Automatic Index Cloudfront Logs

Hydrolix is able to automatically import batch data from AWS S3.

In this blog post we’ll see how we use this feature to index Cloudfront logs into Hydrolix.

Setting up access to S3 Bucket

When we deploy a new hydrolix cluster by default it only has access to a single S3 bucket, the one where we’ll store the data.

The batch peer needs to have access to your S3 bucket to be able to pull the logs, we’ll use the command hdxctl to update the bucket-allowlist and include the S3 repository, for example:

hdxctl update hdxcli-xxxxx hdx-yyyyy --bucket-allowlist "your_s3_repo"

1	hdxctl update hdxcli-xxxxx hdx-yyyyy --bucket-allowlist "your_s3_repo"

If your S3 bucket is encrypted, you need to specify the KMS ARN to decrypt it using --batch-bucket-kms-arn:

hdxctl update hdxcli-xxxxx hdx-yyyyy --batch-bucket-kms-arn "arn"

1	hdxctl update hdxcli-xxxxx hdx-yyyyy --batch-bucket-kms-arn "arn"

Creating your project and table

Let’s create a new project and a new table to index the data.
For this example, we create a new project called aws and within that project we create a new table called cloudfront.

The table will have specific settings for AutoIngest where we specify the S3 Bucket pattern we are matching to ingest data.

In my example the logs are sent to my bucket docs-access-logs in the folder cf.

I’m using a regex to specify that I only want file extension gz.
For more details you can check our documentation.

Project and table creation code

<span style="color: #6a9955;" class="ugb-highlight">### Global variable to replace with your own needs</span>
<span style="color: #569cd6;" class="ugb-highlight">@</span><span style="color: #9cdcfe;" class="ugb-highlight">base_url</span> = <span style="color: #ce9178;" class="ugb-highlight">https://host.hydrolix.live/config/v1/</span>
<span style="color: #569cd6;" class="ugb-highlight">@</span><span style="color: #9cdcfe;" class="ugb-highlight">username</span> = <span style="color: #ce9178;" class="ugb-highlight">username@email.com</span>
<span style="color: #569cd6;" class="ugb-highlight">@</span><span style="color: #9cdcfe;" class="ugb-highlight">password</span> = <span style="color: #ce9178;" class="ugb-highlight">mysuperpassword</span>
<span style="color: #6a9955;" class="ugb-highlight">### See our documentation the proper pattern s3 bucket pattern: https://docs.hydrolix.io/guide/alt_ingest/file-streams#file-streams-aka-auto-ingest</span>
<span style="color: #569cd6;" class="ugb-highlight">@</span><span style="color: #9cdcfe;" class="ugb-highlight">s3bucket</span> = <span style="color: #ce9178;" class="ugb-highlight">^s3://docs-access-logs/cf/*.gz</span>
<span style="color: #569cd6;" class="ugb-highlight">@</span><span style="color: #9cdcfe;" class="ugb-highlight">projectname</span> = <span style="color: #ce9178;" class="ugb-highlight">aws</span>
<span style="color: #569cd6;" class="ugb-highlight">@</span><span style="color: #9cdcfe;" class="ugb-highlight">tablename</span> = <span style="color: #ce9178;" class="ugb-highlight">cloudfront</span>
 
<span style="color: #6a9955;" class="ugb-highlight">### Login authentication get access token  and UUID Org variable</span>
<span style="color: #6a9955;" class="ugb-highlight">#</span> <span style="color: #9cdcfe;" class="ugb-highlight">@name</span> <span style="color: #4ec9b0;" class="ugb-highlight">login</span>
<span style="color: #c586c0;" class="ugb-highlight">POST</span> {{base_url}}login
<span style="color: #569cd6;" class="ugb-highlight">Content-Type</span>: <span style="color: #ce9178;" class="ugb-highlight">application/json</span>
 
{
   "<span style="color: #9cdcfe;" class="ugb-highlight">username</span>": "<span style="color: #ce9178;" class="ugb-highlight">{{username}}</span>",
   "<span style="color: #9cdcfe;" class="ugb-highlight">password</span>": "<span style="color: #ce9178;" class="ugb-highlight">{{password}}</span>"
}
<span style="color: #6a9955;" class="ugb-highlight">### Store, parse the login response body to store the access token and organization id</span>
<span style="color: #569cd6;" class="ugb-highlight">@</span><span style="color: #9cdcfe;" class="ugb-highlight">access_token</span> = <span style="color: #ce9178;" class="ugb-highlight">{{login.response.body.auth_token.access_token}}</span>
<span style="color: #569cd6;" class="ugb-highlight">@</span><span style="color: #9cdcfe;" class="ugb-highlight">org_id</span> = <span style="color: #ce9178;" class="ugb-highlight">{{login.response.body.orgs[0].uuid}}</span>
 
 
 
<span style="color: #6a9955;" class="ugb-highlight">### Create a new project named aws
#</span> <span style="color: #9cdcfe;" class="ugb-highlight">@name</span> <span style="color: #4ec9b0;" class="ugb-highlight">new_project</span>
<span style="color: #c586c0;" class="ugb-highlight">POST</span>  {{base_url}}orgs/{{org_id}}/projects/
<span style="color: #569cd6;" class="ugb-highlight">Authorization</span>: <span style="color: #ce9178;" class="ugb-highlight">Bearer {{access_token}}</span>
<span style="color: #569cd6;" class="ugb-highlight">Content-Type</span>: <span style="color: #ce9178;" class="ugb-highlight">application/json</span>
 
{
   "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">{{projectname}}</span>",
   "<span style="color: #9cdcfe;" class="ugb-highlight">org</span>": "<span style="color: #ce9178;" class="ugb-highlight">{{org_id}}</span>"
}
<span style="color: #6a9955;" class="ugb-highlight">### Store, parse project ID from response</span>
<span style="color: #569cd6;" class="ugb-highlight">@</span><span style="color: #9cdcfe;" class="ugb-highlight">projectid</span> = <span style="color: #ce9178;" class="ugb-highlight">{{new_project.response.body.uuid}}</span>
 
 
<span style="color: #6a9955;" class="ugb-highlight">### Create a new table named {{tablename}} in the {{projectname}} project, auto-ingest cloudfront logs using SQS notification
#</span> <span style="color: #9cdcfe;" class="ugb-highlight">@name</span> <span style="color: #4ec9b0;" class="ugb-highlight">new_table</span>
<span style="color: #c586c0;" class="ugb-highlight">POST</span>  {{base_url}}orgs/{{org_id}}/projects/{{projectid}}/tables/
<span style="color: #569cd6;" class="ugb-highlight">Authorization</span>: <span style="color: #ce9178;" class="ugb-highlight">Bearer {{access_token}}</span>
<span style="color: #569cd6;" class="ugb-highlight">Content-Type</span>: <span style="color: #ce9178;" class="ugb-highlight">application/json</span>
 
{
   "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">{{tablename}}</span>",
   "<span style="color: #9cdcfe;" class="ugb-highlight">project</span>": "<span style="color: #ce9178;" class="ugb-highlight">{{projectid}}</span>",
   "<span style="color: #9cdcfe;" class="ugb-highlight">description</span>": "<span style="color: #ce9178;" class="ugb-highlight">Auto Ingest Cloudfront logs from S3 Bucket</span>",
   "<span style="color: #9cdcfe;" class="ugb-highlight">settings</span>": {
       "<span style="color: #9cdcfe;" class="ugb-highlight">autoingest</span>": {
           "<span style="color: #9cdcfe;" class="ugb-highlight">enabled</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>,
           "<span style="color: #9cdcfe;" class="ugb-highlight">pattern</span>": "<span style="color: #ce9178;" class="ugb-highlight">{{s3bucket}}</span>",
           "<span style="color: #9cdcfe;" class="ugb-highlight">max_rows_per_partition</span>": <span style="color: #b5cea8;" class="ugb-highlight">1000000</span>,
           "<span style="color: #9cdcfe;" class="ugb-highlight">max_minutes_per_partition</span>": <span style="color: #b5cea8;" class="ugb-highlight">15</span>,
           "<span style="color: #9cdcfe;" class="ugb-highlight">input_aggregation</span>": <span style="color: #b5cea8;" class="ugb-highlight">4</span>
       }
   }
}
<span style="color: #6a9955;" class="ugb-highlight">### Store, parse table ID from response</span>
<span style="color: #569cd6;" class="ugb-highlight">@</span><span style="color: #9cdcfe;" class="ugb-highlight">tableid</span> = <span style="color: #ce9178;" class="ugb-highlight">{{new_table.response.body.uuid}}</span>

### Global variable to replace with your own needs

@base_url = https://host.hydrolix.live/config/v1/

@username = username@email.com

@password = mysuperpassword

### See our documentation the proper pattern s3 bucket pattern: https://docs.hydrolix.io/guide/alt_ingest/file-streams#file-streams-aka-auto-ingest

@s3bucket = ^s3://docs-access-logs/cf/*.gz

@projectname = aws

@tablename = cloudfront

### Login authentication get access token and UUID Org variable

# @name login

POST {{base_url}}login

Content-Type: application/json

{

"username": "{{username}}",

"password": "{{password}}"

}

### Store, parse the login response body to store the access token and organization id

@access_token = {{login.response.body.auth_token.access_token}}

@org_id = {{login.response.body.orgs[0].uuid}}

### Create a new project named aws

# @name new_project

POST {{base_url}}orgs/{{org_id}}/projects/

Authorization: Bearer {{access_token}}

Content-Type: application/json

{

"name": "{{projectname}}",

"org": "{{org_id}}"

}

### Store, parse project ID from response

@projectid = {{new_project.response.body.uuid}}

### Create a new table named {{tablename}} in the {{projectname}} project, auto-ingest cloudfront logs using SQS notification

# @name new_table

POST {{base_url}}orgs/{{org_id}}/projects/{{projectid}}/tables/

Authorization: Bearer {{access_token}}

Content-Type: application/json

{

"name": "{{tablename}}",

"project": "{{projectid}}",

"description": "Auto Ingest Cloudfront logs from S3 Bucket",

"settings": {

"autoingest": {

"enabled": true,

"pattern": "{{s3bucket}}",

"max_rows_per_partition": 1000000,

"max_minutes_per_partition": 15,

"input_aggregation": 4

}

### Store, parse table ID from response

@tableid = {{new_table.response.body.uuid}}

Creating the transform

Cloudfront log format is defined here as you can see they split the date and hour into 2 separate fields, so in our transformation we are going to create a virtual field which is the concatenation of the 2 fields.

You can find more information on scripted field support here.

As the data is compressed using gzip we also need to specify that the compression is gzip.

And finally the logs in Cloudfront contain 2 comments at the top of each file that we need to ignore.

Full transform for Cloudfront logs

<span style="color: #6a9955;" class="ugb-highlight">#### Creates a a transform for the csv format and upload to our table</span>
<span style="color: #6a9955;" class="ugb-highlight">#</span> @name <span style="color: #4ec9b0;" class="ugb-highlight">new_transform</span>
<span style="color: #c586c0;" class="ugb-highlight">POST</span> {{base_url}}orgs/{{org_id}}/projects/{{projectid}}/tables/{{tableid}}/transforms/
<span style="color: #569cd6;" class="ugb-highlight">Authorization</span>: <span style="color: #ce9178;" class="ugb-highlight">Bearer {{access_token}}</span>
<span style="color: #569cd6;" class="ugb-highlight">Content-Type</span>: <span style="color: #ce9178;" class="ugb-highlight">application/json</span>
 
{
 "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">aws_cloudfront_transform</span>",
 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">csv</span>",
 "<span style="color: #9cdcfe;" class="ugb-highlight">table</span>": "<span style="color: #ce9178;" class="ugb-highlight">{{tableid}}</span>",
 "<span style="color: #9cdcfe;" class="ugb-highlight">settings</span>": {
     "<span style="color: #9cdcfe;" class="ugb-highlight">is_default</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>,
     "<span style="color: #9cdcfe;" class="ugb-highlight">compression</span>": "<span style="color: #ce9178;" class="ugb-highlight">gzip</span>",
     "<span style="color: #9cdcfe;" class="ugb-highlight">output_columns</span>": [
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "timestamp",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">0</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">datetime</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">script</span>": "<span style="color: #ce9178;" class="ugb-highlight">new Date(row['date'] +' '+ row['hour'])</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">format</span>": "<span style="color: #ce9178;" class="ugb-highlight">2006-01-02 15:04:05</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">virtual</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>,
                 "<span style="color: #9cdcfe;" class="ugb-highlight">primary</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">date</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">0</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">hour</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">1</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">x-edge-location</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">2</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">bytes_server_to_client</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">3</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">uint64</span>"
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">clientip</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">4</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">method</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">5</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">host</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">6</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">url</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">7</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">status</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">8</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">referer</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">9</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">user-agent</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">10</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">query-string</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">11</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">cookie</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">12</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">x-edge-result-typ</span>e",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">13</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">x-edge-request-id</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">14</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">x-host-header</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">15</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">protocol</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">16</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">bytes_client_to_server</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">17</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">uint64</span>"
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">time-taken</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">18</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">uint64</span>"
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">x-forwarded-for</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">19</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">ssl-protocol</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">20</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">ssl-cipher</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">21</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">x-edge-response-result-type</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">22</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">protocol-version</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">23</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">fle-status</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">24</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">fle-encrypted-fields</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">25</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">client_port</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">26</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">uint64</span>"
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">ttfb</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">27</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">uint64</span>"
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">x-edge-detailed-result-type</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">28</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">content-type-response</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">29</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">string</span>",
                 "<span style="color: #9cdcfe;" class="ugb-highlight">index</span>": <span style="color: #569cd6;" class="ugb-highlight">true</span>
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">content-length-response</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">30</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">uint64</span>"
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">content-range-response-start</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">31</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">uint64</span>"
             }
         },
         {
             "<span style="color: #9cdcfe;" class="ugb-highlight">name</span>": "<span style="color: #ce9178;" class="ugb-highlight">content-range-response-end</span>",
             "<span style="color: #9cdcfe;" class="ugb-highlight">position</span>": <span style="color: #b5cea8;" class="ugb-highlight">32</span>,
             "<span style="color: #9cdcfe;" class="ugb-highlight">datatype</span>": {
                 "<span style="color: #9cdcfe;" class="ugb-highlight">type</span>": "<span style="color: #ce9178;" class="ugb-highlight">uint64</span>"
             }
         }
     ],
     "<span style="color: #9cdcfe;" class="ugb-highlight">format_details</span>": {
         "<span style="color: #9cdcfe;" class="ugb-highlight">skip_head</span>": <span style="color: #b5cea8;" class="ugb-highlight">2</span>,
         "<span style="color: #9cdcfe;" class="ugb-highlight">delimiter</span>": "<span style="color: #ce9178;" class="ugb-highlight">\t</span>"
     }
 }
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

#### Creates a a transform for the csv format and upload to our table

# @name new_transform

POST {{base_url}}orgs/{{org_id}}/projects/{{projectid}}/tables/{{tableid}}/transforms/

Authorization: Bearer {{access_token}}

Content-Type: application/json

{

"name": "aws_cloudfront_transform",

"type": "csv",

"table": "{{tableid}}",

"settings": {

"is_default": true,

"compression": "gzip",

"output_columns": [

{

"name": "timestamp",

"position": 0,

"datatype": {

"type": "datetime",

"script": "new Date(row['date'] +' '+ row['hour'])",

"format": "2006-01-02 15:04:05",

"virtual": true,

"primary": true

}

{

"name": "date",

"position": 0,

"datatype": {

"type": "string",

"index": true

}

{

"name": "hour",

"position": 1,

"datatype": {

"type": "string",

"index": true

}

{

"name": "x-edge-location",

"position": 2,

"datatype": {

"type": "string",

"index": true

}

{

"name": "bytes_server_to_client",

"position": 3,

"datatype": {

"type": "uint64"

}

{

"name": "clientip",

"position": 4,

"datatype": {

"type": "string",

"index": true

}

{

"name": "method",

"position": 5,

"datatype": {

"type": "string",

"index": true

}

{

"name": "host",

"position": 6,

"datatype": {

"type": "string",

"index": true

}

{

"name": "url",

"position": 7,

"datatype": {

"type": "string",

"index": true

}

{

"name": "status",

"position": 8,

"datatype": {

"type": "string",

"index": true

}

{

"name": "referer",

"position": 9,

"datatype": {

"type": "string",

"index": true

}

{

"name": "user-agent",

"position": 10,

"datatype": {

"type": "string",

"index": true

}

{

"name": "query-string",

"position": 11,

"datatype": {

"type": "string",

"index": true

}

{

"name": "cookie",

"position": 12,

"datatype": {

"type": "string",

"index": true

}

{

"name": "x-edge-result-type",

"position": 13,

"datatype": {

"type": "string",

"index": true

}

{

"name": "x-edge-request-id",

"position": 14,

"datatype": {

"type": "string",

"index": true

}

{

"name": "x-host-header",

"position": 15,

"datatype": {

"type": "string",

"index": true

}

{

"name": "protocol",

"position": 16,

"datatype": {

"type": "string",

"index": true

}

{

"name": "bytes_client_to_server",

"position": 17,

"datatype": {

"type": "uint64"

}

{

"name": "time-taken",

"position": 18,

"datatype": {

"type": "uint64"

}

{

"name": "x-forwarded-for",

"position": 19,

"datatype": {

"type": "string",

"index": true

}

{

"name": "ssl-protocol",

"position": 20,

"datatype": {

"type": "string",

"index": true

}

{

"name": "ssl-cipher",

"position": 21,

"datatype": {

"type": "string",

"index": true

}

{

"name": "x-edge-response-result-type",

"position": 22,

"datatype": {

"type": "string",

"index": true

}

{

"name": "protocol-version",

"position": 23,

"datatype": {

"type": "string",

"index": true

}

{

"name": "fle-status",

"position": 24,

"datatype": {

"type": "string",

"index": true

}

{

"name": "fle-encrypted-fields",

"position": 25,

"datatype": {

"type": "string",

"index": true

}

{

"name": "client_port",

"position": 26,

"datatype": {

"type": "uint64"

}

{

"name": "ttfb",

"position": 27,

"datatype": {

"type": "uint64"

}

{

"name": "x-edge-detailed-result-type",

"position": 28,

"datatype": {

"type": "string",

"index": true

}

{

"name": "content-type-response",

"position": 29,

"datatype": {

"type": "string",

"index": true

}

{

"name": "content-length-response",

"position": 30,

"datatype": {

"type": "uint64"

}

{

"name": "content-range-response-start",

"position": 31,

"datatype": {

"type": "uint64"

}

{

"name": "content-range-response-end",

"position": 32,

"datatype": {

"type": "uint64"

}

"format_details": {

"skip_head": 2,

"delimiter": "\t"

}

The full example is available in our GitLab repository, if you need details on how to use this you should read the post regarding VSCode.

For Hydrolix everything is now ready to ingest the cloudfront logs.

Now we need to use notification from the S3 bucket using SQS to let the batch-peer know that new files are available to pick up.

Configure S3 notification

Now that everything is set up on Hydrolix the last remaining part is to configure Notification from your S3 bucket to SQS.

Log into your AWS console and click on the S3 bucket you are using to store your cloudfront logs and click on Properties:

Scroll down to Notifications and create a new notification:

In the notification tab specify the path where cloudfront data are stored and the file extension gz.

Select Event Types: All object create events

Scroll down to the destination and select SQS queue and choose the queue called hdxcli-YYYY-autoingest:

And that’s it!

Hydrolix is now ingesting new Cloudfront logs as soon as we are notified via SQS!

Share Now

HYDROLIX BLOG

Ponderings, insights and industry updates

Recent Blog Posts