8.8.8.8' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q211": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_external_ip='111.10.53.14' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q212": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_port=52607 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q213": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_port=443 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q214": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_c2s_pkt_num>5 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q215": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_s2c_pkt_num>5 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q216": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_c2s_byte_num>100 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q217": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_s2c_byte_num<200 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q218": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_schema_type='DNS' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q219": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_establish_latency_ms>200 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q220": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_con_duration_ms>10000 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q221": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_stream_trace_id=1153021139190754263 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q222": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_tcp_client_isn=2857077935 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q223": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_tcp_server_isn=0 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q224": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain='microsoft.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q225": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_account='abc@xx.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q226": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_subject='test' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q227": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND dns_qname='qbwup.imtt.qq.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q228": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_sni='note.youdao.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q229": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_con_latency_ms>100 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q230": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q231": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q232": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_ip='111.10.53.14' and common_server_port=443 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q233": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_account like 'abc@%' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q234": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain like '%baidu.com%' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q235": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_sni like '%youdao.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q236": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q237": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_port not in (80,443) ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q238": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND length(http_domain)!= 0 ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q239": "SELECT cast(common_recv_time/300 as int) * 300 AS \"Receive Time\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes\", sum(coalesce(common_c2s_pkt_num + common_s2c_pkt_num, 0)) AS \"Packets\", sum(coalesce(common_sessions, 0)) AS \"New Sessions\", sum(coalesce(common_c2s_byte_num, 0)) AS \"Bytes Sent\", sum(coalesce(common_s2c_byte_num, 0)) AS \"Bytes Received\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\", sum(coalesce(common_s2c_pkt_num, 0)) AS \"Packets Received\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain not like '%microsoft.com' ) GROUP BY cast(common_recv_time/300 as int) * 300 LIMIT 10000",
    "Q240": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_log_id=1153021139190754263 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q241": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip='36.189.226.21' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q242": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_internal_ip='223.116.37.192' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q243": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_ip='8.8.8.8' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q244": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_external_ip='111.10.53.14' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q245": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_port=52607 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q246": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_port=443 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q247": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_c2s_pkt_num>5 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q248": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_s2c_pkt_num>5 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q249": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_c2s_byte_num>100 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q250": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_s2c_byte_num<200 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q251": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_schema_type='DNS' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q252": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_establish_latency_ms>200 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q253": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_con_duration_ms>10000 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q254": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_stream_trace_id=1153021139190754263 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q255": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_tcp_client_isn=2857077935 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q256": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_tcp_server_isn=0 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q257": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain='microsoft.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q258": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_account='abc@xx.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q259": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_subject='test' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q260": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND dns_qname='qbwup.imtt.qq.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q261": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_sni='note.youdao.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q262": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_con_latency_ms>100 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q263": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q264": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q265": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_ip='111.10.53.14' and common_server_port=443 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q266": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_account like 'abc@%' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q267": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain like '%baidu.com%' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q268": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_sni like '%youdao.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q269": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q270": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_port not in (80,443) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q271": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND length(http_domain)!= 0 ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q272": "SELECT \"Domain\" AS \"Domain\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_domain AS \"Domain\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain not like '%microsoft.com' ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Domain\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q273": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_log_id=1153021139190754263 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q274": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip='36.189.226.21' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q275": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_internal_ip='223.116.37.192' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q276": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_ip='8.8.8.8' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q277": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_external_ip='111.10.53.14' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q278": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_port=52607 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q279": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_port=443 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q280": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_c2s_pkt_num>5 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q281": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_s2c_pkt_num>5 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q282": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_c2s_byte_num>100 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q283": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_s2c_byte_num<200 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q284": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_schema_type='DNS' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q285": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_establish_latency_ms>200 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q286": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_con_duration_ms>10000 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q287": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_stream_trace_id=1153021139190754263 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q288": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_tcp_client_isn=2857077935 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q289": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_tcp_server_isn=0 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q290": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain='microsoft.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q291": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_account='abc@xx.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q292": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_subject='test' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q293": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND dns_qname='qbwup.imtt.qq.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q294": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_sni='note.youdao.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q295": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_con_latency_ms>100 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q296": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_ja3_hash='a0e9f5d64349fb13191bc781f81f42e1' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q297": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip='36.189.226.21' and common_server_ip='8.8.8.8' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q298": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_ip='111.10.53.14' and common_server_port=443 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q299": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND mail_account like 'abc@%' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q300": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain like '%baidu.com%' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q301": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND ssl_sni like '%youdao.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q302": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_client_ip in ('36.189.226.21','111.10.53.14') ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q303": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND common_server_port not in (80,443) ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q304": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND length(http_domain)!= 0 ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q305": "SELECT \"URL\" AS \"URL\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT http_url AS \"URL\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) AND http_domain not like '%microsoft.com' ) AND ( length(http_url)!= 0 ) GROUP BY http_url LIMIT 1048576) GROUP BY \"URL\" ORDER BY \"Sessions\" DESC LIMIT 30",
    "Q306": "SELECT \"Http.Domain\" AS \"Http.Domain\", sum(coalesce(\"Unique Client IP\", 0)) AS \"Unique Client IP\", sum(coalesce(\"Unique Subscriber ID\", 0)) AS \"Unique Subscriber ID\" FROM (SELECT http_domain AS \"Http.Domain\", approx_distinct(common_client_ip) AS \"Unique Client IP\", approx_distinct(common_subscriber_id) AS \"Unique Subscriber ID\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( length(http_domain)!= 0 ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Http.Domain\" ORDER BY \"Unique Client IP\" DESC LIMIT 100",
    "Q307": "SELECT \"Http.Domain\" AS \"Http.Domain\", sum(coalesce(\"Packets Sent\", 0)) AS \"Packets Sent\" FROM (SELECT http_domain AS \"Http.Domain\", sum(coalesce(common_c2s_pkt_num, 0)) AS \"Packets Sent\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY http_domain LIMIT 1048576) GROUP BY \"Http.Domain\" ORDER BY \"Packets Sent\" DESC LIMIT 100",
    "Q308": "SELECT \"Internal IP\" AS \"Internal IP\", \"External IP\" AS \"External IP\", \"Sled IP\" AS \"Sled IP\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_sled_ip AS \"Sled IP\", common_external_ip AS \"External IP\", common_internal_ip AS \"Internal IP\", sum(coalesce(common_c2s_byte_num + common_s2c_byte_num, 0)) AS \"Bytes Sent+Bytes Received\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( common_stream_dir != 3 ) GROUP BY common_sled_ip, common_external_ip ,common_internal_ip LIMIT 1048576) GROUP BY \"Internal IP\", \"External IP\", \"Sled IP\" ORDER BY \"Sessions\" DESC LIMIT 500",
    "Q309": "SELECT \"Client ASN\" AS \"Client ASN\", \"Server ASN\" AS \"Server ASN\", sum(coalesce(\"Sessions\", 0)) AS \"Sessions\" FROM (SELECT common_server_asn AS \"Server ASN\", common_client_asn AS \"Client ASN\", sum(coalesce(common_sessions, 0)) AS \"Sessions\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) AND ( common_stream_dir != 3 ) GROUP BY common_server_asn, common_client_asn LIMIT 1048576) GROUP BY \"Client ASN\", \"Server ASN\" ORDER BY \"Sessions\" DESC LIMIT 500",
    "Q310": "SELECT \"SSL.SNI\" AS \"SSL.SNI\", \"Client IP\" AS \"Client IP\", avg(coalesce(\"Establish Latency(ms)\", 0)) AS \"Establish Latency(ms)\" FROM (SELECT common_client_ip AS \"Client IP\", ssl_sni AS \"SSL.SNI\", avg(coalesce(common_establish_latency_ms, 0)) AS \"Establish Latency(ms)\" FROM connection_record_log AS connection_record_log WHERE ( ( common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) ) ) GROUP BY common_client_ip, ssl_sni LIMIT 1048576) GROUP BY \"SSL.SNI\", \"Client IP\" ORDER BY \"Establish Latency(ms)\" DESC LIMIT 500",
    "Q311": "select  FROM_UNIXTIME(min(common_recv_time)) as \"First Seen\" , FROM_UNIXTIME(max(common_recv_time)) as \"Last Seen\" ,  median(http_response_lantency_ms) as \"Server Processing Time Median(ms)\", count(1) as Responses,any(common_server_location)  as Location from connection_record_log WHERE  common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2)  AND  http_domain='baidu.com'",
    "Q312": "select common_client_ip as \"Client IP\" , avg(common_establish_latency_ms) as \"Establishing Time Mean(ms)\", count(1) as Responses,any(common_client_location) as Location from connection_record_log where  common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2)  and http_domain='baidu.com' group by \"Client IP\" order by Responses desc limit 100",
    "Q313": "select common_server_ip as \"Server IP\" , avg(http_response_lantency_ms) as \"Server Processing Time Mean(ms)\", count(1) as Responses,any(common_server_location) as Location from connection_record_log where common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) and http_domain='baidu.com' group by \"Server IP\" order by Responses desc limit 100",
    "Q314": "select http_url as \"URI\" , avg(http_response_lantency_ms) as \"Server Processing Time Mean(ms)\", count(1) as Responses from connection_record_log where  common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) and http_domain='baidu.com' group by http_url order by Responses desc limit 100",
    "Q315": "select  common_l7_protocol as \"Protocol\" , approx_distinct(common_client_ip) as \"Clients\" , approx_distinct(common_server_ip) as \"Servers\", count(1) as Sessions,sum(common_c2s_byte_num+common_s2c_byte_num)  as bytes from connection_record_log where common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) and length(common_l7_protocol)!= 0  group by common_l7_protocol  order by bytes desc",
    "Q316": "select common_client_ip as \"Client IP\" , count(1) as Sessions,sum(common_c2s_byte_num) as \"Bytes Out\", sum(common_s2c_byte_num) as \"Bytes In\",any(common_client_location) as Location from connection_record_log where common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) and common_l7_protocol='SIP' group by \"Client IP\" order by Sessions desc limit 100",
    "Q317": "select common_server_ip as \"Server IP\" , count(1) as Sessions,sum(common_c2s_byte_num) as \"Bytes Out\", sum(common_s2c_byte_num) as \"Bytes In\",any(common_server_location) as Location from connection_record_log where common_recv_time >= ckdb.function.toUnixTimestamp($time1) AND common_recv_time < ckdb.function.toUnixTimestamp($time2) and common_l7_protocol='SIP' group by \"Server IP\" order by Sessions desc limit 100"
}