Network Analytics v1 to Network Analytics v2
In early 2020, Cloudflare released the first version of the Network Analytics dashboard and its corresponding API. The second version was made available on September 13th, 2021. Users should only use the newer version, Network Analytics v2 (NAv2). Network Analytics v1 (NAv1) is planned to be deprecated on March 31st, 2022.
Before you start
Learn more about the concepts introduced in Network Analytics v2.
Feature comparison
The following table compares the features of NAv1 and NAv2:
Feature | NAv1 | NAv2 |
---|---|---|
Sampling rate | 1/8,192 packets | Varies between 1/100 and 1/10,000 packets, depending on the mitigation service. |
Sampling method | Core Sample Enrichment | Edge Sample Enrichment |
Historical data retention method | Aggregated roll-ups | Adaptive Bitrate |
Retention period | 1-min roll-ups: 30 days; 1-hour roll-ups: 6 months; 1-day roll-ups: 1 year; Attack roll-ups: 1 year | All nodes: 16 weeks |
Attack mitigation systems | dosd and gatebot | dosd, gatebot, flowtrackd*, and Magic Firewall* |
Examples of new fields | n/a | Rule ID, GRE tunnel ID, Packet size |
* Applicable only for Magic Transit customers.
Node comparison
NAv2 uses the same API endpoint but makes use of new nodes. While NAv1 has three nodes for aggregated roll-ups for all traffic and attacks, and one node for attacks, NAv2 has one node for all traffic and attacks, and four separate nodes for attacks that vary based on the mitigation system.
Node type | NAv1 | NAv2 for Magic Transit | NAv2 for Spectrum |
---|---|---|---|
Main node(s) | ipFlows1mGroups, ipFlows1hGroups, ipFlows1dGroups | magicTransitNetworkAnalyticsAdaptiveGroups | spectrumNetworkAnalyticsAdaptiveGroups |
Attack node(s) | ipFlows1mAttacksGroups | dosdNetworkAnalyticsAdaptiveGroups, dosdAttackAnalyticsAdaptiveGroups, flowtrackdNetworkAnalyticsAdaptiveGroups, magicFirewallNetworkAnalyticsAdaptiveGroups | dosdNetworkAnalyticsAdaptiveGroups, dosdAttackAnalyticsAdaptiveGroups |
Each row represents one packet sample. The data is sampled at Cloudflare’s edge at various rates. You can also query the sample rate from the nodes using the sample_interval field.
For reference information on NAv2 nodes, refer to the NAv2 node reference.
Schema comparison
Refer to NAv1 to NAv2 schema map for a mapping of schema fields from NAv1 nodes to NAv2 nodes. Follow this recommended mapping when migrating to NAv2.
Example
The following example queries the top 20 logs of traffic dropped by mitigation systems other than Magic Firewall within a given time range, ordered by destination IP address.
{
  viewer {
    accounts(filter: {accountTag: "<REDACTED>"}) {
      magicTransitNetworkAnalyticsAdaptiveGroups(
        filter: {
          datetime_gt: "2021-10-01T00:00:00Z",
          datetime_lt: "2021-10-05T00:00:00Z",
          outcome_like: "drop",
          mitigationSystem_neq: "magic-firewall"
        },
        limit: 20,
        orderBy: [ipDestinationAddress_ASC]
      ) {
        dimensions {
          outcome
          mitigationSystem
          ipSourceAddress
          ipDestinationAddress
          ipProtocol
          destinationPort
        }
      }
    }
  }
}
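The following Python sketch is an added example, not part of the original documentation. It shows one way to post-process the response to the query above: it surfaces GraphQL errors, tallies the returned samples per mitigation system and per destination, and flags rows that do not match the query's filter. The response body, the addresses, and the `dosd`, `flowtrackd` and `UDP` values are constructed for illustration. Because each row is one sampled packet, the tallies are sample counts, not packet totals.

```python
from collections import Counter

NODE = "magicTransitNetworkAnalyticsAdaptiveGroups"  # NAv2 main node for Magic Transit

def _row(system, src, dst, port):
    # Builds one constructed row carrying the dimensions the query selects.
    return {"dimensions": {"outcome": "drop", "mitigationSystem": system,
                           "ipSourceAddress": src, "ipDestinationAddress": dst,
                           "ipProtocol": "UDP", "destinationPort": port}}

# Constructed sample response (documentation-range addresses, not real traffic).
SAMPLE_RESPONSE = {"errors": None, "data": {"viewer": {"accounts": [{NODE: [
    _row("dosd", "198.51.100.7", "203.0.113.10", 53),
    _row("dosd", "198.51.100.9", "203.0.113.10", 53),
    _row("dosd", "198.51.100.7", "203.0.113.20", 443),
    _row("flowtrackd", "198.51.100.31", "203.0.113.20", 443),
]}]}}}

def extract_rows(response):
    """Return the dimension dicts of every row, or raise if the API reported errors."""
    errors = response.get("errors")
    if errors:
        raise RuntimeError("GraphQL errors: " +
                           "; ".join(e.get("message", "unknown") for e in errors))
    data = response.get("data") or {}
    accounts = (data.get("viewer") or {}).get("accounts") or []
    return [g["dimensions"] for a in accounts for g in a.get(NODE, [])]

def summarize(rows):
    """Count samples per mitigation system and per (destination IP, port)."""
    return {
        "by_system": Counter(r["mitigationSystem"] for r in rows),
        "by_target": Counter((r["ipDestinationAddress"], r["destinationPort"])
                             for r in rows),
        # Rows that contradict the query filter point to a wrong query or node.
        "filter_violations": [r for r in rows
                              if r["outcome"] != "drop"
                              or r["mitigationSystem"] == "magic-firewall"],
    }

if __name__ == "__main__":
    summary = summarize(extract_rows(SAMPLE_RESPONSE))
    for system, count in summary["by_system"].most_common():
        print(f"{system}: {count} dropped samples")
    for (ip, port), count in summary["by_target"].most_common():
        print(f"{ip}:{port}: {count} dropped samples")
```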