本文导读

展开导读

文档首页/ 云日志服务 LTS/ 用户指南/ 日志可视化/ 使用仪表盘将日志可视化/ 日志仪表盘模板/ CCE仪表盘模板

CCE仪表盘模板

更新时间：2024-11-18 GMT+08:00

查看PDF

云容器引擎（Cloud Container Engine，简称CCE）提供高度可扩展的、高性能的企业级Kubernetes集群。

CCE仪表盘模板支持查看CCE日志节点操作、查看CCE日志K8s对象操作、查看CCE日志K8s事件查询、查看CCE日志K8s事件中心、查看CCE日志聚合检索、查看CCE日志账号操作审计和查看CCE日志审计中心。

前提条件

已采集CCE日志，详情请参见云容器引擎CCE应用日志接入LTS。
日志配置结构化，详情请参见设置云端结构化解析日志。

查看CCE日志节点操作

登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。

在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志节点操作”，查看图表详情。

过滤节点名称，所关联的查询分析语句如下所示：
```
select distinct("objectRef.name")
```
过滤操作用户，所关联的查询分析语句如下所示：
```
select distinct("user.username")
```
过滤状态码，所关联的查询分析语句如下所示：
```
select distinct("responseStatus.code")
```
过滤操作类型，所关联的查询分析语句如下所示：
```
select distinct("verb")
```

节点数趋势图表所关联的查询分析语句如下所示：

SELECT  time_series( TIME_PARSE(LEFT(requestReceivedTimestamp, 23),'yyyy-MM-dd''T''HH:mm:ss.SSS'), 'PT1H', 'yyyy-MM-dd HH', '0' ) as "dt",  count(DISTINCT("objectRef.name")) as "节点数" where "objectRef.resource" = 'nodes'  and "objectRef.subresource" = 'status'  and "verb" in ('update', 'patch') and "user.username" = 'system:node' group by   "dt" order by  "dt" desc limit  10000

非系统用户操作趋势图表所关联的查询分析语句如下所示：

SELECT time_series( TIME_PARSE(LEFT(requestReceivedTimestamp, 23),'yyyy-MM-dd''T''HH:mm:ss.SSS'), 'PT1H', 'yyyy-MM-dd HH', '0' ) as "dt", count(*) as "请求", "user.username"  where "objectRef.resource" = 'nodes' and "user.username" not in ( 'kube-controller-manager','kube-apiserver-kubelet-client','apiserver') and "user.username" not like  'system:%' and "verb" in ('create','delete','update','patch') group by "dt", "user.username" order by "dt","请求" desc limit 10000

create操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" = 'create' group by "状态码"

delete操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" = 'delete' group by "状态码"

patch操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" = 'patch' group by "状态码"

update操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" = 'update' group by "状态码"

节点封锁/解除封锁操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*)  as "count" where "requestObject" in ('{"spec":{"unschedulable":false}}','{"spec":{"unschedulable":true}}')  group by "状态码"

Label操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where  "objectRef.resource" = 'nodes' and "verb" in ('patch','update') and "requestObject" = 'labels' and "requestObject" = 'metadata' group by "状态码"

Taint操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "objectRef.resource" = 'nodes' and "verb" in ('patch','update') and "requestObject" = 'taints' group by "状态码"

驱逐操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "objectRef.subresource" = 'eviction' and "objectRef.resource" = 'pods' and "verb" = 'create' group by "状态码"

节点增删操作列表图表所关联的查询分析语句如下所示：

select  "auditID" AS "Audit ID", "objectRef.name" AS "节点名", "verb" AS "操作动作", "stageTimestamp" AS "操作时间", "user.username" AS "操作账号", "responseStatus.code" AS "状态码"  where "objectRef.resource" = 'nodes' and "verb" in ('create','delete')

Taint操作列表图表所关联的查询分析语句如下所示：

select  "auditID" AS "Audit ID", "objectRef.name" AS "节点名","requestObject" AS "Taints",  "requestReceivedTimestamp" AS "操作时间", "user.username" AS "操作账号", "responseStatus.code" AS "状态码"  where "objectRef.resource" = 'nodes' and "verb" = 'patch' and "requestObject" = 'taints'

驱逐操作列表图表所关联的查询分析语句如下所示：

select  "auditID" AS "Audit ID", "objectRef.name" AS "pod", "sourceIPs" AS "源地址",  "requestReceivedTimestamp" AS "操作时间", "user.username" AS "操作账号", "responseStatus.code" AS "状态码"  where "objectRef.resource" = 'pods' and "verb" = 'create' and "objectRef.subresource" = 'eviction'

Label操作列表图表所关联的查询分析语句如下所示：

select  "auditID" AS "Audit ID", "objectRef.name" AS "节点名", "requestObject" AS "Label", "requestReceivedTimestamp" AS "操作时间", "user.username" AS "操作账号", "responseStatus.code" AS "状态码"  where "objectRef.resource" = 'nodes' and "verb" = 'patch' and "requestObject" = 'labels'

封锁操作列表图表所关联的查询分析语句如下所示：

select "auditID" AS "Audit ID", "objectRef.name" AS "节点名",  "requestReceivedTimestamp" AS "操作时间", "user.username" AS "操作账号", "responseStatus.code" AS "状态码" where "verb" = 'patch' and "objectRef.resource" = 'nodes' and "requestObject" ='true' and "requestObject" = 'unschedulable'

取消封锁操作列表图表所关联的查询分析语句如下所示：

select "auditID" AS "Audit ID", "objectRef.name" AS "节点名",  "requestReceivedTimestamp" AS "操作时间", "user.username" AS "操作账号", "responseStatus.code" AS "状态码" where "verb" = 'patch' and "objectRef.resource" = 'nodes' and "requestObject" not in ('true','taints','unschedulable')

查看CCE日志K8s对象操作

登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。

在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志K8s对象操作”，查看图表详情。

过滤命名空间，所关联的查询分析语句如下所示：
```
select distinct("objectRef.namespace")
```
过滤操作类型，所关联的查询分析语句如下所示：
```
select distinct("verb")
```
过滤状态码，所关联的查询分析语句如下所示：
```
select distinct("responseStatus.code")
```
过滤资源对象，所关联的查询分析语句如下所示：
```
select distinct("objectRef.name")
```
过滤资源类型，所关联的查询分析语句如下所示：
```
select distinct("objectRef.resource")
```
过滤操作用户，所关联的查询分析语句如下所示：
```
select distinct("user.username")
```

重要操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(requestReceivedTimestamp, 16),'T',' ') AS "dt", "verb" as "操作类型", count(*)  as "count" where "verb" in ('create','delete','update','patch') and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by "dt","操作类型" order by "dt" limit 10000

非系统用户操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(requestReceivedTimestamp, 16),'T',' ') AS "dt", count(*) as "请求次数","user.username" WHERE "user.username" not in ('kube-controller-manager','kube-apiserver-kubelet-client','apiserver') and "user.username" not like 'system:%'  and  "verb" in ('create','delete','update','patch')  and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresss','configmaps','secrets','pvcs')  group by "dt", "user.username"  limit 10000

create操作资源类型分布图表所关联的查询分析语句如下所示：

select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

delete操作资源类型分布图表所关联的查询分析语句如下所示：

select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

update操作资源类型分布图表所关联的查询分析语句如下所示：

select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

patch操作资源类型分布图表所关联的查询分析语句如下所示：

select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

create操作用户分布图表所关联的查询分析语句如下所示：

select "user.username" as "操作用户", count(*)  as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

delete操作用户分布图表所关联的查询分析语句如下所示：

select "user.username" as "操作用户", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

update操作用户分布图表所关联的查询分析语句如下所示：

select "user.username" as "操作用户", count(*)  as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"select "user.username" as "操作用户", count(*)  as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

patch操作用户分布图表所关联的查询分析语句如下所示：

select "user.username" as "操作用户", count(*)  as "count"  where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

create操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

delete操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

update操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

patch操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*)  as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

create操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*)  as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

delete操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*)  as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

update操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

patch操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*)  as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

查看CCE日志K8s事件查询

登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。

在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志K8s对象操作”，查看图表详情。

过滤命名空间，所关联的查询分析语句如下所示：
```
select distinct("objectRef.namespace")
```
过滤操作类型，所关联的查询分析语句如下所示：
```
select distinct("verb")
```
过滤状态码，所关联的查询分析语句如下所示：
```
select distinct("responseStatus.code")
```
过滤资源对象，所关联的查询分析语句如下所示：
```
select distinct("objectRef.name")
```
过滤资源类型，所关联的查询分析语句如下所示：
```
select distinct("objectRef.resource")
```
过滤操作用户，所关联的查询分析语句如下所示：
```
select distinct("user.username")
```

重要操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(requestReceivedTimestamp, 16),'T',' ') AS "dt", "verb" as "操作类型", count(*)  as "count" where "verb" in ('create','delete','update','patch') and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by "dt","操作类型" order by "dt" limit 10000

非系统用户操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(requestReceivedTimestamp, 16),'T',' ') AS "dt", count(*) as "请求次数","user.username" WHERE "user.username" not in ('kube-controller-manager','kube-apiserver-kubelet-client','apiserver') and "user.username" not like 'system:%'  and  "verb" in ('create','delete','update','patch')  and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresss','configmaps','secrets','pvcs')  group by "dt", "user.username"  limit 10000

create操作资源类型分布图表所关联的查询分析语句如下所示：

select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

delete操作资源类型分布图表所关联的查询分析语句如下所示：

select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

update操作资源类型分布图表所关联的查询分析语句如下所示：

select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

patch操作资源类型分布图表所关联的查询分析语句如下所示：

select "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by  "objectRef.resource"

create操作用户分布图表所关联的查询分析语句如下所示：

select "user.username" as "操作用户", count(*)  as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

delete操作用户分布图表所关联的查询分析语句如下所示：

select "user.username" as "操作用户", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

update操作用户分布图表所关联的查询分析语句如下所示：

select "user.username" as "操作用户", count(*)  as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"select "user.username" as "操作用户", count(*)  as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

patch操作用户分布图表所关联的查询分析语句如下所示：

select "user.username" as "操作用户", count(*)  as "count"  where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "user.username"

create操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

delete操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

update操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

patch操作状态码分布图表所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*)  as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims') group by  "responseStatus.code"

create操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*)  as "count" where "verb" = 'create' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

delete操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*)  as "count" where "verb" = 'delete' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

update操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*) as "count" where "verb" = 'update' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

patch操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*)  as "count" where "verb" = 'patch' and "objectRef.resource" in ('deployments','statefulsets','cronjobs','daemonsets','jobs','pods','services','ingresses','configmaps','configmaps','persistentvolumeclaims')  group by dt, "objectRef.resource" order by dt limit 10000

查看CCE日志K8s事件中心

登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。

在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志K8s事件中心”，查看图表详情。

事件等级分为Warning和Normal。
过滤事件类型，所关联的查询分析语句如下所示：
```
select distinct("name")
```
过滤集群ID，所关联的查询分析语句如下所示：
```
select distinct("cluster_id")
```
过滤命名空间，所关联的查询分析语句如下所示：
```
select distinct("namespace") 
```
过滤名称，所关联的查询分析语句如下所示：
```
select distinct("resource_name")
```

Conntrack Full图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'ConntrackFull'  ) )

事件同步异常图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'NTPIsDown') )

节点Pid不足图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name" in ('PIDPressure','NodeHasPIDPressure') ) )

节点FD不足图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'NodeHasFDPressure') )

节点磁盘空间不足图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'NodeHasDiskPressure') )

Pod OOM图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where   "reason" in ('OOMKilling','PodOOMKilling')) )

DockerHung图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'Failed' and "reason" = 'DockerHung') )

节点重启图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'NodeRebooted') )

镜像拉取失败图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'Failed' and "reason" = 'ImagePullBackOff') )

节点OOM图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name" = 'SystemOOM') )

Pod启动失败图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( "total", 3600) as diff from( select count(1) as "total" from log where  "name"= 'Failed' and "resource_kind" = 'Pod' and  "reason" = 'ImagePullBackOff') )

事件分布图表所关联的查询分析语句如下所示：
```
select "type", count(*) as "事件数" group by "type"
```

Warning事件趋势图表所关联的查询分析语句如下所示：

select time_series(__time, 'PT1H', 'yyyy-MM-dd HH', '0') as "dt",count(1) as "count"  from log  where "type" = 'Warning'  group by "dt" order by "dt"

Error事件趋势图表所关联的查询分析语句如下所示：

select time_series(__time, 'PT1H', 'yyyy-MM-dd HH', '0') as "dt",count(1) as "count" from log  where "type" = 'Error' group by "dt" order by "dt"

Pod OOM事件列表所关联的查询分析语句如下所示：

select TIME_FORMAT( __time, 'yyyy-MM-dd HH:mm:ss', '+08:00') as "Time", "resource_kind" as "事件目标", "name" as "类型", "resource_name" as "目标名", "reason" as "详细内容" from log where "name" in ('OOMKilling','PodOOMKilling') order by __time desc limit 100

Pod驱动事件列表所关联的查询分析语句如下所示：

select TIME_FORMAT( __time, 'yyyy-MM-dd HH:mm:ss', '+08:00' ) as "Time", "resource_kind" as "事件目标", "name" as "类型", "resource_name" as "目标名", "reason" as "详细内容" from log where "name" = 'NodeControllerEviction' order by __time desc limit 100

重要事件列表所关联的查询分析语句如下所示：

select TIME_FORMAT( __time, 'yyyy-MM-dd HH:mm:ss', '+08:00' ) as "Time", "type" as "等级", "resource_kind" as "事件目标", "name" as "类型", "resource_name" as "目标名", "reason" as "详细内容" from log where "type" in ('Warning','Error') order by __time desc limit 100

查看CCE日志聚合检索

登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。

在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志聚合检索”，查看图表详情。

过滤命名空间，所关联的查询分析语句如下所示：
```
select distinct("objectRef.namespace")
```
过滤操作用户，所关联的查询分析语句如下所示：
```
select distinct("user.username")
```
过滤状态码，所关联的查询分析语句如下所示：
```
select distinct("responseStatus.code")
```
过滤操作类型，所关联的查询分析语句如下所示：
```
select distinct("verb")
```
过滤资源对象，所关联的查询分析语句如下所示：
```
select distinct("objectRef.name")
```
过滤资源类型，所关联的查询分析语句如下所示：
```
select distinct("objectRef.resource")
```
过滤请求URL，所关联的查询分析语句如下所示：
```
select distinct("requestURI")
```
过滤userAgent，所关联的查询分析语句如下所示：
```
select distinct("userAgent")
```

操作用户分布趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "user.username" as "操作用户", count(*) as "count" group by dt, "user.username" order by dt limit 10000

命名空间分布趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.namespace" as "命名空间", count(*) as "count"  group by dt, "objectRef.namespace" order by dt limit 10000

操作类型分布趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.namespace" as "命名空间", count(*) as "count"  group by dt, "objectRef.namespace" order by dt limit 10000

状态码分布趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, cast("responseStatus.code" as varchar) as "返回码", count(*)  as "count" group by dt, "返回码" order by dt limit 10000

资源类型分布趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*) as "count" group by dt, "objectRef.resource" order by dt limit 10000	SELECT REPLACE(LEFT(stageTimestamp, 16),'T',' ') AS dt, "objectRef.resource" as "资源类型", count(*) as "count" group by dt, "objectRef.resource" order by dt limit 10000

重要操作列表所关联的查询分析语句如下所示：

select  "auditID" AS "Audit ID", "verb" AS "操作类型", "requestReceivedTimestamp" AS "开始时间", "stageTimestamp" AS "结束时间", "user.username" AS "操作账号", "sourceIPs" AS "操作源","userAgent","objectRef.namespace" AS "命名空间", CONCAT(CONCAT("objectRef.resource", '/'), "objectRef.subresource") AS "操作对象", "objectRef.name" AS "资源名", "responseStatus.code" AS "返回码"

查看CCE日志账号操作审计

登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。

在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志账号操作审计”，查看图表详情。

过滤用户名，所关联的查询分析语句如下所示：
```
select distinct("user.username")
```
过滤命名空间，所关联的查询分析语句如下所示：
```
select distinct("objectRef.namespace")
```
过滤状态码，所关联的查询分析语句如下所示：
```
select distinct("responseStatus.code")
```

资源创建数图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where "verb" = 'create') )

资源修改数图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(*)   as "total" from log where "verb" in ('update','patch')) )

资源删除数图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(*)   as "total" from log where "verb" = 'delete') )

操作命名空间分布图表所关联的查询分析语句如下所示：

select case when "objectRef.namespace" is null then '_all__' else "objectRef.namespace" end as ns, count(1) as total group by  ns  limit 10000

删除资源分布图表所关联的查询分析语句如下所示：

SELECT "objectRef.resource" as "resource", count(1) as "count" where  "verb" = 'delete' group by "resource"

操作轨迹图表所关联的查询分析语句如下所示：

select case  when "操作" is null then '无' else "操作" end as "操作", "时间", v from  (select concat(CASE WHEN "objectRef.subresource" is null then "objectRef.resource" else "objectRef.subresource"  end, '[', verb, ']'  ) as "操作", time_series(__time, 'PT1H', 'yyyy-MM-dd HH', '0') as "时间", count(1) as v  from  log where "verb" in ('create', 'patch',  'update', 'delete')  group by "操作", "时间" order by "时间" desc  limit  10000  )

资源操作分布图表所关联的查询分析语句如下所示：

select CASE WHEN "objectRef.subresource" is null then "objectRef.resource" else "objectRef.subresource" end as "资源", verb as "操作", count(1) as total where "verb" in ('create','update','patch','delete') group by "资源", "操作" limit 10000

创建资源列表所关联的查询分析语句如下所示：

SELECT "auditID" as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间", "requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", "requestObject" as "详细内容" where "verb" = 'create' order by __time desc limit 1000

修改资源列表所关联的查询分析语句如下所示：

SELECT auditID as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间","requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", requestObject as "详细内容" where "verb" in ('upate','patch') order by __time desc limit 1000

资源访问列表所关联的查询分析语句如下所示：

SELECT auditID as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间", "requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", requestObject as "详细内容" where "verb" in ('get','list') order by __time desc limit 1000

资源删除列表所关联的查询分析语句如下所示：

SELECT auditID as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间", "requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", requestObject as "详细内容" where "verb" = 'delete' order by __time desc limit 1000

查看CCE日志审计中心

登录云日志服务控制台，在左侧导航栏中选择“仪表盘 ”。

在仪表盘模板下方，选择“CCE仪表盘模板 > CCE日志审计中心”，查看图表详情。

过滤命名空间，所关联的查询分析语句如下所示：
```
select distinct("objectRef.namespace")
```
过滤操作用户，所关联的查询分析语句如下所示：
```
select distinct("user.username")
```
过滤操作类型，所关联的查询分析语句如下所示：
```
select distinct("verb")
```
过滤状态码，所关联的查询分析语句如下所示：
```
select distinct("responseStatus.code")
```
过滤资源对象，所关联的查询分析语句如下所示：
```
select distinct("objectRef.name")
```
过滤资源类型，所关联的查询分析语句如下所示：
```
select distinct("objectRef.resource")
```
过滤请求URL，所关联的查询分析语句如下所示：
```
select distinct("requestURI")
```
过滤UserAgent，所关联的查询分析语句如下所示：
```
select distinct("userAgent")
```

总审计记录数图表所关联的查询分析语句如下所示：

select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log ) )

操作用户数图表所关联的查询分析语句如下所示：

select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc"  from (select compare( total , 86400) as diff from( select count(distinct("user.username")) as total from log ) )

活跃节点数图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(DISTINCT "user.username") as total     from log where "objectRef.resource" = 'nodes' and "objectRef.subresource" = 'status' and "verb" in ('update','put','patch') and "user.username" in ('node','system')) )

异常访问次数图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where "responseStatus.code" >= 400) )

敏感操作次数图表所关联的查询分析语句如下所示：

select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1)  as "total" from log where ("verb" = 'create' AND "objectRef.subresource" = 'exec') OR ("verb" = 'create' AND "objectRef.subresource" = 'attach' AND "objectRef.resource" = 'pods') OR ("objectRef.resource" = 'secrets' AND "verb"= 'get' AND ( "user.username" != 'apiserver') AND ("user.username" not like 'system:node:%')) OR ("verb"= 'delete' AND ( "user.username" not like 'system:node:%') AND ( "user.username" not like 'system:serviceaccount:kube-system:%') AND ( "user.username" != 'system:apiserve') AND ( "user.username" != 'system:apiserve') AND ( "user.username" != 'system:kube-scheduler') AND ("user.username" != 'system:kube-controller-manager'))) )

创建操作次数图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where verb = 'create') )

更新操作次数图表所关联的查询分析语句如下所示：

select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc"  from (select compare( total , 86400) as diff from( select count(1) as total from log where verb in ('update','patch')) )

删除操作次数图表所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where verb = 'delete') )

操作用户分布图表所关联的查询分析语句如下所示：

select "user.username" as "用户名", count(*) as "count"  group by "用户名" order by "count" desc

命名空间分布图表所关联的查询分析语句如下所示：

select "objectRef.namespace" as "命名空间", count(*) as "count"  group by "命名空间"

资源类型分布图表所关联的查询分析语句如下所示：

select "objectRef.resource" as "资源类型", count(*) as "count"  group by "资源类型" order by "count" desc limit 20

操作类型分布图表所关联的查询分析语句如下所示：

select verb as "操作类型", count(*) as "count" group by "操作类型" order by "count" desc

节点操作分布图表所关联的查询分析语句如下所示：

select "verb" as "操作类型", count(*) as "count" where  "objectRef.resource" = 'nodes' AND ("verb" in ('create','delete') ) group by "操作类型" order by "count" desc

工作负载操作分布图表所关联的查询分析语句如下所示：

select "verb" as "操作类型", count(*) as "count" where "verb" in ('create', 'delete') and "objectRef.resource" in ('deployments','statefulsets','daemonsets','jobs','cronjobs') group by "操作类型" order by "count" desc

Service/Ingress操作分布图表所关联的查询分析语句如下所示：

select "verb" as "操作类型", count(*) as "count" where "verb" in ('create', 'delete') and "objectRef.resource" in ('ingressess','services') group by "verb"  order by "count" desc

重要操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT("stageTimestamp", 16),'T',' ') AS "dt", "verb", count(*) as "count" where "verb" in ('create','delete','update','patch') group by "dt", "verb" order by "dt" limit 10000

非系统用户操作趋势图表所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT("stageTimestamp", 16),'T',' ') AS "dt", count(*) as "count", "user.username" as "用户名称" where "user.username" not in ('kube-controller-manager','kube-apiserver-kubelet-client','system','apiserver') group by "dt", "用户名称" order by "dt" limit 10000

父主题： 日志仪表盘模板

上一篇：APIG仪表盘模板

下一篇：CDN仪表盘模板

意见反馈

文档内容是否对您有帮助？

有帮助没帮助

提供反馈

提交成功！非常感谢您的反馈，我们会继续努力做到更好！

系统繁忙，请稍后重试

在使用文档中是否遇到以下问题

内容与产品页面不一致

内容不易理解

缺失示例代码

步骤不可操作

搜不到想要的内容

缺少最佳实践

意见反馈（选填）

0/500

请至少选择一项反馈信息并填写问题反馈

字符长度不能超过500

直接提交取消

CCE仪表盘模板

前提条件

查看CCE日志节点操作

查看CCE日志K8s对象操作

查看CCE日志K8s事件查询

查看CCE日志K8s事件中心

查看CCE日志聚合检索

查看CCE日志账号操作审计

查看CCE日志审计中心

意见反馈

文档内容是否对您有帮助？

文档反馈