Help Center/ Log Tank Service/ User Guide/ Log Visualization/ Visualizing Logs in Dashboards/ Dashboard Templates (SQL Analysis)/ VPC Dashboard Templates

Updated on 2026-02-11 GMT+08:00

View PDF

VPC Dashboard Templates

A VPC is an isolated and private virtual network environment. You can configure the IP address ranges, subnets, and security groups, assign EIPs, and allocate bandwidth for a VPC. VPC flow logs capture information about traffic going to and from your VPC. These logs help you monitor network traffic, analyze network attacks, and validate and optimize your security group and Access Control List (ACL) rules.

LTS provides a one-stop wizard to collect VPC logs. It also enables structuring and offers a dashboard for VPC logs. The VPC Flow Logs dashboard displays the total actions, total accepted bytes/packets, total rejected bytes/packets, action source distribution, number of actions per minute, action result distribution, flow log records distribution by status, carrier distribution of action sources, top 5 sources/destinations by bytes, packets per minute by protocol, and ENIs per protocol.

Prerequisites

Logs have been structured. For details, see Setting Cloud Structuring Parsing.

Viewing VPC Flow Logs

Log in to the management console and choose Management & Deployment > Log Tank Service.
In the navigation pane, choose Log Management.
In the Log Applications area, click VPC Flow Log Center and choose Access Dashboard.

Choose VPC Dashboard Templates under Dashboard Templates and click VPC Flow Logs to view the detailed charts.

Total Actions. The associated query and analysis statement is:

select CASE WHEN total_actions < 1000 THEN concat(cast( total_actions AS VARCHAR), '') WHEN total_actions < 1000 * 1000 THEN concat(cast(round(total_actions / 1000.0, 2) AS VARCHAR),' thousand') WHEN total_actions < 1000000000 THEN concat(cast(round(total_actions / 1000000.0, 2) AS VARCHAR),' million') WHEN total_actions / 1000.0 < 1000000000 THEN concat(cast(round(total_actions / 1000 / 1000000.0, 1) AS VARCHAR),' billion') ELSE concat(cast(round(total_actions / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),' trillion') END AS "total_actions" from (select count(1) as total_actions where log_status='OK' and version=1)

Total Accepted Bytes. The associated query and analysis statement is:

select CASE WHEN accept_bytes < 1024 THEN concat(cast( accept_bytes AS VARCHAR), 'B') WHEN accept_bytes < 1024 * 1024 THEN concat(cast(round(accept_bytes / 1024, 2) AS VARCHAR),'KB') WHEN accept_bytes < 1000000000 THEN concat(cast(round(accept_bytes /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN accept_bytes / 1000.0 < 1000000000 THEN concat(cast(round(accept_bytes / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(accept_bytes / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "accept_bytes" from (select sum(bytes) as accept_bytes where log_status='OK' and version=1 and action='ACCEPT')

Total Accepted Packets. The associated query and analysis statement is:

select CASE WHEN accept_packets < 1024 THEN concat(cast( accept_packets AS VARCHAR), 'B') WHEN accept_packets < 1024 * 1024 THEN concat(cast(round(accept_packets / 1024, 2) AS VARCHAR),'KB') WHEN accept_packets < 1000000000 THEN concat(cast(round(accept_packets /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN accept_packets / 1000.0 < 1000000000 THEN concat(cast(round(accept_packets / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(accept_packets / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "accept_packets" from (select sum(packets) as accept_packets where log_status='OK' and version=1 and action='ACCEPT')

Total Rejected Bytes. The associated query and analysis statement is:

select CASE WHEN reject_bytes < 1024 THEN concat(cast( reject_bytes AS VARCHAR), 'B') WHEN reject_bytes < 1024 * 1024 THEN concat(cast(round(reject_bytes / 1024, 2) AS VARCHAR),'KB') WHEN reject_bytes < 1000000000 THEN concat(cast(round(reject_bytes /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN reject_bytes / 1000.0 < 1000000000 THEN concat(cast(round(reject_bytes / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(reject_bytes / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "reject_bytes" from (select sum(bytes) as reject_bytes where log_status='OK' and version=1 and action='REJECT')

Total Rejected Packets. The associated query and analysis statement is:

select CASE WHEN reject_packets < 1024 THEN concat(cast( reject_packets AS VARCHAR), 'B') WHEN reject_packets < 1024 * 1024 THEN concat(cast(round(reject_packets / 1024, 2) AS VARCHAR),'KB') WHEN reject_packets < 1000000000 THEN concat(cast(round(reject_packets /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN reject_packets / 1000.0 < 1000000000 THEN concat(cast(round(reject_packets / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(reject_packets / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "reject_packets" from (select sum(packets) as reject_packets where log_status='OK' and version=1 and action='REJECT')

Action Sources. The associated query and analysis statement is:

select IP_TO_PROVINCE(srcaddr) as province, count(1) as total_actions where IP_TO_COUNTRY (srcaddr) = 'China'  group by province HAVING province not in ('','Reserved address','*')

Actions/Min. The associated query and analysis statement is:

select TIME_FORMAT(date_trunc('minute', MILLIS_TO_TIMESTAMP("start" * 1000)),'MM-dd HH:mm') as "t", "action", count(1) as "total_actions" where log_status='OK' and version=1 group by "t", "action" order by t asc limit 1000

Action Results. The associated query and analysis statement is:

select action, count(1) as total_actions where log_status='OK' and version=1 group by action

Flow Log Records By Status. The associated query and analysis statement is:

select log_status, count(1) as total_actions where version=1 group by log_status

Carriers of Action Source. The associated query and analysis statement is:

select ip_to_provider(srcaddr) as src_addr_provider, count(1) as total_actions where log_status='OK' and version=1 group by src_addr_provider order by total_actions desc limit 5

Top 5 Sources by Bytes. The associated query and analysis statement is:

select ip_to_provider(srcaddr) as src_addr_provider, count(1) as total_actions where log_status='OK' and version=1 group by src_addr_provider order by total_actions desc limit 5

Top 5 Destinations by Bytes. The associated query and analysis statement is:

select dstaddr, sum(bytes) as total_bytes where log_status='OK' and version=1 group by dstaddr order by total_bytes desc limit 5

Top 5 Destination Ports by Packets. The associated query and analysis statement is:

select dstport, sum(packets) as total_packets where log_status='OK' and version=1 group by dstport order by total_packets desc limit 5

Packets/Min by Protocol. The associated query and analysis statement is:

select TIME_FORMAT(date_trunc('minute', MILLIS_TO_TIMESTAMP("start" * 1000)),'MM-dd HH:mm') as t, protocol, sum(packets) as total_packets where log_status='OK' and version=1 group by t, protocol order by t asc limit 1000

ENIs. The associated query and analysis statement is:

select interface_id as "ID", sum(packets) as 'Data Packets', sum(bytes) as 'Data Packet Size' where log_status='OK' and version=1 group by "ID"

Parent topic: Dashboard Templates (SQL Analysis)

Previous topic: Nginx Dashboard Templates

Next topic: WAF Dashboard Templates

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel