Skip to content

Network Analytics v1 to Network Analytics v2

In early 2020, Cloudflare released the first version of the Network Analytics dashboard and its corresponding API. The second version (Network Analytics v2) was made available on 2021-09-13.

Before you start

Learn more about the concepts introduced in Network Analytics v2.

Feature comparison

The following table compares the features of NAv1 and NAv2:

FeatureNAv1NAv2
Sampling rate1/8,192 packetsVaries between 1/100 and 1/1,000,000 packets,
depending on the mitigation service.
Sampling methodCore Sample EnrichmentEdge Sample Enrichment
Historical data retention methodAggregated roll-upsAdaptive Bit Rate
Retention period1-min roll-ups: 30 days
1-hour roll-ups: 6 months
1-day roll-ups: 1 year
Attack roll-ups: 1 year
All nodes: 16 weeks
Attack mitigation systemsdosddosd, flowtrackd*, and Magic Firewall*
Examples of new fieldsn/aRule ID
GRE tunnel ID
Packet size

* Applicable only for Magic Transit customers.

For more information on the differences in terms of sampling method and historical data retention, refer to Main differences between Network Analytics v1 and v2.

Node comparison

NAv2 uses the same API endpoint but makes use of new nodes. While NAv1 has three nodes for aggregated roll-ups for all traffic and attacks, and one node for attacks, NAv2 has one node for all traffic and attacks, and four separate nodes for attacks that vary based on the mitigation system.

Node typeNAv1NAv2 for Magic TransitNAv2 for Spectrum
Main node(s)ipFlows1mGroups
ipFlows1hGroups
ipFlows1dGroups
magicTransitNetworkAnalyticsAdaptiveGroupsspectrumNetworkAnalyticsAdaptiveGroups
Attack node(s)ipFlows1mAttacksGroupsdosdNetworkAnalyticsAdaptiveGroups
dosdAttackAnalyticsGroups
flowtrackdNetworkAnalyticsAdaptiveGroups
magicFirewallNetworkAnalyticsAdaptiveGroups
dosdNetworkAnalyticsAdaptiveGroups
dosdAttackAnalyticsGroups

Each row represents one packet sample. The data is sampled at Cloudflare’s edge at various rates. You can also query the sample rate from the nodes using the sample_interval field.

For reference information on NAv2 nodes, refer to the NAv2 node reference.

Schema comparison

Refer to NAv1 to NAv2 schema map for a mapping of schema fields from NAv1 nodes to NAv2 nodes. Follow this recommended mapping when migrating to NAv2.

Example

The following example queries the top 20 logs of traffic dropped by mitigation systems different from Magic Firewall within a given time range, ordered by destination IP address.

{
viewer
{
accounts(filter: {accountTag: "<REDACTED>"})
{
magicTransitNetworkAnalyticsAdaptiveGroups(
filter: {
datetime_gt: "2021-10-01T00:00:00Z",
datetime_lt: "2021-10-05T00:00:00Z",
outcome_like: "drop",
mitigationSystem_neq: "magic-firewall"
},
limit: 20,
orderBy: [ipDestinationAddress_ASC])
{
dimensions {
outcome
mitigationSystem
ipSourceAddress
ipDestinationAddress
ipProtocol
destinationPort
}
}
}
}
}

Final remarks

The mitigationSystem field can take one the following values: