I'll show you how to list all the clients of your's application HTTP endpoints, how large is the traffic they generate and how it's exactly distributed in a given period of time. That few queries below could easily reveal the knowledge about application dependencies (with a minimal effort on your end) that you might be not aware of.
At the very beginning I'm gonna show you how the log structure looks like in my case. It may differ how it would look like in your application but what's matter is to highlighting a values that you need to achieve our goal to find out who is calling your application endpoints.
JSON structure
- User Agent of the client - in my case it's passed in request headers as key user-agent which needs to be parsed first because even that key is auto-discovered by CloudWatch it contains a dash (-) in a key name so cannot be used in a query,
- value that distinguish Http Request Log - message,
- Http Request Method - context.method,
- Http Request Name - context.route - we cannot use exact URI that was called by client because the same URIs may differ when endpoint has param inside endpoint path e.g. {{id}} of the resource it refers to - which makes logs aggregation not possible,
- Caller IP - context.clientIp,
馃搳 List all the Clients per endpoint
fields @timestamp, @message, @logStream, @log | parse @message '"user-agent":["*"]' as userAgent | filter message = "HTTP_REQUEST" | display context.method, context.route, userAgent, context.clientIp | sort context.method, context.route, userAgent asc | dedup context.route, context.clientIp
fields @timestamp, @message, @logStream, @log | parse @message '"user-agent":["*"]' as userAgent | filter message = "HTTP_REQUEST" and ispresent(userAgent) | stats count(userAgent) as endpointCallByExternalService by userAgent | sort endpointCallByExternalService desc
Based on results above you need to manually parse each Client that you want to see in this chart and add it in the stats section to finally display it.
fields @timestamp, @message, @logStream, @log | parse @message '"user-agent":["*"]' as userAgent | parse userAgent /(?<isGo>Go-http-client?)/ | parse userAgent /(?<isSymfony>Symfony?)/ | parse userAgent /(?<isPostman>PostmanRuntime?)/ | parse userAgent /(?<isJava>Java?)/ | parse userAgent /(?<isPython>python-requests?)/ | parse userAgent /(?<isRuby>Ruby?)/ | filter message = "HTTP_REQUEST" and ispresent(userAgent) | stats count(isGo), count(isSymfony), count(isPostman), count(isJava), count(isPython), count(isRuby) by bin(1h)
- does one User Agent is represented by two or more systems (e.g. two application implemented in Java)?
- which of the User Agents are internal system and which one are external?
- why these are needing date from your application?
- why traffic distribution looks exactly like this?
Brak komentarzy:
Prze艣lij komentarz