Updated on 2026-02-11 GMT+08:00

CCE Dashboard Templates

CCE provides highly scalable, high-performance, enterprise-class Kubernetes clusters.

The CCE dashboard templates are described in the following sections: Viewing CCE Logs: Node Operations, Viewing CCE Logs: Kubernetes Object Operations, Viewing CCE Logs: Kubernetes Event Queries, Viewing CCE Logs: Kubernetes Event Center, Viewing CCE Logs: Aggregation Search, Viewing CCE Logs: Account Operations, and Viewing CCE Log Audit Center.

Prerequisites

Viewing CCE Logs: Node Operations

  1. Log in to the management console and choose Management & Deployment > Log Tank Service.
  2. In the navigation pane, choose Dashboards.
  3. Choose CCE Dashboard Templates under Dashboard Templates and click CCE Logs: Node Operations to view the detailed charts.

    • Filter by node name. The associated query and analysis statement is:
      select distinct("objectRef.name")
    • Filter by user. The associated query and analysis statement is:
      select distinct("user.username")
    • Filter by status code. The associated query and analysis statement is:
      select distinct("responseStatus.code")
    • Filter by operation type. The associated query and analysis statement is:
      select distinct("verb")
    • Node Quantity Trend. The associated query and analysis statement is:
      SELECT  time_series( TIME_PARSE(LEFT(requestReceivedTimestamp, 23),'yyyy-MM-dd''T''HH:mm:ss.SSS'), 'PT1H', 'yyyy-MM-dd HH', '0' ) as "dt",  count(DISTINCT("objectRef.name")) as "Nodes" where "objectRef.resource" = 'nodes'  and "objectRef.subresource" = 'status'  and "verb" in ('update', 'patch') and "user.username" = 'system:node' group by   "dt" order by  "dt" desc limit  10000
    • Non-System User Operation Trend. The associated query and analysis statement is:
      SELECT time_series( TIME_PARSE(LEFT(requestReceivedTimestamp, 23),'yyyy-MM-dd''T''HH:mm:ss.SSS'), 'PT1H', 'yyyy-MM-dd HH', '0' ) as "dt", count(*) as "Requests", "user.username"  where "objectRef.resource" = 'nodes' and "user.username" not in ( 'kube-controller-manager','kube-apiserver-kubelet-client','apiserver') and "user.username" not like  'system:%' and "verb" in ('create','delete','update','patch') group by "dt", "user.username" order by "dt","Requests" desc limit 10000
    • create Codes. The associated query and analysis statement is:
      select cast("responseStatus.code" as varchar) as "Status code", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" = 'create' group by "Status code"
    • delete Codes. The associated query and analysis statement is:
      select cast("responseStatus.code" as varchar) as "Status code", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" = 'delete' group by "Status code"
    • patch Codes. The associated query and analysis statement is:
      select cast("responseStatus.code" as varchar) as "Status code", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" = 'patch' group by "Status code"
    • update Codes. The associated query and analysis statement is:
      select cast("responseStatus.code" as varchar) as "Status code", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" = 'update' group by "Status code"
    • Node Blocking/Unblocking Codes. The associated query and analysis statement is:
      select cast("responseStatus.code" as varchar) as "Status code", count(*)  as "count" where "requestObject" in ('{"spec":{"unschedulable":false}}','{"spec":{"unschedulable":true}}')  group by "Status code"
    • Label Codes. The associated query and analysis statement is:
      select cast("responseStatus.code" as varchar) as "Status code", count(*) as "count" where  "objectRef.resource" = 'nodes' and "verb" in ('patch','update') and "requestObject" = 'labels' and "requestObject" = 'metadata' group by "Status code"
    • Taint Codes. The associated query and analysis statement is:
      select cast("responseStatus.code" as varchar) as "Status code", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" in ('patch','update') and "requestObject" = 'taints' group by "Status code"
    • Eviction Codes. The associated query and analysis statement is:
      select cast("responseStatus.code" as varchar) as "Status code", count(*) as "count" where "objectRef.subresource" = 'eviction' and "objectRef.resource" = 'pods' and "verb" = 'create' group by "Status code"
    • Node Addition/Deletions. The associated query and analysis statement is:
      select  "auditID" AS "Audit ID", "objectRef.name" AS "Node", "verb" AS "Operation", "stageTimestamp" AS "Occurred", "user.username" AS "Operator", "responseStatus.code" AS "Status Code"  where "objectRef.resource" = 'nodes' and "verb" in ('create','delete')
    • Taint Operations. The associated query and analysis statement is:
      select  "auditID" AS "Audit ID", "objectRef.name" AS "Node","requestObject" AS "Taints",  "requestReceivedTimestamp" AS "Occurred", "user.username" AS "Operator", "responseStatus.code" AS "Status Code"  where "objectRef.resource" = 'nodes' and "verb" = 'patch' and "requestObject" = 'taints'
    • Eviction Operations. The associated query and analysis statement is:
      select  "auditID" AS "Audit ID", "objectRef.name" AS "pod", "sourceIPs" AS "Source IP",  "requestReceivedTimestamp" AS "Occurred", "user.username" AS "Operator", "responseStatus.code" AS "Status Code"  where "objectRef.resource" = 'pods' and "verb" = 'create' and "objectRef.subresource" = 'eviction'
    • Label Operations. The associated query and analysis statement is:
      select  "auditID" AS "Audit ID", "objectRef.name" AS "Node", "requestObject" AS "Label", "requestReceivedTimestamp" AS "Occurred", "user.username" AS "Operator", "responseStatus.code" AS "Status Code"  where "objectRef.resource" = 'nodes' and "verb" = 'patch' and "requestObject" = 'labels'
    • Blocking Operations. The associated query and analysis statement is:
      select "auditID" AS "Audit ID", "objectRef.name" AS "Node",  "requestReceivedTimestamp" AS "Occurred", "user.username" AS "Operator", "responseStatus.code" AS "Status Code" where "verb" = 'patch' and "objectRef.resource" = 'nodes' and "requestObject" ='true' and "requestObject" = 'unschedulable'
    • Unblocking Operations. The associated query and analysis statement is:
      select "auditID" AS "Audit ID", "objectRef.name" AS "Node",  "requestReceivedTimestamp" AS "Occurred", "user.username" AS "Operator", "responseStatus.code" AS "Status Code" where "verb" = 'patch' and "objectRef.resource" = 'nodes' and "requestObject" not in ('true','taints','unschedulable')

Viewing CCE Logs: Kubernetes Object Operations

  1. Choose CCE Dashboard Templates under Dashboard Templates and click CCE Logs: Kubernetes Object Operations to view the detailed charts.

    • Filter by namespace. The associated query and analysis statement is:
      select distinct("objectRef.namespace")
    • Filter by operation type. The associated query and analysis statement is:
      select distinct("verb")
    • Filter by status code. The associated query and analysis statement is:
      select distinct("responseStatus.code")
    • Filter by resource object. The associated query and analysis statement is:
      select distinct("objectRef.name")
    • Filter by resource type. The associated query and analysis statement is:
      select distinct("objectRef.resource")
    • Filter by user. The associated query and analysis statement is:
      select distinct("user.username")
    • Major Operation Trend. The associated query and analysis statement is:
      SELECT REPLACE(LEFT(requestReceivedTimestamp, 16),'T',' ') AS "dt", "verb" as "Operation type", count(*)  as "count" where "verb" in ('create','delete','update','patch') and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by "dt","Operation type" order by "dt" limit 10000
    • Non-System User Operation Trend. The associated query and analysis statement is:
      SELECT REPLACE(LEFT(requestReceivedTimestamp, 16),'T',' ') AS "dt", count(*) as "Requests","user.username" WHERE "user.username" not in ('kube-controller-manager','kube-apiserver-kubelet-client','apiserver') and "user.username" not like 'system:%'  and  "verb" in ('create','delete','update','patch')  and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','secrets','persistentvolumeclaims')  group by "dt", "user.username"  limit 10000
    • create Resources. The associated query and analysis statement is:
      select "objectRef.resource" as "Resource type", count(*) as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"
    • delete Resources. The associated query and analysis statement is:
      select "objectRef.resource" as "Resource type", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"
    • update Resources. The associated query and analysis statement is:
      select "objectRef.resource" as "Resource type", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"
    • patch Resources. The associated query and analysis statement is:
      select "objectRef.resource" as "Resource type", count(*) as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"
    • create Users. The associated query and analysis statement is:
      select "user.username" as "User", count(*)  as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"
    • delete Users. The associated query and analysis statement is:
      select "user.username" as "User", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"
    • update Users. The associated query and analysis statement is:
      select "user.username" as "User", count(*)  as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"
    • patch Users. The associated query and analysis statement is:
      select "user.username" as "User", count(*)  as "count"  where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"
    • create Codes. The associated query and analysis statement is:
      select cast("responseStatus.code" as varchar) as "Status code", count(*) as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"
    • delete Codes. The associated query and analysis statement is:
      select cast("responseStatus.code" as varchar) as "Status code", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"
    • update Codes. The associated query and analysis statement is:
      select cast("responseStatus.code" as varchar) as "Status code", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"
    • patch Codes. The associated query and analysis statement is:
      select cast("responseStatus.code" as varchar) as "Status code", count(*)  as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"
    • create Operation Trend. The associated query and analysis statement is:
      SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "Resource type", count(*)  as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000
    • delete Operation Trend. The associated query and analysis statement is:
      SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "Resource type", count(*)  as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000
    • update Operation Trend. The associated query and analysis statement is:
      SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "Resource type", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000
    • patch Operation Trend. The associated query and analysis statement is:
      SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "Resource type", count(*)  as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

Viewing CCE Logs: Kubernetes Event Queries

  1. Choose CCE Dashboard Templates under Dashboard Templates and click CCE Logs: Kubernetes Event Queries to view the detailed charts.

    • Event Level: Select Warning, Normal, or Error.
    • Filter by event type. The associated query and analysis statement is:
      select distinct("name")
    • Filter by cluster ID. The associated query and analysis statement is:
      select distinct("cluster_id")
    • Filter by namespace. The associated query and analysis statement is:
      select distinct("namespace")
    • Filter by name. The associated query and analysis statement is:
      select distinct("resource_name")
    • Total Events. The associated query and analysis statement is:
      SELECT TIME_FORMAT( "_time_", 'yyyy-MM-dd HH:mm:ss', '' ) as "_time_","total" FROM ( SELECT TIME_CEIL ( __time, 'PT1H' ) AS "_time_", count( 1 ) AS "total" FROM log GROUP BY "_time_" )
    • Ordinary Events. The associated query and analysis statement is:
      SELECT TIME_FORMAT( "_time_", 'yyyy-MM-dd HH:mm:ss', '' ) as "_time_","total" FROM ( SELECT TIME_CEIL ( __time, 'PT1H' ) AS "_time_", count( 1 ) AS "total" FROM log where "type" = 'Normal' GROUP BY "_time_" )
    • Warnings. The associated query and analysis statement is:
      SELECT TIME_FORMAT( "_time_", 'yyyy-MM-dd HH:mm:ss', '' ) as "_time_","total" FROM ( SELECT TIME_CEIL ( __time, 'PT1H' ) AS "_time_", count( 1 ) AS "total" FROM log where "type" = 'Warning' GROUP BY "_time_" )
    • Errors. The associated query and analysis statement is:
      SELECT TIME_FORMAT( "_time_", 'yyyy-MM-dd HH:mm:ss', '' ) as "_time_","total" FROM ( SELECT TIME_CEIL ( __time, 'PT1H' ) AS "_time_", count( 1 ) AS "total" FROM log  where "type" = 'Error' GROUP BY "_time_" )
    • Major Events. The associated query and analysis statement is:
      select "name",count(1) as "total" from log group by "name"
    • Major Event Statistics. The associated query and analysis statement is:
      SELECT "type" as "Level", "name" as "Type", count(1) as "Total", "reason" as "Details" from log where "type" != 'Normal'  group by "type", "name", "reason" order by "Total" desc
    • Major Pod Event Statistics. The associated query and analysis statement is:
      SELECT "type" as "Level", "name" as "Type",  count(1) as "Total", "reason" as "Details"  from log where "type" != 'Normal'  and "resource_kind" = 'Pod' group by  "type",  "name", "reason" order by "Total" desc
    • Latest 100 Events. The associated query and analysis statement is:
      select TIME_FORMAT( __time, 'yyyy-MM-dd HH:mm:ss', '+08:00' ) as "Time","type" as "Level", "name" as "Type", "reason" as "Details", "namespace" as "Namespace" from log order by __time desc limit 100

Viewing CCE Logs: Kubernetes Event Center

  1. Choose CCE Dashboard Templates under Dashboard Templates and click CCE Logs: Kubernetes Event Center to view the detailed charts.

    • Event Level: Select Warning or Normal.
    • Filter by event type. The associated query and analysis statement is:
      select distinct("name")
    • Filter by cluster ID. The associated query and analysis statement is:
      select distinct("cluster_id")
    • Filter by namespace. The associated query and analysis statement is:
      select distinct("namespace") 
    • Filter by name. The associated query and analysis statement is:
      select distinct("resource_name")
    • Conntrack Full. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'ConntrackFull'  ) )
    • Event Sync Error. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'NTPIsDown') )
    • Insufficient Node PIDs. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name" in ('PIDPressure','NodeHasPIDPressure') ) )
    • Insufficient Node FDs. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'NodeHasFDPressure') )
    • Insufficient Node Disk Space. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'NodeHasDiskPressure') )
    • Pod OOM. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where   "reason" in ('OOMKilling','PodOOMKilling')) )
    • DockerHung. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'Failed' and "reason" = 'DockerHung') )
    • Node Restart. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'NodeRebooted') )
    • Pull Image Failed. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'Failed' and "reason" = 'ImagePullBackOff') )
    • Node OOM. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name" = 'SystemOOM') )
    • Start Pod Failed. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'Failed' and "resource_kind" = 'Pod' and  "reason" = 'ImagePullBackOff') )
    • Event Distribution. The associated query and analysis statement is:
      select "type", count(*) as "Events" group by "type"
    • Warning Event Trend. The associated query and analysis statement is:
      select time_series(__time, 'PT1H', 'yyyy-MM-dd HH', '0') as "dt",count(1) as "count"  from log  where "type" = 'Warning'  group by "dt" order by "dt"
    • Error Event Trend. The associated query and analysis statement is:
      select time_series(__time, 'PT1H', 'yyyy-MM-dd HH', '0') as "dt",count(1) as "count" from log  where "type" = 'Error' group by "dt" order by "dt"
    • Pod OOM Events. The associated query and analysis statement is:
      select TIME_FORMAT( __time, 'yyyy-MM-dd HH:mm:ss', '+08:00') as "Time", "resource_kind" as "Event Target", "name" as "Type", "resource_name" as "Target Name", "reason" as "Details" from log where "name" in ('OOMKilling','PodOOMKilling') order by __time desc limit 100
    • Pod Driver Event List. The associated query and analysis statement is:
      select TIME_FORMAT( __time, 'yyyy-MM-dd HH:mm:ss', '+08:00' ) as "Time", "resource_kind" as "Event Target", "name" as "Type", "resource_name" as "Target Name", "reason" as "Details" from log where "name" = 'NodeControllerEviction' order by __time desc limit 100
    • Major Events. The associated query and analysis statement is:
      select TIME_FORMAT( __time, 'yyyy-MM-dd HH:mm:ss', '+08:00' ) as "Time", "type" as "Level", "resource_kind" as "Event Target", "name" as "Type", "resource_name" as "Target Name", "reason" as "Details" from log where "type" in ('Warning','Error') order by __time desc limit 100

Viewing CCE Logs: Aggregation Search

  1. Choose CCE Dashboard Templates under Dashboard Templates and click CCE Logs: Aggregation Search to view the detailed charts.

    • Filter by namespace. The associated query and analysis statement is:
      select distinct("objectRef.namespace")
    • Filter by user. The associated query and analysis statement is:
      select distinct("user.username")
    • Filter by status code. The associated query and analysis statement is:
      select distinct("responseStatus.code")
    • Filter by operation type. The associated query and analysis statement is:
      select distinct("verb")
    • Filter by resource object. The associated query and analysis statement is:
      select distinct("objectRef.name")
    • Filter by resource type. The associated query and analysis statement is:
      select distinct("objectRef.resource")
    • Filter by request URL. The associated query and analysis statement is:
      select distinct("requestURI")
    • Filter by userAgent. The associated query and analysis statement is:
      select distinct("userAgent")
    • User Distribution Trend. The associated query and analysis statement is:
      SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "user.username" as "User", count(*) as "count" group by dt, "user.username" order by dt limit 10000
    • Namespace Trend. The associated query and analysis statement is:
      SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.namespace" as "Namespace", count(*) as "count"  group by dt, "objectRef.namespace" order by dt limit 10000
    • Operation Type Trends. The associated query and analysis statement is:
      SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.namespace" as "Namespace", count(*) as "count"  group by dt, "objectRef.namespace" order by dt limit 10000
    • Status Code Trend. The associated query and analysis statement is:
      SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, cast("responseStatus.code" as varchar) as "Return code", count(*)  as "count" group by dt, "Return code" order by dt limit 10000
    • Resource Type Trend. The associated query and analysis statement is:
      SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "Resource type", count(*) as "count" group by dt, "objectRef.resource" order by dt limit 10000
    • Major Operations. The associated query and analysis statement is:
      select  "auditID" AS "Audit ID", "verb" AS "Operation Type", "requestReceivedTimestamp" AS "Started", "stageTimestamp" AS "Ended", "user.username" AS "Operator", "sourceIPs" AS "Operation Source","userAgent","objectRef.namespace" AS "Namespace", CONCAT(CONCAT("objectRef.resource", '/'), "objectRef.subresource") AS "Operation Object", "objectRef.name" AS "Resource Name", "responseStatus.code" AS "Return Code"

Viewing CCE Logs: Account Operations

  1. Choose CCE Dashboard Templates under Dashboard Templates and click CCE Logs: Account Operations to view the detailed charts.

    • Filter by username. The associated query and analysis statement is:
      select distinct("user.username")
    • Filter by namespace. The associated query and analysis statement is:
      select distinct("objectRef.namespace")
    • Filter by status code. The associated query and analysis statement is:
      select distinct("responseStatus.code")
    • Resources Created. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where "verb" = 'create') )
    • Resources Modified. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(*)   as "total" from log where "verb" in ('update','patch')) )
    • Resources Deleted. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(*)   as "total" from log where "verb" = 'delete') )
    • Affected Namespaces. The associated query and analysis statement is:
      select case when "objectRef.namespace" is null then '_all__' else "objectRef.namespace" end as ns, count(1) as total group by  ns  limit 10000
    • Deleted Resource. The associated query and analysis statement is:
      SELECT "objectRef.resource" as "resource", count(1) as "count" where  "verb" = 'delete' group by "resource"
    • Operation History. The associated query and analysis statement is:
      select case  when "Operation" is null then 'None' else "Operation" end as "Operation", "Time", v from  (select concat(CASE WHEN "objectRef.subresource" is null then "objectRef.resource" else "objectRef.subresource"  end, '[', verb, ']'  ) as "Operation", time_series(__time, 'PT1H', 'yyyy-MM-dd HH', '0') as "Time", count(1) as v  from  log where "verb" in ('create', 'patch',  'update', 'delete')  group by "Operation", "Time" order by "Time" desc  limit  10000  )
    • Resource Operations. The associated query and analysis statement is:
      select CASE WHEN "objectRef.subresource" is null then "objectRef.resource" else "objectRef.subresource" end as "Resource", verb as "Operation", count(1) as total where "verb" in ('create','update','patch','delete') group by "Resource", "Operation" limit 10000
    • Created Resources. The associated query and analysis statement is:
      SELECT "auditID" as "Event ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "Occurred", "requestURI" as "Resource", "objectRef.name" as "Resource Name", "responseStatus.code" as "Status Code","sourceIPs" as "Source IP", "requestObject" as "Details" where "verb" = 'create' order by __time desc limit 1000
    • Modified Resources. The associated query and analysis statement is:
      SELECT auditID as "Event ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "Occurred","requestURI" as "Resource", "objectRef.name" as "Resource Name", "responseStatus.code" as "Status Code","sourceIPs" as "Source IP", requestObject as "Details" where "verb" in ('update','patch') order by __time desc limit 1000
    • Accessed Resources. The associated query and analysis statement is:
      SELECT auditID as "Event ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "Occurred", "requestURI" as "Resource", "objectRef.name" as "Resource Name", "responseStatus.code" as "Status Code","sourceIPs" as "Source IP", requestObject as "Details" where "verb" in ('get','list') order by __time desc limit 1000
    • Deleted Resources. The associated query and analysis statement is:
      SELECT auditID as "Event ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "Occurred", "requestURI" as "Resource", "objectRef.name" as "Resource Name", "responseStatus.code" as "Status Code","sourceIPs" as "Source IP", requestObject as "Details" where "verb" = 'delete' order by __time desc limit 1000

Viewing CCE Log Audit Center

  1. Choose CCE Dashboard Templates under Dashboard Templates and click CCE Log Audit Center to view the detailed charts.

    • Filter by namespace. The associated query and analysis statement is:
      select distinct("objectRef.namespace")
    • Filter by user. The associated query and analysis statement is:
      select distinct("user.username")
    • Filter by operation type. The associated query and analysis statement is:
      select distinct("verb")
    • Filter by status code. The associated query and analysis statement is:
      select distinct("responseStatus.code")
    • Filter by resource object. The associated query and analysis statement is:
      select distinct("objectRef.name")
    • Filter by resource type. The associated query and analysis statement is:
      select distinct("objectRef.resource")
    • Filter by request URL. The associated query and analysis statement is:
      select distinct("requestURI")
    • Filter by UserAgent. The associated query and analysis statement is:
      select distinct("userAgent")
    • Total Audit Records. The associated query and analysis statement is:
      select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log ) )
    • Users. The associated query and analysis statement is:
      select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc"  from (select compare( total , 86400) as diff from( select count(distinct("user.username")) as total from log ) )
    • Active Nodes. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(DISTINCT "user.username") as total     from log where "objectRef.resource" = 'nodes' and "objectRef.subresource" = 'status' and "verb" in ('update','put','patch') and "user.username" in ('node','system')) )
    • Abnormal Visits. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where "responseStatus.code" >= 400) )
    • Sensitive Operations. The associated query and analysis statement is:
      select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1)  as "total" from log where ("verb" = 'create' AND "objectRef.subresource" = 'exec') OR ("verb" = 'create' AND "objectRef.subresource" = 'attach' AND "objectRef.resource" = 'pods') OR ("objectRef.resource" = 'secrets' AND "verb"= 'get' AND ( "user.username" != 'apiserver') AND ("user.username" not like 'system:node:%')) OR ("verb"= 'delete' AND ( "user.username" not like 'system:node:%') AND ( "user.username" not like 'system:serviceaccount:kube-system:%') AND ( "user.username" != 'system:apiserver') AND ( "user.username" != 'system:kube-scheduler') AND ("user.username" != 'system:kube-controller-manager'))) )
    • Creation Operations. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where verb = 'create') )
    • Update Operations. The associated query and analysis statement is:
      select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc"  from (select compare( total , 86400) as diff from( select count(1) as total from log where verb in ('update','patch')) )
    • Deletion Operations. The associated query and analysis statement is:
      select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where verb = 'delete') )
    • Users. The associated query and analysis statement is:
      select "user.username" as "Username", count(*) as "count"  group by "Username" order by "count" desc
    • Namespaces. The associated query and analysis statement is:
      select "objectRef.namespace" as "Namespace", count(*) as "count"  group by "Namespace"
    • Resource Types. The associated query and analysis statement is:
      select "objectRef.resource" as "Resource type", count(*) as "count"  group by "Resource type" order by "count" desc limit 20
    • Operation Types. The associated query and analysis statement is:
      select verb as "Operation type", count(*) as "count" group by "Operation type" order by "count" desc
    • Node Operations. The associated query and analysis statement is:
      select "verb" as "Operation type", count(*) as "count" where  "objectRef.resource" = 'nodes' AND ("verb" in ('create','delete') ) group by "Operation type" order by "count" desc
    • Workload Operations. The associated query and analysis statement is:
      select "verb" as "Operation type", count(*) as "count" where "verb" in ('create', 'delete') and "objectRef.resource" in ('deployments','statefulsets','daemonsets','jobs','cronjobs') group by "Operation type" order by "count" desc
    • Service/Ingress Operations. The associated query and analysis statement is:
      select "verb" as "Operation type", count(*) as "count" where "verb" in ('create', 'delete') and "objectRef.resource" in ('ingresses','services') group by "verb"  order by "count" desc
    • Major Operation Trend. The associated query and analysis statement is:
      SELECT REPLACE(LEFT("stageTimestamp", 16),'T',' ') AS "dt", "verb", count(*) as "count" where "verb" in ('create','delete','update','patch') group by "dt", "verb" order by "dt" limit 10000
    • Non-System User Operation Trend. The associated query and analysis statement is:
      SELECT REPLACE(LEFT("stageTimestamp", 16),'T',' ') AS "dt", count(*) as "count", "user.username" as "Username" where "user.username" not in ('kube-controller-manager','kube-apiserver-kubelet-client','system','apiserver') group by "dt", "Username" order by "dt" limit 10000
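
The four branches of the Sensitive Operations statement above, re-expressed as an added Python example (not Huawei Cloud or CCE code) and run over Kubernetes audit events, to show which requests the chart counts and which system identities it exempts. The sample events are constructed, and the function names and the spelling system:apiserver for the API server identity are assumptions.

```python
import json
from collections import Counter

# Constructed Kubernetes audit events, one JSON object per line (not real log data).
SAMPLE_LOG = """\
{"verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","name":"web-0","subresource":"exec"}}
{"verb":"get","user":{"username":"system:node:node-1"},"objectRef":{"resource":"secrets","name":"db-pass"}}
{"verb":"get","user":{"username":"bob"},"objectRef":{"resource":"secrets","name":"db-pass"}}
{"verb":"delete","user":{"username":"system:serviceaccount:kube-system:generic-garbage-collector"},"objectRef":{"resource":"pods","name":"job-1"}}
{"verb":"delete","user":{"username":"carol"},"objectRef":{"resource":"deployments","name":"api"}}
{"verb":"list","user":{"username":"alice"},"objectRef":{"resource":"pods"}}
{"verb":"delete","user":{"username":"system:kube-controller-manager"},"objectRef":{"resource":"pods","name":"web-1"}}
"""

# Identities exempted from the delete branch; "system:apiserver" is an assumed spelling.
DELETE_EXEMPT_USERS = {"system:apiserver", "system:kube-scheduler", "system:kube-controller-manager"}
DELETE_EXEMPT_PREFIXES = ("system:node:", "system:serviceaccount:kube-system:")

def sensitive_reason(event):
    """Return the branch of the Sensitive Operations filter that matches, or None."""
    verb = event.get("verb")
    ref = event.get("objectRef") or {}
    user = (event.get("user") or {}).get("username", "")
    resource, sub = ref.get("resource"), ref.get("subresource")
    if verb == "create" and sub == "exec":
        return "exec"
    if verb == "create" and sub == "attach" and resource == "pods":
        return "attach"
    if (resource == "secrets" and verb == "get" and user != "apiserver"
            and not user.startswith("system:node:")):
        return "secret-read"
    if (verb == "delete" and user not in DELETE_EXEMPT_USERS
            and not user.startswith(DELETE_EXEMPT_PREFIXES)):
        return "delete"
    return None

def summarize(log_text):
    """Count matches per branch and list (username, branch, object name) hits."""
    counts, hits = Counter(), []
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        reason = sensitive_reason(event)
        if reason:
            counts[reason] += 1
            hits.append((event["user"]["username"], reason, event["objectRef"].get("name")))
    return counts, hits

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```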