---
title: Searching for requests
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/reference/searching-for-requests
---


You can view a list of individual requests that have been tagged with signals and that fit into the [all or sampled](/guides/next-gen-waf/data-storage-and-privacy/about-data-storage-and-privacy/#storage-categories) data storage category. This guide describes the different search functionality and search syntax you can use to narrow this list.

## Filtering

You can use filters to find requests that meet specific criteria. Selected values auto-populate in the [search bar](#search-bar) where you can further modify the query.

In the Next-Gen WAF control panel, filter options on the [Requests](/guides/next-gen-waf/monitoring/monitoring-requests#accessing-the-requests-page) page include:

* **Time:** filters the requests list based on when the requests were sent. For example, when `2 hours` is selected, only requests that were made in the last two hours appear on the page.
* **Attack signals:** filters the requests list based on the attack signals that requests are tagged with. For example, when `Attack Tooling` is selected, only requests tagged with the `Attack Tooling` signal appear on the page.
* **Anomaly signals:** filters the requests list based on the anomaly signals that requests are tagged with. For example, when `Address Changed` is selected, only requests tagged with the `Address Changed` signal appear on the page.
* **Response codes:** filters the requests list based on the response codes associated with requests. For example, when `404` is selected, only requests with a `404` response code appear on the page.

In the Fastly control panel, filter options on the [Requests](/guides/next-gen-waf/monitoring/monitoring-requests#accessing-the-requests-page) page include:

* **Time menu:** filters the requests list based on when the requests were sent. For example, when `2 hours` is selected, only requests that were made in the last two hours appear on the page.
* **[Query builder](#query-builder):** used in conjunction with the Time menu, filters the requests list by tag (a particular signal on a request) or HTTP status code.

## Search bar

You can enter free-text and explicit queries into the search bar to find requests that meet specific criteria. Explicit queries follow the `<key><operator><value>` syntax, where:

* the **[key](#keys)** is the field to search upon.
* the **[operator](#operators)** defines the relationship of the key to the value.
* the **value** is the specific value used to filter the requests list.

Example free-text and explicit queries are as follows:

| Free-text query         | Explicit query                    | Description                                             |
| ----------------------- | --------------------------------- | ------------------------------------------------------- |
| `/a/path/here sqli -7h` | `path:/a/path/here sqli from:-7h` | Show all SQLI in last 7 hours with this particular path |
| `RU`                    | `country:ru`                      | All recent requests from Russia                         |
| `cn 500`                | `country:cn httpcode:500`         | All recent requests from China that had a 500 error     |
| `404 233.252.0.23`      | `httpcode:404 ip:233.252.0.23`    | Recent requests from an IP that had a 404 error         |

### Keys

The keys that you can search on are as follows:

| Name             | Type    | Description  |
|------------------|---------|--------------|
| `agent`          | string  | For On-Prem WAF deployments, the `agent` is the server hostname (or alias) for the agent (`agent:~hostname`, `agent:~appname`, `agent:hostname.appname`, or `agent:hostname-appname`). For Edge WAF deployments, the `agent` is the domain or server hostname the request is trying to access (e.g., `agent:www.example.com`).  |
| `agentcode`      | integer | The agent's internal response code |
| `bytesout`       | integer | HTTP response size in bytes |
| `country`        | string  | Request estimated country of origin (e.g., US, RU)|
| `from`           | time    | Filter output with requests since a particular date. Check out the [Time](#time) section for more information. |
| `httpcode`       | integer | The response's HTTP response code |
| `ip`             | string  | Single IPv4 (`ip:198.51.100.128`)<br/>Single IPv6 (`ip:2001:0db8:1681:f16f:d4dc:a399:c00d:0225`)<br/>IPv4 CIDR (`ip:198.51.100.0/24`)<br/>IPv6 CIDR (`ip:2001:0db8:1681:f16f::/64`)<br/>IPv4 range (`ip:198.51.100.0..198.51.100.255`)<br/>IPv6 range (`ip:2001:0db8:1681:f16f::` through `2001:0db8:1681:f16f:ffff:ffff:ffff:ffff`) |
| `ja3`            | string  | JA3 fingerprint |
| `ja4`            | string  | JA4 fingerprint |
| `list`           | string  | Clients that have triggered flagged events. `flagged` is the only supported value. |
| `method`         | string  | HTTP Method (e.g., GET, POST) |
| `path`           | string  | Request URL path, does not include query parameters |
| `payload`        | string  | The data that triggered a signal (i.e., the attack value) |
| `protocol`       | string  | HTTP Request Protocol, typically HTTP/1.1 or HTTP/1.0 |
| `ratelimited`    | string  | Requests that have been tagged with a specific [threshold signal](/guides/next-gen-waf/rules/working-with-advanced-rate-limiting-rules/) and have been rate limited. The search syntax is `ratelimited: site.<threshold-signal>`. You will need to replace `<threshold-signal>` with the name of the threshold signal that you want to search for. |
| `responsemillis` | integer | HTTP response time in milliseconds |
| `remotehost`     | string  | Remote hostname (`remotehost:www.example.com`) or subdomain match (`remotehost:~example.com`) |
| `requestheader`  | string  | [Supported request header](#requestheader-key) (e.g., `requestheader:Accept-Encoding:gzip`) |
| `ruleid`         | string  | The ID of a rule |
| `server`         | string  | Requested server name in the HTTP request (e.g., `example.com` if `http://example.com/name`) |
| `tag`            | string  | A particular signal on a request (e.g., SQLI, XSS). Check out the [Signals](#signals) section for more information.  |
| `target`         | string  | Server + Path |
| `sort`           | string  | Sort with `time-asc` (oldest first) or `time-desc` (most recent first) |
| `until`          | time    | Filter output with requests before a particular date. Check out the [Time](#time) section for more information. |
| `useragent`      | string  | The request's user agent (browser) |

#### `requestheader` key

You can search on request headers using the `requestheader:<headername>:<headervalue>` syntax (e.g., `requestheader:Accept-Encoding:gzip`). Header names can be entered with or without capitalization. The `requestheader` key supports all search [operators](#operators) (e.g., `-requestheader:Accept-Encoding:gzip` or `requestheader:~Accept-Encoding:gz`) and the following request headers:

* `Accept`
* `Accept-Encoding`
* `Cache-Control`
* `Content-Length`
* `Content-Type`
* `Origin`
* `Referrer`
* `Sec-Ch-Ua`
* `Sec-Ch-Ua-Mobile`
* `Sec-Ch-Ua-Platform`
* `Sec-Ch-Ua-Platform-Version`
* `Sec-Ch-Ua-Arch`
* `Sec-Ch-Ua-Bitness`
* `Sec-Ch-Ua-Full-Version-List`
* `Sec-Ch-Ua-Model`
* `Sec-Fetch-Dest`
* `Sec-Fetch-Mode`
* `Sec-Fetch-Site`
* `Sec-Fetch-User`
* `Upgrade-Insecure-Requests`
* `User-Agent`
* `X-Bug-Bounty`
* `X-Forwarded-For`
* `X-Forwarded-Host`
* `X-Forwarded-Port`
* `X-Forwarded-Proto`
* `X-Forwarded-Server`
* `X-Real-Ip`

### Operators

When using operators, keep in mind the following:

* All values below can be quoted to allow for spaces.
* Adding `-` (minus) before any key negates the operation.
* Different key names function as an AND operator (`from:-1h path:/foo`).
* Multiple keys with the same name function as an OR operator (`path:/foo path:/bar` should return paths matching either `/foo` or `/bar`).

Supported operators include:

| Operator             | Meaning                                                                                |
| ---------------------| -------------------------------------------------------------------------------------- |
| `key:value`          | equals                                                                                 |
| `key:=value`         | equals, alternate syntax                                                               |
| `-key:value`         | not equals, general negation of all operators                                          |
| [`+key:value`](/guides/next-gen-waf/reference/searching-for-requests/#-operator) | search results must include the specified key and its value |
| `key:!=value`        | not equals, alternate syntax                                                           |
| `key:>value`         | greater-than, integers only                                                            |
| `key:>=value`        | equals or greater-than, integers only                                                  |
| `key:<value`         | less-than, integers only                                                               |
| `key:<=value`        | equals or less-than, integers only                                                     |
| `key:value1..value2` | in range between `value1` and `value2`, integers only. For time see `from` and `until` |
| `key:~value`         | search on the field with the terms provided                                            |
| `key:"*value"`, `key:"value*"`, or `key:"val*ue"` | search on a partial value (e.g., `remotehost:~"*fiber*"`). The `*` can match any number of characters. |

#### `+` operator

Use the `+` operator to find requests that include multiple instances of the same key. For example, a search for `tag:CMDEXE +tag:TRAVERSAL` returns requests tagged with both the `CMDEXE` AND the `TRAVERSAL` signal. Without the `+` operator, the `tag:CMDEXE tag:TRAVERSAL` search would return requests tagged with either the `CMDEXE` OR the `TRAVERSAL` signal.

When building search queries that use the `+` operator, keep in mind the following:

* The `+` operator only supports the `payload`, `ruleid`, and `tag` keys.
* When there is only one instance of a key in a search, the `+` operator is unnecessary. The search results will already include the key and its value. For example, both `+tag:scanner country:us` and `tag:scanner country:us` return the same requests.
* When there are two instances of the same key in a search, the placement of the `+` operator does not change the result. For example, the following searches return the same result: `+tag:suspected-bad-bot +tag:scanner`, `+tag:suspected-bad-bot tag:scanner`, and `tag:suspected-bad-bot +tag:scanner`.
* When there are multiple instances of the same key in a search, instances without the `+` operator are grouped using OR logic. For example, a search for `+tag:suspected-bad-bot tag:scanner tag:sans` looks for requests that have been tagged with both the `SUSPECTED-BAD-BOT` and `SCANNER` signals or requests that have been tagged with both the `SUSPECTED-BAD-BOT` and `SANS` signals.
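
The grouping rules above can be checked against a small model. The following is an added example, not Fastly's search engine: it implements only `key:value` equality and the `+` rules as this page describes them, treats values as case-insensitive (as the page's `tag:scanner` examples suggest), and runs over constructed sample requests. The names `parse`, `matches`, `search`, and `REQUESTS` are hypothetical.

```python
import shlex

# Per the page, "+" is only supported on these keys.
PLUS_KEYS = {"payload", "ruleid", "tag"}

# Constructed sample requests, not real traffic.
REQUESTS = [
    {"id": 1, "tag": {"CMDEXE"}, "country": "us"},
    {"id": 2, "tag": {"TRAVERSAL"}, "country": "us"},
    {"id": 3, "tag": {"CMDEXE", "TRAVERSAL"}, "country": "ru"},
    {"id": 4, "tag": {"SUSPECTED-BAD-BOT", "SANS"}, "country": "us"},
    {"id": 5, "tag": {"SUSPECTED-BAD-BOT", "SCANNER"}, "country": "us"},
    {"id": 6, "tag": {"SCANNER"}, "country": "us"},
]

def parse(query):
    """Split a query into (required, key, value) terms; only equality is modelled."""
    terms = []
    for token in shlex.split(query):  # shlex keeps quoted values with spaces together
        required = token.startswith("+")
        key, _, value = token.lstrip("+").partition(":")
        key = key.lower()
        if required and key not in PLUS_KEYS:
            raise ValueError(f"'+' is not supported on key {key!r}")
        terms.append((required, key, value.lower()))
    return terms

def matches(request, query):
    by_key = {}
    for required, key, value in parse(query):
        by_key.setdefault(key, {True: [], False: []})[required].append(value)
    for key, groups in by_key.items():  # different keys combine with AND
        have = request.get(key, set())
        have = {v.lower() for v in (have if isinstance(have, set) else {str(have)})}
        if not all(v in have for v in groups[True]):  # every "+" value is required
            return False
        if groups[False] and not any(v in have for v in groups[False]):  # the rest are OR'd
            return False
    return True

def search(query):
    """Return the ids of the sample requests that the query selects."""
    return [r["id"] for r in REQUESTS if matches(r, query)]
```

With this sample data, `tag:CMDEXE tag:TRAVERSAL` selects requests 1, 2, and 3, while `tag:CMDEXE +tag:TRAVERSAL` selects only request 3.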

### Time

Time ranges can be specified in a number of ways using the `from` and `until` keys.

Queries on the Requests page are limited to a maximum time range of 7 days. Queries that span more than a 7-day period will not yield any results. For example, if you wanted to find results from 2 weeks ago, your query would need to use `from:-21d until:-14d`, which would be a 7-day window. A query of just `from:-21d` would not yield any results as that would be a 21-day window.

#### Relative time

| Suffix   | Meaning                   |
| -------- | ------------------------- |
| `-5s`    | 5 seconds ago (from now)  |
| `-5min`  | 5 minutes ago             |
| `-5h`    | 5 hours ago               |
| `-5d`    | 5 days ago                |
| `-5w`    | 5 weeks ago               |
| `-5mon`  | 5 months ago              |
| `-5y`    | 5 years ago               |

Example:

* `from:-5h`  (until now)
* `from:-5h until:-4h` (one hour range)

#### Absolute time

Absolute time is also allowed using:

* Unix UTC Seconds Since Epoch
* Java/JavaScript UTC Milliseconds since Epoch
* ISO Date format `YYYYMMDD`

Example Absolute Time: Unix UTC Seconds

* `from:141384000`  (until now)
* `from:141384000 until:1413844691`

Example Absolute Time: Java/JavaScript Milliseconds UTC

* `from:141384000000`  (until now)
* `from:141384000000 until:1413844691000`

Example Absolute Date: `YYYYMMDD`

* `from:20141031`  (until now)
* `from:20141031 until:20141225`

You can also mix and match time formats:

* `from:20141031 until:-1h`
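
Because a query wider than 7 days returns nothing, reviewing a longer period means issuing several queries. The following added example (not part of the original guide or Fastly tooling) splits a period into consecutive windows of at most 7 days and renders each as `from:`/`until:` in the Unix-seconds format; the function name `window_queries` and its `filters` parameter are hypothetical.

```python
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(days=7)  # per the page, wider ranges yield no results

def window_queries(start, end, filters=""):
    """Return explicit queries covering start..end in windows of at most 7 days.

    `filters` is any other query text (e.g. "tag:SQLI") repeated in every window.
    Adjacent windows share a boundary timestamp.
    """
    if start.tzinfo is None or end.tzinfo is None:
        # Epoch values are UTC; a naive datetime would be read as local time.
        raise ValueError("use timezone-aware datetimes")
    if end <= start:
        raise ValueError("end must be after start")
    queries, cursor = [], start
    while cursor < end:
        stop = min(cursor + MAX_WINDOW, end)
        span = f"from:{int(cursor.timestamp())} until:{int(stop.timestamp())}"
        queries.append(f"{filters} {span}".strip())
        cursor = stop
    return queries

if __name__ == "__main__":
    # Constructed dates: a 21-day review period becomes three 7-day queries.
    begin = datetime(2014, 10, 1, tzinfo=timezone.utc)
    for q in window_queries(begin, begin + timedelta(days=21), "tag:SQLI"):
        print(q)
```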

### Signals

In the search bar, you can use the `tag` key to filter requests by a specific [signal](/guides/next-gen-waf/signals/about-signals) (e.g., SQLI, XSS).

| Signal type                | Description |
| -------------------------- | ----------- |
| System signal              | The search syntax is `tag:<system-signal>`. Be sure to replace `<system-signal>` with the name of the [system signal](/guides/next-gen-waf/signals/using-system-signals/) that you want to search for. |
| Corp (account) custom signal   | The search syntax is `tag:corp.<corp-custom-signal>`. Be sure to replace `<corp-custom-signal>` with the name of the corp (account) custom signal that you want to search for. |
| Site (workspace) custom signal   | The search syntax is `tag:site.<site-custom-signal>`. Be sure to replace `<site-custom-signal>` with the name of the site (workspace) custom signal that you want to search for. |

## Query builder

> **IMPORTANT:** The Query builder is only available in the Fastly control panel, not the Next-Gen WAF control panel.

The Query builder lets you filter for requests with a specific combination of tags (e.g. NOUA) and HTTP status codes (e.g. 404, 500).

To filter results using the Query builder:

1. Use the **Time menu** to specify a time range for when requests were sent.
1. Click **Query builder**.
1. From the **Tag** and **HTTP Code** tabs, select the combinations of tags and codes you want to filter on. Your selections are populated in the search bar.

   Click **Select All** on either tab to select all tags or all HTTP codes. Click **Clear selection** on a given tab to clear selections on that tab or **Clear all** to clear all Query builder filters.
1. Exit the Query builder.
1. Click **Search**.

## Related content

* [Monitoring requests](/guides/next-gen-waf/monitoring/monitoring-requests)
