---
title: Searching for requests
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/reference/searching-for-requests
---

You can view a list of individual requests that have been tagged with signals and that fit into the [all or sampled](https://www.fastly.com/documentation/guides/next-gen-waf/data-storage-and-privacy/about-data-storage-and-privacy/#storage-categories) data storage category. This guide describes the different search functionality and search syntax you can use to narrow this list.

## Filtering

You can use filters to find requests that meet specific criteria. Selected values auto-populate in the [search bar](https://www.fastly.com/documentation/guides/next-gen-waf/reference/searching-for-requests#search-bar) where you can further modify the query.

### Next-Gen WAF Control Panel

Filter options on the [Requests](https://www.fastly.com/documentation/guides/next-gen-waf/monitoring/monitoring-requests#accessing-the-requests-page) page include:

- **Time:** filters the requests list based on when the requests were sent. For example, when `2 hours` is selected, only requests that were made in the last two hours appear on the page.
- **Attack signals:** filters the requests list based on the attack signals that requests are tagged with. For example, when `Attack Tooling` is selected, only requests tagged with the `Attack Tooling` signal appear on the page.
- **Anomaly signals:** filters the requests list based on the anomaly signals that requests are tagged with. For example, when `Address Changed` is selected, only requests tagged with the `Address Changed` signal appear on the page.
- **Response codes:** filters the requests list based on the response codes associated with requests. For example, when `404` is selected, only requests with a `404` response code appear on the page.

### Fastly Control Panel

Filter options on the [Requests](https://www.fastly.com/documentation/guides/next-gen-waf/monitoring/monitoring-requests#accessing-the-requests-page) page include:

- **Time menu:** filters the requests list based on when the requests were sent. For example, when `2 hours` is selected, only requests that were made in the last two hours appear on the page.
- **[Query builder](https://www.fastly.com/documentation/guides/next-gen-waf/reference/searching-for-requests#query-builder):** used in conjunction with the Time menu, filters the request list by tag (a particular signal on a request) or HTTP status code.

## Search bar

You can enter free-text and explicit queries into the search bar to find requests that meet specific criteria. Explicit queries follow the `<key><operator><value>` syntax, where:

- the **[key](https://www.fastly.com/documentation/guides/next-gen-waf/reference/searching-for-requests#keys)** is the field to search upon.
- the **[operator](https://www.fastly.com/documentation/guides/next-gen-waf/reference/searching-for-requests#operators)** defines the relationship of the key to the value.
- the **value** is the specific value used to filter the requests list.

Example free-text and explicit queries are as follows:

| Free-text query         | Explicit query                    | Description                                             |
| ----------------------- | --------------------------------- | ------------------------------------------------------- |
| `/a/path/here sqli -7h` | `path:/a/path/here sqli from:-7h` | Show all SQLI in last 7 hours with this particular path |
| `RU`                    | `country:ru`                      | All recent requests from Russia                         |
| `cn 500`                | `country:cn httpcode:500`         | All recent requests from China that had a 500 error     |
| `404 233.252.0.23`      | `httpcode:404 ip:233.252.0.23`    | Recent requests from an IP that had a 404 error         |

### Keys

The keys that you can search on are as follows:

| Name             | Type    | Description                                                                                                                                                                                                                                                                                                                                                                            |
| ---------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `agent`          | string  | For On-Prem WAF deployments, the `agent` is the server hostname (or alias) for the agent (`agent:~hostname`, `agent:~appname`, `agent:hostname.appname`, or `agent:hostname-appname`). For Edge WAF deployments, the `agent` is the domain or server hostname the request is trying to access (e.g., `agent:www.example.com`).                                                         |
| `agentcode`      | integer | The agent's internal response code |
| `bytesout`       | integer | HTTP response size in bytes                                                                                                                                                                                                                                                                                                                                                            |
| `country`        | string  | Request estimated country of origin (e.g., US, RU)                                                                                                                                                                                                                                                                                                                                     |
| `from`           | time    | Filter output with requests since a particular date. Check out the [Time](https://www.fastly.com/documentation/guides/next-gen-waf/reference/searching-for-requests#time) section for more information.                                                                                                                                                                                |
| `httpcode`       | integer | The response's HTTP response code |
| `ip`             | string  | Single IPv4 (`ip:198.51.100.128`)<br/>Single IPv6 (`ip:2001:0db8:1681:f16f:d4dc:a399:c00d:0225`)<br/>IPv4 CIDR (`ip:198.51.100.0/24`)<br/>IPv6 CIDR (`ip:2001:0db8:1681:f16f::/64`)<br/>IPv4 range (`ip:198.51.100.0..198.51.100.255`)<br/>IPv6 range (`ip:2001:0db8:1681:f16f::` through `2001:0db8:1681:f16f:ffff:ffff:ffff:ffff`)                                                   |
| `ja3`            | string  | JA3 fingerprint                                                                                                                                                                                                                                                                                                                                                                        |
| `ja4`            | string  | JA4 fingerprint                                                                                                                                                                                                                                                                                                                                                                        |
| `list`           | string  | Clients that have triggered flagged events. `flagged` is the only supported value.                                                                                                                                                                                                                                                                                                     |
| `method`         | string  | HTTP Method (e.g., GET, POST)                                                                                                                                                                                                                                                                                                                                                          |
| `path`           | string  | Request URL path, does not include query parameters                                                                                                                                                                                                                                                                                                                                    |
| `payload`        | string  | The data that triggered a signal (i.e., the attack value)                                                                                                                                                                                                                                                                                                                              |
| `protocol`       | string  | HTTP Request Protocol, typically HTTP/1.1 or HTTP/1.0                                                                                                                                                                                                                                                                                                                                  |
| `ratelimited`    | string  | Requests that have been tagged with a specific [threshold signal](https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-advanced-rate-limiting-rules/) and have been rate limited. The search syntax is `ratelimited: site.<threshold-signal>`. You will need to replace `<threshold-signal>` with the name of the threshold signal that you want to search for. |
| `responsemillis` | integer | HTTP response time in milliseconds                                                                                                                                                                                                                                                                                                                                                     |
| `remotehost`     | string  | Remote hostname (`remotehost:www.example.com`) or subdomain match (`remotehost:~example.com`)                                                                                                                                                                                                                                                                                          |
| `requestheader`  | string  | [Supported request header](https://www.fastly.com/documentation/guides/next-gen-waf/reference/searching-for-requests#requestheader-key) (e.g., `requestheader:Accept-Encoding:gzip`)                                                                                                                                                                                                   |
| `ruleid`         | string  | The ID of a rule                                                                                                                                                                                                                                                                                                                                                                       |
| `server`         | string  | Requested server name in the HTTP request (e.g., `example.com` if `http://example.com/name`) |
| `tag`            | string  | A particular signal on a request (e.g., SQLI, XSS). Check out the [Signals](https://www.fastly.com/documentation/guides/next-gen-waf/reference/searching-for-requests#signals) section for more information.                                                                                                                                                                           |
| `target`         | string  | Server + Path                                                                                                                                                                                                                                                                                                                                                                          |
| `sort`           | string  | Sort with `time-asc` (oldest first) or `time-desc` (most recent first)                                                                                                                                                                                                                                                                                                                 |
| `until`          | time    | Filter output with requests before a particular date. Check out the [Time](https://www.fastly.com/documentation/guides/next-gen-waf/reference/searching-for-requests#time) section for more information. |
| `useragent`      | string  | The request's user agent (browser)                                                                                                                                                                                                                                                                                                                                                     |

#### `requestheader` key

You can search on request headers using the `requestheader:<headername>:<headervalue>` syntax (e.g., `requestheader:Accept-Encoding:gzip`). Header names can be entered with or without capitalization. The `requestheader` key supports all search [operators](https://www.fastly.com/documentation/guides/next-gen-waf/reference/searching-for-requests#operators) (e.g., `-requestheader:Accept-Encoding:gzip` or `requestheader:~Accept-Encoding:gz`) and the following request headers:

- `Accept`
- `Accept-Encoding`
- `Cache-Control`
- `Content-Length`
- `Content-Type`
- `Origin`
- `Referrer`
- `Sec-Ch-Ua`
- `Sec-Ch-Ua-Mobile`
- `Sec-Ch-Ua-Platform`
- `Sec-Ch-Ua-Platform-Version`
- `Sec-Ch-Ua-Arch`
- `Sec-Ch-Ua-Bitness`
- `Sec-Ch-Ua-Full-Version-List`
- `Sec-Ch-Ua-Model`
- `Sec-Fetch-Dest`
- `Sec-Fetch-Mode`
- `Sec-Fetch-Site`
- `Sec-Fetch-User`
- `Upgrade-Insecure-Requests`
- `User-Agent`
- `X-Bug-Bounty`
- `X-Forwarded-For`
- `X-Forwarded-Host`
- `X-Forwarded-Port`
- `X-Forwarded-Proto`
- `X-Forwarded-Server`
- `X-Real-Ip`

### Operators

When using operators, keep in mind the following:

- All values below can be quoted to allow for spaces.
- Adding `-` (minus) before any key negates the operation.
- Different key names function as an AND operator (`from:-1h path:/foo`).
- Multiple keys with the same name function as an OR operator (`path:/foo path:/bar` should return paths matching either `/foo` or `/bar`).

Supported operators include:

| Operator                                                                                                             | Meaning                                                                                                |
| -------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
| `key:value`                                                                                                          | equals                                                                                                 |
| `key:=value`                                                                                                         | equals, alternate syntax                                                                               |
| `-key:value`                                                                                                         | not equals, general negation of all operators                                                          |
| [`+key:value`](https://www.fastly.com/documentation/guides/next-gen-waf/reference/searching-for-requests/#-operator) | search results must include the specified key and its value                                            |
| `key:!=value`                                                                                                        | not equals, alternate syntax                                                                           |
| `key:>value`                                                                                                         | greater-than, integers only                                                                            |
| `key:>=value`                                                                                                        | equals or greater-than, integers only                                                                  |
| `key:<value`                                                                                                         | less-than, integers only                                                                               |
| `key:<=value`                                                                                                        | equals or less-than, integers only                                                                     |
| `key:value1..value2`                                                                                                 | in range between `value1` and `value2`, integers only. For time see `from` and `until`                 |
| `key:~value`                                                                                                         | search on the field with the terms provided                                                            |
| `key:"*value"`, `key:"value*"`, or `key:"val*ue"`                                                                    | search on a partial value (e.g., `remotehost:~"*fiber*"`). The `*` can match any number of characters. |

#### `+` operator

Use the `+` operator to find requests that include multiple instances of the same key. For example, a search for `tag:CMDEXE +tag:TRAVERSAL` returns requests tagged with both the `CMDEXE` AND the `TRAVERSAL` signal. Without the `+` operator, the `tag:CMDEXE tag:TRAVERSAL` search would return requests tagged with either the `CMDEXE` OR the `TRAVERSAL` signal.

When building search queries that use the `+` operator, keep in mind the following:

- The `+` operator only supports the `payload`, `ruleid`, and `tag` keys.
- When there is only one instance of a key in a search, the `+` operator is unnecessary. The search results will already include the key and its value. For example, both `+tag:scanner country:us` and `tag:scanner country:us` return the same requests.
- When there are two instances of the same key in a search, the placement of the `+` operator does not change the result. For example, the following searches return the same result: `+tag:suspected-bad-bot +tag:scanner`, `+tag:suspected-bad-bot tag:scanner`, and `tag:suspected-bad-bot +tag:scanner`.
- When there are multiple instances of the same key in a search, instances without the `+` operator are grouped using OR logic. For example, a search for `+tag:suspected-bad-bot tag:scanner tag:sans` looks for requests that have been tagged with both the `SUSPECTED-BAD-BOT` and `SCANNER` signals or requests that have been tagged with both the `SUSPECTED-BAD-BOT` and `SANS` signals.
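The grouping rules above, modelled as an added example (not Fastly's implementation): a small Python matcher that applies AND across different keys, OR within a repeated key, and the `+` requirement to constructed sample requests. The request records, the `search` helper and the case-insensitive comparison are assumptions of this sketch; only plain `key:value` and `+key:value` terms are handled.

```python
import shlex
from collections import defaultdict

# Keys the page lists as supporting the "+" operator.
PLUS_KEYS = {"payload", "ruleid", "tag"}

# Constructed sample requests (not real data): request id -> key -> set of values.
REQUESTS = {
    "r1": {"tag": {"cmdexe", "traversal"}, "country": {"us"}},
    "r2": {"tag": {"cmdexe"}, "country": {"us"}},
    "r3": {"tag": {"suspected-bad-bot", "sans"}, "country": {"ru"}},
    "r4": {"tag": {"suspected-bad-bot", "scanner"}, "country": {"us"}},
    "r5": {"tag": {"scanner"}, "country": {"ru"}},
}


def parse(query):
    """Split an explicit query into {key: {"must": set, "any": set}}.

    "+key:value" terms land in "must", plain "key:value" terms in "any".
    Values are lower-cased (assumption: comparison is case-insensitive).
    """
    terms = defaultdict(lambda: {"must": set(), "any": set()})
    for token in shlex.split(query):  # shlex keeps quoted values together
        plus = token.startswith("+")
        key, sep, value = token.lstrip("+").partition(":")
        if not sep or not value:
            raise ValueError(f"not an explicit key:value term: {token!r}")
        key = key.lower()
        if plus and key not in PLUS_KEYS:
            raise ValueError(f"'+' is not supported on key {key!r}")
        terms[key]["must" if plus else "any"].add(value.lower())
    return dict(terms)


def matches(request, query):
    """Apply the page's grouping rules to one request record."""
    for key, group in parse(query).items():
        have = request.get(key, set())
        # Every "+" value for this key must be present on the request.
        if not group["must"] <= have:
            return False
        # Values without "+" are ORed: at least one of them must be present.
        if group["any"] and not (group["any"] & have):
            return False
    # Reaching here means every key group matched (AND across keys).
    return True


def search(query):
    """Return the ids of the sample requests that match, sorted."""
    return sorted(rid for rid, req in REQUESTS.items() if matches(req, query))


if __name__ == "__main__":
    for q in (
        "tag:CMDEXE tag:TRAVERSAL",
        "tag:CMDEXE +tag:TRAVERSAL",
        "+tag:suspected-bad-bot tag:scanner tag:sans",
    ):
        print(f"{q!r:50} -> {search(q)}")
```

When a hunt depends on two signals occurring on the same request, the difference between the first two queries is the difference between a narrow result and one that includes every request carrying either signal.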

### Time

Time ranges can be specified in a number of ways using the `from` and `until` keys.

Queries on the Requests page are limited to a maximum time range of 7 days. Queries that span more than 7 days will not yield any results. For example, to find results from 2 weeks ago, your query would need to use `from:-21d until:-14d`, which is a 7-day window. A query of just `from:-21d` would not yield any results because that is a 21-day window.

#### Relative time

| Suffix  | Meaning                  |
| ------- | ------------------------ |
| `-5s`   | 5 seconds ago (from now) |
| `-5min` | 5 minutes ago            |
| `-5h`   | 5 hours ago              |
| `-5d`   | 5 days ago               |
| `-5w`   | 5 weeks ago              |
| `-5mon` | 5 months ago             |
| `-5y`   | 5 years ago              |

Example:

- `from:-5h` (until now)
- `from:-5h until:-4h` (one hour range)
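An added example, not part of Fastly's tooling: a Python helper that checks a relative `from`/`until` pair against the 7-day limit and splits a longer lookback into consecutive 7-day queries. The function names are hypothetical, and the `mon` and `y` suffixes are left out because the page does not define their length.

```python
import re

# 7-day limit the page states for queries on the Requests page.
MAX_WINDOW_DAYS = 7
MAX_WINDOW_SECONDS = MAX_WINDOW_DAYS * 86400

# Fixed-length suffixes from the relative-time table. "mon" and "y" are
# omitted on purpose: the page does not say how many days they represent.
UNIT_SECONDS = {"s": 1, "min": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
RELATIVE = re.compile(r"^-(\d+)(s|min|h|d|w)$")


def seconds_ago(value):
    """Convert a relative value such as '-5h' to a number of seconds before now."""
    m = RELATIVE.match(value)
    if not m:
        raise ValueError(f"unsupported relative time: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def window_ok(from_value, until_value=None):
    """True if from..until (until defaults to now) is a positive span of at most 7 days."""
    newest = seconds_ago(until_value) if until_value else 0
    span = seconds_ago(from_value) - newest
    return 0 < span <= MAX_WINDOW_SECONDS


def windowed_queries(base_query, lookback_days):
    """Return queries, oldest window first, that together cover lookback_days."""
    if lookback_days < 1:
        raise ValueError("lookback_days must be at least 1")
    queries = []
    start = lookback_days
    while start > 0:
        end = max(start - MAX_WINDOW_DAYS, 0)
        # The most recent window runs until now, so it needs no "until" term.
        time_part = f"from:-{start}d" + (f" until:-{end}d" if end else "")
        queries.append(f"{base_query} {time_part}".strip())
        start = end
    return queries


if __name__ == "__main__":
    print(window_ok("-21d"))            # 21-day window
    print(window_ok("-21d", "-14d"))    # 7-day window
    for q in windowed_queries("tag:sqli country:ru", 21):
        print(q)
```

Adjacent windows share a boundary instant, so deduplicate by request when merging the results of several windows.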

#### Absolute time

Absolute time is also allowed using:

- Unix UTC Seconds Since Epoch
- Java/JavaScript UTC Milliseconds since Epoch
- ISO Date format `YYYYMMDD`

Example Absolute Time: Unix UTC Seconds

- `from:141384000` (until now)
- `from:141384000 until:1413844691`

Example Absolute Time: Java/JavaScript Milliseconds UTC

- `from:141384000000` (until now)
- `from:141384000000 until:1413844691000`

Example Absolute Date: `YYYYMMDD`

- `from:20141031` (until now)
- `from:20141031 until:20141225`

You can also mix and match time formats:

- `from:20141031 until:-1h`

### Signals

In the search bar, you can use the `tag` key to filter requests by a specific [signal](https://www.fastly.com/documentation/guides/next-gen-waf/signals/about-signals) (e.g., SQLI, XSS).

| Signal type                    | Description                                                                                                                                                                                                                                |
| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| System signal                  | The search syntax is `tag:<system-signal>`. Be sure to replace `<system-signal>` with the name of the [system signal](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/) that you want to search for. |
| Corp (account) custom signal   | The search syntax is `tag:corp.<corp-custom-signal>`. Be sure to replace `<corp-custom-signal>` with the name of the corp (account) custom signal that you want to search for.                                                             |
| Site (workspace) custom signal | The search syntax is `tag:site.<site-custom-signal>`. Be sure to replace `<site-custom-signal>` with the name of the site (workspace) custom signal that you want to search for.                                                           |

## Query builder

> **IMPORTANT:** The Query builder is only available in the Fastly control panel, not the Next-Gen WAF control panel.

The Query builder lets you filter for requests with a specific combination of tags (e.g. NOUA) and HTTP status codes (e.g. 404, 500).

To filter results using the Query builder:

1. Use the **Time menu** to specify a time range for when requests were sent.
2. Click **Query builder**.
3. From the **Tag** and **HTTP Code** tabs, select the combinations of tags and codes you want to filter on. Your selections are populated in the search bar.

   Click **Select All** on either tab to select all tags or all HTTP codes. Click **Clear selection** on a given tab to clear selections on that tab or **Clear all** to clear all Query builder filters.
4. Exit the Query builder.
5. Click **Search**.

## Related content

- [Monitoring requests](https://www.fastly.com/documentation/guides/next-gen-waf/monitoring/monitoring-requests)
