CCE仪表盘模板

前提条件

• 已采集CCE日志，详情请参见云容器引擎CCE应用日志接入LTS。
• 日志配置结构化，详情请参见设置云端结构化解析日志。

查看CCE日志节点操作

1. 登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。
2. 在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志节点操作”，查看图表详情。
   • 过滤节点名称，所关联的查询分析语句如下所示：

     select distinct("objectRef.name")

   • 过滤操作用户，所关联的查询分析语句如下所示：

     select distinct("user.username")

   • 过滤状态码，所关联的查询分析语句如下所示：

     select distinct("responseStatus.code")

   • 过滤操作类型，所关联的查询分析语句如下所示：

     select distinct("verb")

   • 节点数趋势图表所关联的查询分析语句如下所示：

     SELECT  time_series( TIME_PARSE(LEFT(requestReceivedTimestamp, 23),'yyyy-MM-dd''T''HH:mm:ss.SSS'), 'PT1H', 'yyyy-MM-dd HH', '0' ) as "dt",  count(DISTINCT("objectRef.name")) as "节点数" where "objectRef.resource" = 'nodes'  and "objectRef.subresource" = 'status'  and "verb" in ('update', 'patch') and "user.username" = 'system:node' group by   "dt" order by  "dt" desc limit  10000

   • 非系统用户操作趋势图表所关联的查询分析语句如下所示：

     SELECT time_series( TIME_PARSE(LEFT(requestReceivedTimestamp, 23),'yyyy-MM-dd''T''HH:mm:ss.SSS'), 'PT1H', 'yyyy-MM-dd HH', '0' ) as "dt", count(*) as "请求", "user.username"  where "objectRef.resource" = 'nodes' and "user.username" not in ( 'kube-controller-manager','kube-apiserver-kubelet-client','apiserver') and "user.username" not like  'system:%' and "verb" in ('create','delete','update','patch') group by "dt", "user.username" order by "dt","请求" desc limit 10000

   • create操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" = 'create' group by "状态码"

   • delete操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" = 'delete' group by "状态码"

   • patch操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" = 'patch' group by "状态码"

   • update操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" = 'update' group by "状态码"

   • 节点封锁/解除封锁操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*)  as "count" where "requestObject" in ('{"spec":{"unschedulable":false}}','{"spec":{"unschedulable":true}}')  group by "状态码"

   • Label操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where  "objectRef.resource" = 'nodes' and "verb" in ('patch','update') and "requestObject" = 'labels' and "requestObject" = 'metadata' group by "状态码"

   • Taint操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" in ('patch','update') and "requestObject" = 'taints' group by "状态码"

   • 驱逐操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "objectRef.subresource" = 'eviction' and "objectRef.resource" = 'pods' and "verb" = 'create' group by "状态码"

   • 节点增删操作列表图表所关联的查询分析语句如下所示：

     select  "auditID" AS "Audit ID", "objectRef.name" AS "节点名", "verb" AS "操作动作", "stageTimestamp" AS "操作时间", "user.username" AS "操作账号", "responseStatus.code" AS "状态码"  where "objectRef.resource" = 'nodes' and "verb" in ('create','delete')

   • Taint操作列表图表所关联的查询分析语句如下所示：

     select  "auditID" AS "Audit ID", "objectRef.name" AS "节点名","requestObject" AS "Taints",  "requestReceivedTimestamp" AS "操作时间", "user.username" AS "操作账号", "responseStatus.code" AS "状态码"  where "objectRef.resource" = 'nodes' and "verb" = 'patch' and "requestObject" = 'taints'

   • 驱逐操作列表图表所关联的查询分析语句如下所示：

     select  "auditID" AS "Audit ID", "objectRef.name" AS "pod", "sourceIPs" AS "源地址",  "requestReceivedTimestamp" AS "操作时间", "user.username" AS "操作账号", "responseStatus.code" AS "状态码"  where "objectRef.resource" = 'pods' and "verb" = 'create' and "objectRef.subresource" = 'eviction'

   • Label操作列表图表所关联的查询分析语句如下所示：

     select  "auditID" AS "Audit ID", "objectRef.name" AS "节点名", "requestObject" AS "Label", "requestReceivedTimestamp" AS "操作时间", "user.username" AS "操作账号", "responseStatus.code" AS "状态码"  where "objectRef.resource" = 'nodes' and "verb" = 'patch' and "requestObject" = 'labels'

   • 封锁操作列表图表所关联的查询分析语句如下所示：

     select "auditID" AS "Audit ID", "objectRef.name" AS "节点名",  "requestReceivedTimestamp" AS "操作时间", "user.username" AS "操作账号", "responseStatus.code" AS "状态码" where "verb" = 'patch' and "objectRef.resource" = 'nodes' and "requestObject" ='true' and "requestObject" = 'unschedulable'

   • 取消封锁操作列表图表所关联的查询分析语句如下所示：

     select "auditID" AS "Audit ID", "objectRef.name" AS "节点名",  "requestReceivedTimestamp" AS "操作时间", "user.username" AS "操作账号", "responseStatus.code" AS "状态码" where "verb" = 'patch' and "objectRef.resource" = 'nodes' and "requestObject" not in ('true','taints','unschedulable')

查看CCE日志K8s对象操作

1. 登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。
2. 在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志K8s对象操作”，查看图表详情。
   • 过滤命名空间，所关联的查询分析语句如下所示：

     select distinct("objectRef.namespace")

   • 过滤操作类型，所关联的查询分析语句如下所示：

     select distinct("verb")

   • 过滤状态码，所关联的查询分析语句如下所示：

     select distinct("responseStatus.code")

   • 过滤资源对象，所关联的查询分析语句如下所示：

     select distinct("objectRef.name")

   • 过滤资源类型，所关联的查询分析语句如下所示：

     select distinct("objectRef.resource")

   • 过滤操作用户，所关联的查询分析语句如下所示：

     select distinct("user.username")

   • 重要操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(requestReceivedTimestamp, 16),'T',' ') AS "dt", "verb" as "操作类型", count(*)  as "count" where "verb" in ('create','delete','update','patch') and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by "dt","操作类型" order by "dt" limit 10000

   • 非系统用户操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(requestReceivedTimestamp, 16),'T',' ') AS "dt", count(*) as "请求次数","user.username" WHERE "user.username" not in ('kube-controller-manager','kube-apiserver-kubelet-client','apiserver') and "user.username" not like 'system:%'  and  "verb" in ('create','delete','update','patch')  and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresss','configmaps','secrets','pvcs')  group by "dt", "user.username"  limit 10000

   • create操作资源类型分布图表所关联的查询分析语句如下所示：

     select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

   • delete操作资源类型分布图表所关联的查询分析语句如下所示：

     select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

   • update操作资源类型分布图表所关联的查询分析语句如下所示：

     select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

   • patch操作资源类型分布图表所关联的查询分析语句如下所示：

     select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

   • create操作用户分布图表所关联的查询分析语句如下所示：

     select "user.username" as "操作用户", count(*)  as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

   • delete操作用户分布图表所关联的查询分析语句如下所示：

     select "user.username" as "操作用户", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

   • update操作用户分布图表所关联的查询分析语句如下所示：

     select "user.username" as "操作用户", count(*)  as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"select "user.username" as "操作用户", count(*)  as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

   • patch操作用户分布图表所关联的查询分析语句如下所示：

     select "user.username" as "操作用户", count(*)  as "count"  where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

   • create操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

   • delete操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

   • update操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

   • patch操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*)  as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

   • create操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*)  as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

   • delete操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*)  as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

   • update操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

   • patch操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*)  as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

查看CCE日志K8s事件查询

1. 登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。
2. 在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志K8s对象操作”，查看图表详情。
   • 过滤命名空间，所关联的查询分析语句如下所示：

     select distinct("objectRef.namespace")

   • 过滤操作类型，所关联的查询分析语句如下所示：

     select distinct("verb")

   • 过滤状态码，所关联的查询分析语句如下所示：

     select distinct("responseStatus.code")

   • 过滤资源对象，所关联的查询分析语句如下所示：

     select distinct("objectRef.name")

   • 过滤资源类型，所关联的查询分析语句如下所示：

     select distinct("objectRef.resource")

   • 过滤操作用户，所关联的查询分析语句如下所示：

     select distinct("user.username")

   • 重要操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(requestReceivedTimestamp, 16),'T',' ') AS "dt", "verb" as "操作类型", count(*)  as "count" where "verb" in ('create','delete','update','patch') and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by "dt","操作类型" order by "dt" limit 10000

   • 非系统用户操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(requestReceivedTimestamp, 16),'T',' ') AS "dt", count(*) as "请求次数","user.username" WHERE "user.username" not in ('kube-controller-manager','kube-apiserver-kubelet-client','apiserver') and "user.username" not like 'system:%'  and  "verb" in ('create','delete','update','patch')  and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresss','configmaps','secrets','pvcs')  group by "dt", "user.username"  limit 10000

   • create操作资源类型分布图表所关联的查询分析语句如下所示：

     select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

   • delete操作资源类型分布图表所关联的查询分析语句如下所示：

     select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

   • update操作资源类型分布图表所关联的查询分析语句如下所示：

     select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

   • patch操作资源类型分布图表所关联的查询分析语句如下所示：

     select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

   • create操作用户分布图表所关联的查询分析语句如下所示：

     select "user.username" as "操作用户", count(*)  as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

   • delete操作用户分布图表所关联的查询分析语句如下所示：

     select "user.username" as "操作用户", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

   • update操作用户分布图表所关联的查询分析语句如下所示：

     select "user.username" as "操作用户", count(*)  as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"select "user.username" as "操作用户", count(*)  as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

   • patch操作用户分布图表所关联的查询分析语句如下所示：

     select "user.username" as "操作用户", count(*)  as "count"  where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

   • create操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

   • delete操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

   • update操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

   • patch操作状态码分布图表所关联的查询分析语句如下所示：

     select cast("responseStatus.code" as varchar) as "状态码", count(*)  as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

   • create操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*)  as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

   • delete操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*)  as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

   • update操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

   • patch操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*)  as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

查看CCE日志K8s事件中心

1. 登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。
2. 在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志K8s事件中心”，查看图表详情。
   • 事件等级分为Warning和Normal。
   • 过滤事件类型，所关联的查询分析语句如下所示：

     select distinct("name")

   • 过滤集群ID，所关联的查询分析语句如下所示：

     select distinct("cluster_id")

   • 过滤命名空间，所关联的查询分析语句如下所示：

     select distinct("namespace") 

   • 过滤名称，所关联的查询分析语句如下所示：

     select distinct("resource_name")

   • Conntrack Full图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'ConntrackFull'  ) )

   • 事件同步异常图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'NTPIsDown') )

   • 节点Pid不足图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name" in ('PIDPressure','NodeHasPIDPressure') ) )

   • 节点FD不足图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'NodeHasFDPressure') )

   • 节点磁盘空间不足图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'NodeHasDiskPressure') )

   • Pod OOM图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where   "reason" in ('OOMKilling','PodOOMKilling')) )

   • DockerHung图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'Failed' and "reason" = 'DockerHung') )

   • 节点重启图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'NodeRebooted') )

   • 镜像拉取失败图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'Failed' and "reason" = 'ImagePullBackOff') )

   • 节点OOM图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name" = 'SystemOOM') )

   • Pod启动失败图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'Failed' and "resource_kind" = 'Pod' and  "reason" = 'ImagePullBackOff') )

   • 事件分布图表所关联的查询分析语句如下所示：

     select "type", count(*) as "事件数" group by "type"

   • Warning事件趋势图表所关联的查询分析语句如下所示：

     select time_series(__time, 'PT1H', 'yyyy-MM-dd HH', '0') as "dt",count(1) as "count"  from log  where "type" = 'Warning'  group by "dt" order by "dt"

   • Error事件趋势图表所关联的查询分析语句如下所示：

     select time_series(__time, 'PT1H', 'yyyy-MM-dd HH', '0') as "dt",count(1) as "count" from log  where "type" = 'Error' group by "dt" order by "dt"

   • Pod OOM事件列表所关联的查询分析语句如下所示：

     select TIME_FORMAT( __time, 'yyyy-MM-dd HH:mm:ss', '+08:00') as "Time", "resource_kind" as "事件目标", "name" as "类型", "resource_name" as "目标名", "reason" as "详细内容" from log where "name" in ('OOMKilling','PodOOMKilling') order by __time desc limit 100

   • Pod驱动事件列表所关联的查询分析语句如下所示：

     select TIME_FORMAT( __time, 'yyyy-MM-dd HH:mm:ss', '+08:00' ) as "Time", "resource_kind" as "事件目标", "name" as "类型", "resource_name" as "目标名", "reason" as "详细内容" from log where "name" = 'NodeControllerEviction' order by __time desc limit 100

   • 重要事件列表所关联的查询分析语句如下所示：

     select TIME_FORMAT( __time, 'yyyy-MM-dd HH:mm:ss', '+08:00' ) as "Time", "type" as "等级", "resource_kind" as "事件目标", "name" as "类型", "resource_name" as "目标名", "reason" as "详细内容" from log where "type" in ('Warning','Error') order by __time desc limit 100

查看CCE日志聚合检索

1. 登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。
2. 在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志聚合检索”，查看图表详情。
   • 过滤命名空间，所关联的查询分析语句如下所示：

     select distinct("objectRef.namespace")

   • 过滤操作用户，所关联的查询分析语句如下所示：

     select distinct("user.username")

   • 过滤状态码，所关联的查询分析语句如下所示：

     select distinct("responseStatus.code")

   • 过滤操作类型，所关联的查询分析语句如下所示：

     select distinct("verb")

   • 过滤资源对象，所关联的查询分析语句如下所示：

     select distinct("objectRef.name")

   • 过滤资源类型，所关联的查询分析语句如下所示：

     select distinct("objectRef.resource")

   • 过滤请求URL，所关联的查询分析语句如下所示：

     select distinct("requestURI")

   • 过滤userAgent，所关联的查询分析语句如下所示：

     select distinct("userAgent")

   • 操作用户分布趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "user.username" as "操作用户", count(*) as "count" group by dt, "user.username" order by dt limit 10000

   • 命名空间分布趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.namespace" as "命名空间", count(*) as "count"  group by dt, "objectRef.namespace" order by dt limit 10000

   • 操作类型分布趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.namespace" as "命名空间", count(*) as "count"  group by dt, "objectRef.namespace" order by dt limit 10000

   • 状态码分布趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, cast("responseStatus.code" as varchar) as "返回码", count(*)  as "count" group by dt, "返回码" order by dt limit 10000

   • 资源类型分布趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*) as "count" group by dt, "objectRef.resource" order by dt limit 10000	SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*) as "count" group by dt, "objectRef.resource" order by dt limit 10000

   • 重要操作列表所关联的查询分析语句如下所示：

     select  "auditID" AS "Audit ID", "verb" AS "操作类型", "requestReceivedTimestamp" AS "开始时间", "stageTimestamp" AS "结束时间", "user.username" AS "操作账号", "sourceIPs" AS "操作源","userAgent","objectRef.namespace" AS "命名空间", CONCAT(CONCAT("objectRef.resource", '/'), "objectRef.subresource") AS "操作对象", "objectRef.name" AS "资源名", "responseStatus.code" AS "返回码"

查看CCE日志账号操作审计

1. 登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。
2. 在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志账号操作审计”，查看图表详情。
   • 过滤用户名，所关联的查询分析语句如下所示：

     select distinct("user.username")

   • 过滤命名空间，所关联的查询分析语句如下所示：

     select distinct("objectRef.namespace")

   • 过滤状态码，所关联的查询分析语句如下所示：

     select distinct("responseStatus.code")

   • 资源创建数图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where "verb" = 'create') )

   • 资源修改数图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(*)   as "total" from log where "verb" in ('update','patch')) )

   • 资源删除数图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(*)   as "total" from log where "verb" = 'delete') )

   • 操作命名空间分布图表所关联的查询分析语句如下所示：

     select case when "objectRef.namespace" is null then '_all__' else "objectRef.namespace" end as ns, count(1) as total group by  ns  limit 10000

   • 删除资源分布图表所关联的查询分析语句如下所示：

     SELECT "objectRef.resource" as "resource", count(1) as "count" where  "verb" = 'delete' group by "resource"

   • 操作轨迹图表所关联的查询分析语句如下所示：

     select case  when "操作" is null then '无' else "操作" end as "操作", "时间", v from  (select concat(CASE WHEN "objectRef.subresource" is null then "objectRef.resource" else "objectRef.subresource"  end, '[', verb, ']'  ) as "操作", time_series(__time, 'PT1H', 'yyyy-MM-dd HH', '0') as "时间", count(1) as v  from  log where "verb" in ('create', 'patch',  'update', 'delete')  group by "操作", "时间" order by "时间" desc  limit  10000  )

   • 资源操作分布图表所关联的查询分析语句如下所示：

     select CASE WHEN "objectRef.subresource" is null then "objectRef.resource" else "objectRef.subresource" end as "资源", verb as "操作", count(1) as total where "verb" in ('create','update','patch','delete') group by "资源", "操作" limit 10000

   • 创建资源列表所关联的查询分析语句如下所示：

     SELECT "auditID" as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间", "requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", "requestObject" as "详细内容" where "verb" = 'create' order by __time desc limit 1000

   • 修改资源列表所关联的查询分析语句如下所示：

     SELECT auditID as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间","requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", requestObject as "详细内容" where "verb" in ('upate','patch') order by __time desc limit 1000 

   • 资源访问列表所关联的查询分析语句如下所示：

     SELECT auditID as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间", "requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", requestObject as "详细内容" where "verb" in ('get','list') order by __time desc limit 1000

   • 资源删除列表所关联的查询分析语句如下所示：

     SELECT auditID as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间", "requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", requestObject as "详细内容" where "verb" = 'delete' order by __time desc limit 1000

查看CCE日志审计中心

1. 登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。
2. 在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志审计中心”，查看图表详情。
   • 过滤命名空间，所关联的查询分析语句如下所示：

     select distinct("objectRef.namespace")

   • 过滤操作用户，所关联的查询分析语句如下所示：

     select distinct("user.username")

   • 过滤操作类型，所关联的查询分析语句如下所示：

     select distinct("verb")

   • 过滤状态码，所关联的查询分析语句如下所示：

     select distinct("responseStatus.code")

   • 过滤资源对象，所关联的查询分析语句如下所示：

     select distinct("objectRef.name")

   • 过滤资源类型，所关联的查询分析语句如下所示：

     select distinct("objectRef.resource")

   • 过滤请求URL，所关联的查询分析语句如下所示：

     select distinct("requestURI")

   • 过滤UserAgent，所关联的查询分析语句如下所示：

     select distinct("userAgent")

   • 总审计记录数图表所关联的查询分析语句如下所示：

     select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log ) )

   • 操作用户数图表所关联的查询分析语句如下所示：

     select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc"  from (select compare( total , 86400) as diff from( select count(distinct("user.username")) as total from log ) )

   • 活跃节点数图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(DISTINCT "user.username") as total     from log where "objectRef.resource" = 'nodes' and "objectRef.subresource" = 'status' and "verb" in ('update','put','patch') and "user.username" in ('node','system')) )

   • 异常访问次数图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where "responseStatus.code" >= 400) )

   • 敏感操作次数图表所关联的查询分析语句如下所示：

     select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1)  as "total" from log where ("verb" = 'create' AND "objectRef.subresource" = 'exec') OR ("verb" = 'create' AND "objectRef.subresource" = 'attach' AND "objectRef.resource" = 'pods') OR ("objectRef.resource" = 'secrets' AND "verb"= 'get' AND ( "user.username" != 'apiserver') AND ("user.username" not like 'system:node:%')) OR ("verb"= 'delete' AND ( "user.username" not like 'system:node:%') AND ( "user.username" not like 'system:serviceaccount:kube-system:%') AND ( "user.username" != 'system:apiserve') AND ( "user.username" != 'system:apiserve') AND ( "user.username" != 'system:kube-scheduler') AND ("user.username" != 'system:kube-controller-manager'))) )

   • 创建操作次数图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where verb = 'create') )

   • 更新操作次数图表所关联的查询分析语句如下所示：

     select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc"  from (select compare( total , 86400) as diff from( select count(1) as total from log where verb in ('update','patch')) )

   • 删除操作次数图表所关联的查询分析语句如下所示：

     select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where verb = 'delete') )

   • 操作用户分布图表所关联的查询分析语句如下所示：

     select "user.username" as "用户名", count(*) as "count"  group by "用户名" order by "count" desc

   • 命名空间分布图表所关联的查询分析语句如下所示：

     select "objectRef.namespace" as "命名空间", count(*) as "count"  group by "命名空间"

   • 资源类型分布图表所关联的查询分析语句如下所示：

     select "objectRef.resource" as "资源类型", count(*) as "count"  group by "资源类型" order by "count" desc limit 20

   • 操作类型分布图表所关联的查询分析语句如下所示：

     select verb as "操作类型", count(*) as "count" group by "操作类型" order by "count" desc

   • 节点操作分布图表所关联的查询分析语句如下所示：

     select "verb" as "操作类型", count(*) as "count" where  "objectRef.resource" = 'nodes' AND ("verb" in ('create','delete') ) group by "操作类型" order by "count" desc

   • 工作负载操作分布图表所关联的查询分析语句如下所示：

     select "verb" as "操作类型", count(*) as "count" where "verb" in ('create', 'delete') and "objectRef.resource" in ('deployments','statefulsets','daemonsets','jobs','cronjobs') group by "操作类型" order by "count" desc

   • Service/Ingress操作分布图表所关联的查询分析语句如下所示：

     select "verb" as "操作类型", count(*) as "count" where "verb" in ('create', 'delete') and "objectRef.resource" in ('ingressess','services') group by "verb"  order by "count" desc

   • 重要操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT("stageTimestamp", 16),'T',' ') AS "dt", "verb", count(*) as "count" where "verb" in ('create','delete','update','patch') group by "dt", "verb" order by "dt" limit 10000

   • 非系统用户操作趋势图表所关联的查询分析语句如下所示：

     SELECT REPLACE(LEFT("stageTimestamp", 16),'T',' ') AS "dt", count(*) as "count", "user.username" as "用户名称" where "user.username" not in ('kube-controller-manager','kube-apiserver-kubelet-client','system','apiserver') group by "dt", "用户名称" order by "dt" limit 10000