Data set parameters

Each stream type can collect different sets of data. A data set lets you define the format of the data received by your origin server, giving you the ability to selectively choose or ignore specific parameters from log data fields.

Note: DataStream provides log data in JSON format. See Report JSON format.

Raw logs data set

Raw logs data set parameters
Group Data element Description
Message exchange data Bytes The content bytes served in the response.
Client IP The IP address of the client.
Forward hostname The hostname of the forward origin server where an edge server sends a request.
HTTP status code The HTTP response status returned to the client.
HTTP version The version of the HTTP protocol used for the transaction.
Protocol type The protocol of the monitored request-response cycle , either HTTP or HTTPS.
Protocol version The version of SSL for the request-response cycle.
Request Host The value of the Host header in the request. It specifies the domain name of the server and the TCP port number on which the server is listening. If no port is included, the default port for the service requested is implied. For example, 443 for an HTTPS URL, and 80 for an HTTP URL.

A Host header must be present in HTTP/1.1 requests. If a request lacks a Host header or has more than one, a server may respond with a 400 status code.

See Host in RFC 7230.

Request method The method of the request. For example, GET, POST, PUT, or HEAD.
Request path The path to a resource in the incoming URI. It doesn’t include query parameters.
Request port The port number for the service requested.
Response Content-Length The value of the Content-Length header in the response. It indicates the size of the entity body sent to the recipient in bytes.

See Content-Length in RFC 7230.

Response Content-Type The value of the Content-Type header in the response. It informs about the media type of the returned content.
User-Agent The value of the User-Agent header in the request. It lets edge servers identify the application, operating system, vendor, or version of the requesting user agent.
Note: To monitor this parameter in your logs, you need to update you data stream's properties to include a Log Request Details behavior that logs the User-Agent header. See Enable logging custom parameters.
Query string The query string in the incoming URI from the client.
Request header data Accept-Encoding The value of the Accept-Encoding header in the request. It informs which content encoding the client is able to understand. It usually is a compression algorithm.

The server may not compress the body of a response. It may happen with images where the data to be sent is already compressed, or the server can't afford the computational overhead caused by the compression requirement.

Accept-Language The value of the Accept-Language header in the request. It provides a list of acceptable human languages for response.

See Accept-Language in RFC 7231.

Authorization Provides credentials for HTTP authentication.
Cache-Control The directives that must be obeyed by all caching mechanisms along the request-response chain.

See Request Cache-Control Directives in RFC 7234.

Connection The control options for the current connection. It lists the hop-by-hop request headers.

See Connection in RFC 7230.

Request Content-MD5 An MD5 digest of the entity body. This digest allows for an end-to-end message integrity check (MIC) of the entity body.

See RFC 1864.

Cookie Lists the HTTP cookies previously sent by the server in the Set-Cookie field.
Note: To monitor this parameter in your logs, you need to update you data stream's properties to include a Log Request Details behavior that logs the Cookie header. See Enable logging custom parameters.

See The Cookie Header in RFC 6265.

DNT Requests a web application to disable tracking of an individual user. This is Mozilla's version of the X-Do-Not-Track header field and versions of Firefox, Safari, and IE9 support this.
Expect Indicates that the client requires particular server behaviors. A server that doesn't understand or is unable to comply with any of the values in this field responds with an appropriate error status such as a 417 Expectation Failed error response. For example, the server may reject a request if its Content-Length is too large.

See Expect in RFC 7231.

If-Match Performs an action if the client-supplied entity matches the same entity on the server. For example, when using a PUT method, a resource is only updated if it hasn't been modified since the user last updated it.

See If-Match in RFC 7232.

If-Modified-Since Determines whether the item cached is older or newer. The server returns the requested resource with a 200 status only if it has been modified after the given date. The server returns a 304 Not Modified status to requests if content is unchanged.

It's ignored when used with If-None-Match, unless the server doesn't support If-None-Match.

See If-Modified-Since in RFC 7237.

If-None-Match Determines whether the item cached is identical to the requested one. The server returns the requested resource if it matches any of the listed ETags. The server returns a 304 Not Modified status if the requested content is unchanged.

When used together with If-Modified-Since, If-None-Match takes precedence.

See If-None-Match in RFC 7323

If-Range Sends the client any parts of the entity that are missing or sends the client the full entity. This header can be used with the Last-Modified or ETag header, but not with both.

See If-Range in RFC 7233.

If-Unmodified-Since Only sends the response if the entity hasn't been modified since a specific time.

Used with If-Range, it ensures that the new requested range comes from an unmodified document.

Used with non-safe methods, it can be used to reject editions if the stored object has been modified since the original was retrieved.

See If-Unmodified-Since in RFC 7232.

Range Requests a specific part of an entity by providing a single byte range or a set of byte ranges. Bytes are numbered from 0.

See Range in RFC 7233.

Referer The address of the resource from which the requested URI was followed.
Note: To monitor this parameter in your logs, you need to update you data stream's properties to include a Log Request Details behavior that logs the Referer header. See Enable logging custom parameters

See Referer in RFC 7231.

Request time The time when the edge server accepted the request from the client.
TE The transfer encodings the user agent is willing to accept.

See TE in RFC 7230.

Upgrade Allows the client to specify what additional protocols it supports if the server needs to switch protocols. For example to upgrade an HTTP connection to use WebSocket.

See Upgrade in RFC 7230.

Via Any proxies that processed the response. It helps track message forwards, avoid request loops, and identify the protocol capabilities of senders along the request and response chain.

See Via in RFC 7230.

X-Forwarded-For The originating IP address of the client connecting to a web server through an HTTP proxy or load balancer. It helps debug, gather statistics, and generate location-dependent content and by design exposes privacy sensitive information,such as the IP address of the client.

See Forwarded For in RFC 7239.

X-Requested-With Identifies Ajax requests.
Response header data Accept-Ranges Whether the edge server supports partial requests. With an Accept-Ranges header, the client can resume interrupted download instead of downloading the resource from the beginning.

See Accept-Ranges in RFC 7233.

Access-Control-Allow-Origin Whether the response can be shared within the given origin.

See Access-Control-Allow-Origin In Fetch specification.

Age The time in seconds that the object has been in cache.

See Age in RFC 7234.

Allow Lists the request methods supported by a resource. An empty header indicates that the resource allows no request methods.

See Allow in RFC 7231.

Cache-Control Specifies the caching rules for the response.

See Response Cache-Control Directives In RFC7234.

Connection Controls whether the network connection stays open once the current request-response cycle finishes.

See Connection in RFC 7230.

Content-Disposition Indicates how the content is to be displayed, whether on a screen or as a file download.

See RFC 6266.

Content-Encoding Specifies encodings applied to the entity-body. It informs about how to decode to obtain the media-type referenced by the Content-Type header.

See Content-Encoding in RFC 7231.

Content-Language Lists the languages for the intended audiences.
Response Content-MD5 Checks the integrity of the message body.

See RFC 1864.

Content-Range Specifies where in a full body message a partial message belongs.

See Date in RFC 7233.

Date The date and time that the message originated.

See Date in RFC 7231.

ETag Identifies a specific version of a resource. It helps caches be more efficient and save bandwidth by eliminating the need to resend a full response if the content hasn't changed. Additionally, etags help prevent simultaneous updates of a resource from overwriting each other.

When used with If-Match headers, it can detect mid-air edit collisions. When used with If-None-Match, it can cache resources that are unchanged.

See ETag in RFC 7237.

Expires The date and time when the message expires. Invalid dates represent a date in the past and mean that the resource is already expired. For example, 0.

If the response includes a Cache-Control header with the max-age or s-maxage directives, the Expires header is ignored.

See Expires in RFC 7234.

Last-Modified The date and time when the resource was last modified by the origin. Conditional requests specifying the If-Modified-Since or If-Unmodified-Since headers use this header.

See Last-Modified in RFC 7232.

Link Links to a resource containing additional information.
P3P States the data that will be collected about requesting users.
Retry-After The length of time the user agent should wait before sending a follow-up request.

In a 503 (Service Unavailable) response, it indicates how long the service is expected to be unavailable.

In a 429 (Too Many Requests) response, it indicates how long to wait before making a new request.

In a redirect response, such as 301 (Moved Permanently), it indicates the minimum time that the user agent is asked to wait before issuing the redirected request.

See Retry-After in RFC 7231.

Server Information about the software that the origin server used to handle the request.

See Server in RFC 7231

Set-Cookie Allows sending cookies in the response to the user agent so it can send them back to the server later.

See Set-Cookie in RFC 6265.

Trailer Allows the sender to include additional fields at the end of chunked messages to supply metadata that might be dynamically generated while the message body is sent, such as a message integrity check, digital signature, or post-processing status.

See Trailer in RFC 7230

Transfer-Encoding Enables the use of metadata fields. It is a hop-by-hop header attached to a message between two nodes, not to a resource. Each segment of a multi-node connection can use different Transfer-Encoding values.

See Transfer-Encoding in RFC 7230.

Vary The headers used to determine whether to send the response to a subsequent request without any additional validation.

See Vary in RFC 7230.

Via The protocols used to send the response from the originating server to the requesting client.

See Via in RFC 7230.

Warning Provides information about transformations made to the message’s entity body.
WWW-Authenticate The authentication method that should be used to gain access to a resource. It is required for all 401 Unauthorized response messages.

See WWW-Authenticate in RFC 7235.

X-Powered-By The type of technology the web application uses.
Network performance data Asnum Autonomous systems number for the client request.
Client RTT The round trip time (RTT) in milliseconds from when a request goes from a client to an edge server and back again to the starting point.
Download time The time in milliseconds from when the edge server first accepts the request to when it sends the last byte, not when the client acknowledges receiving the last byte.
Download status The overall download status of an object represented by a series of four boolean values. It provides data in the following format:
<first_byte><last_byte><full_object><if_aborted>
where:
  • <first_byte> specifies whether the edge server returned the first byte of the object.
    • 1 indicates that the server returned the first byte.
    • 0 indicates that it didn’t.
  • <last_byte> specifies whether the edge server the last byte of the object.
    • 1 indicates that the server returned the last byte.
    • 0 indicates that it didn’t.
  • <full_object> specifies if the edge server returned the full requested object.
    • 1 indicates the edge server returned the requested object.
    • 0 indicates that it didn't.
    Note: Returning a full object may not always mean returning the first and last bytes of an object. When you request a range of bytes, returning a full object means returning the first and last bytes of the requested range.
  • <if_aborted> specifies whether the client aborted the transaction.
    • 1 indicates that the client aborted the transaction.
    • 0 indicates that they didn’t.
Edge IP The IP address of the edge server that served the response to the client. This is useful when resolving issues with your account representative.
Error code f29 If there is an error during forwarding requests from an edge server, a string indicating the problem is logged here.
Error code r14 If there is an error serving the request, a string indicating the problem is logged here.
Last byte The last byte of the object was served by this response. 0 would indicate part of a byte-range response.
Mid mile latency The time it takes the Akamai platform to process a request. Usually, it is the time for a complete request and response cycle, but these values could be separated.
Net origin latency The time in milliseconds from when the last byte of the request leaves the edge server that is closest to the data center to when this edge server receives the first byte of the response from the data center.

This value includes:

  • Time the origin takes to process the request before delivering the response
  • Network latency between an edge server and a data center

This value shouldn't include:

  • Time to establish the connection with the origin
    Note: If included, the origin connection time may or may not include the TCP and SSL/TLS establishment times or any possible failover and retry cycles that may have happened.
  • Network time or computing events that may have happened upstream in the Akamai transaction
Geo Area The area where the request originated.
City The city where the request originated.
Country The country where the request originated.
Latitude The latitude where the request originated.
Longitude The longitude where the request originated.
Region The region where the request originated. The region may be a state, province, or other large territory.
Zip The zip code the request was sent from.
Network data Bandwidth Specifies the bandwidth usage.
Network The network that originated the request.
Network type The type of network that originated the request.
Proxy The proxy or browser type.
Throughput The average throughput.
Cache data Cacheable Indicates whether the object was cacheable.
  • 1 indicates that the server determined, based on response headers and metadata, that the object was cacheable.
  • 0 indicates that it wasn’t.
Cache hierarchy Categorizes the bytes served to the client by the forward server type that sent them. It provides data in the following order:
<peer_server>/<parent_server>/<origin_server>/<NetStorage>/<Akamai_origin>
where:
  • <peer_server> are the bytes served by an in-region peer edge server.
  • <parent_server> are the bytes served by a parent edge server.
  • <origin_server> are the bytes served by the origin server.
  • <NetStorage> are the bytes served from NetStorage.
  • <Akamai_origin> are the bytes served by any edge server that a request was forwarded to.
Cache Hit Indicates whether the requested object was served entirely from the cache memory.
  • 1 indicates the edge server retrieved the entire object from the cache.
  • 0 indicates that the server had to fetch some bytes of the object.
Cache stats Logs the bytes served entirely from the cache. It provides data in the following format:
<bytes_from_cache>/<total_bytes_to_client>
where:
  • <bytes_from_cache> are the bytes of the object or requested range served from the cache.
  • <total_bytes_to_client> are the bytes of the object or requested range sent to the client.
    Note: For regular objects, either none or all bytes of the object come from the cache.
Cache status Specifies whether a request was a cache hit or a cache miss and indicates the server type that provided the object.
  • 0 indicates that the content was non-cacheable.
  • 1 indicates that the object was served from a child edge server.
  • 2 indicates that the object was served from an in-region peer edge server or a parent edge server.
  • 3 indicates that the object was served from the origin server.
  • 4 indicates that the response to the request had a code status other than: 200, 203, 301, 302, 410. It also indicates that the object was served from the cache.
Waf data Anom scr A comma-delimited list of anomaly scores for the triggered rules.
Note: This field's value is URL-encoded.
Deny actions The resulting actions of the deny rules triggered by the request as specified in the Deny rules field.
  • 3 indicates that the rule denied the request. See About rules in the Cloud Monitor Help.
Note: This field's value is URL-encoded.
Deny data Additional information about the risk group that triggered the deny action.
Note: This field's value is URL and Base64-encoded to prevent control characters from impacting parsing.
Deny msg The messages reported by the deny rules triggered by the request. This is a semicolon-delimited list.
Note: This field's value is URL-encoded.

See About rules in the Cloud Monitor Help.

Deny rules Identifiers of all deny rules triggered by the request. This is a colon-delimited list.

See About rules in the Cloud Monitor Help.

Deny slrs The locations in the request that triggered each deny rule. This is a semicolon-delimited list.
P action The resulting action for a slow POST attack, either W for warn, or A for deny (abort).
Policy id The identifier of the firewall policy applied to the request.

See Security policies in the Cloud Security Help.

P rate The recorded rate in bytes per second of a slow POST attack.
Risk groups Risk groups whose rule thresholds have been triggered. This is a colon-delimited list.

See KONA WAF rules.

Risk tuples Identifiers of the rules triggered within each risk group from the Risk groups field. Within a colon-delimited risk group, multiple rules are hyphen-delimited.
Risk scores Risk scores of each triggered rule from the Risk tuples field. Within a colon-delimited risk group, each rule’s score is hyphen-delimited.
Waf version The version of a Web Application Firewall (WAF) data set. This is version 2.0.

See Update rule set in the Cloud Monitor Help.

Warn actions The resulting actions of the warn rules triggered by the request as specified in the Warn rules field. This is a colon-delimited list.
  • 2 indicates that the rule logged an alert. See About rules in the Cloud Monitor Help.
Note: This field's value is URL-encoded.
Warn data The user data of the triggered rules from the Warn rules field. User data is a specific string within a selector that triggered the rule. This is a colon-delimited list.
Note: This field's value is URL and Base64-encoded to prevent control characters from impacting parsing.

See About rules in the Cloud Monitor Help.

Warn msg The messages reported by the warn rules triggered by the request.

This is a semicolon-delimited list.

Note: This field's value is URL-encoded.

See About rules in the Cloud Monitor Help.

Warn rules Identifiers of the rules triggered by the request. This is a semicolon-delimited list.

See About rules in the Cloud Monitor Help.

Warn slrs The selectors of the triggered rules from the Warn rules field. A selector is the location of the request or response that triggered the rule, such as the name of an HTTP header. This is a semicolon-delimited list.
Warn tags The tags of the triggered rules from the Warn rules field . Tags are used for classification and categorization. This is a semicolon-delimited

See KONA WAF rules.

Aggregated metrics data set

Aggregated metrics data set parameters
Group Metric Description Example
Edge response time Edge response time Specifies the latency observed for requests that results from:
  • a cache-hit at Akamai
  • a cache-miss at Akamai
  • a cache-hit at child or parent level
  • a cache-miss at child or parent level
  • non-cacheable requests
"edgeResponseTime": 8.46
HTTP status code
  • 2xx
  • 3xx
  • 4xx
  • 5xx
The count of requests that resulted in 2xx, 3xx, 4xx, and 5xx status codes.
Note: Apart from aggregating status codes for each category, DataStream also returns x_dist member to show the distribution of specific status codes within these categories.
"2xx": 53, 
"2xx_dist": {
   "200": 53
} 
Traffic volumes Requests per second Specifies the requests sent per second to the edge server.
"bytesPerSecond": 29558.67
Bytes per second Specifies the bytes per second received from the edge server.
"requestsPerSecond": 0.88
CDN offload Cache Hits Specifies the count of requests that were cache hits.
"numCacheHit": 53
            
Cache misses Specifies the count of requests that were cache misses.
"numCacheMiss": 0
            
Offload rate Specifies the offload rate over the period.
"offloadRate": 100.0
Origin response time The time in milliseconds from when the last byte of the request leaves the edge server that is closest to the data center to when this edge server receives the first byte of the response from the data center.

This value includes:

  • Time the origin takes to process the request before delivering the response
  • Network latency between an edge server and a data center

This value shouldn't include:

  • Time to establish the connection with the origin
    Note: If included, the origin connection time may or may not include the TCP and SSL/TLS establishment times or any possible failover and retry cycles that may have happened.
  • Network time or computing events that may have happened upstream in the Akamai transaction
"originResponseTime": 0