Analytics Release Notes

Radar introduces HTTP Origins insights

Radar introduces HTTP Origins insights, providing visibility into the status of traffic between Cloudflare's global network and cloud-based origin infrastructure.

The new Origins API provides provides the following endpoints:

• /origins - Lists all origins (cloud providers and associated regions).
• /origins/{origin} - Retrieves information about a specific origin (cloud provider).
• /origins/timeseries - Retrieves normalized time series data for a specific origin, including the following metrics:
  • REQUESTS: Number of requests
  • CONNECTION_FAILURES: Number of connection failures
  • RESPONSE_HEADER_RECEIVE_DURATION: Duration of the response header receive
  • TCP_HANDSHAKE_DURATION: Duration of the TCP handshake
  • TCP_RTT: TCP round trip time
  • TLS_HANDSHAKE_DURATION: Duration of the TLS handshake
• /origins/summary - Retrieves HTTP requests to origins summarized by a dimension.
• /origins/timeseries_groups - Retrieves timeseries data for HTTP requests to origins grouped by a dimension.

The following dimensions are available for the summary and timeseries_groups endpoints:

• region: Origin region
• success_rate: Success rate of requests (2XX versus 5XX response codes)
• percentile: Percentiles of metrics listed above

Additionally, the Annotations and Traffic Anomalies APIs have been extended to support origin outages and anomalies, enabling automated detection and alerting for origin infrastructure issues.

Check out the new Radar page ↗.

New Cloudflare datasets in Log Explorer

We've significantly enhanced Log Explorer by adding support for 14 additional Cloudflare product datasets.
This expansion enables Operations and Security Engineers to gain deeper visibility and telemetry across a wider range of Cloudflare services. By integrating these new datasets, users can now access full context to efficiently investigate security incidents, troubleshoot application performance issues, and correlate logged events across different layers (like application and network) within a single interface. This capability is crucial for a complete and cohesive understanding of event flows across your Cloudflare environment.

The newly supported datasets include:

Zone Level

• Dns_logs
• Nel_reports
• Page_shield_events
• Spectrum_events
• Zaraz_events

Account Level

• Audit Logs
• Audit_logs_v2
• Biso_user_actions
• DNS firewall logs
• Email_security_alerts
• Magic Firewall IDS
• Network Analytics
• Sinkhole HTTP
• ipsec_logs

Note
Auditlog and Auditlog_v2 datasets require audit-log.read permission for querying.
The biso_user_actions dataset requires either the Super Admin or ZT PII role for querying.

Example: Correlating logs

You can now use Log Explorer to query and filter with each of these datasets. For example, you can identify an IP address exhibiting suspicious behavior in the FW_event logs, and then instantly pivot to the Network Analytics logs or Access logs to see its network-level traffic profile or if it bypassed a corporate policy.

To learn more and get started, refer to the Log Explorer documentation and the Cloudflare Logs documentation .

We've resolved a bug in Log Explorer that caused inconsistencies between the custom SQL date field filters and the date picker dropdown. Previously, users attempting to filter logs based on a custom date field via a SQL query sometimes encountered unexpected results or mismatching dates when using the interactive date picker.

This fix ensures that the custom SQL date field filters now align correctly with the selection made in the date picker dropdown, providing a reliable and predictable filtering experience for your log data. This is particularly important for users creating custom log views based on time-sensitive fields.

New DEX and WARP Logpush data sets

Digital Experience Monitoring (DEX) provides visibility into WARP device metrics, connectivity, and network performance across your Cloudflare SASE deployment. We've released four new WARP and DEX device data sets that can be exported via Cloudflare Logpush. These Logpush data sets can be exported to R2, a cloud bucket, or a SIEM to build a customized logging and analytics experience.

• DEX Application Tests
• DEX Device State Events
• WARP Config Changes
• WARP Toggle Changes

Getting started with Logpush

To create a new DEX or WARP Logpush job, customers can go to the account level of the Cloudflare dashboard > Analytics & Logs > Logpush to get started.

You can now perform more powerful queries directly in Workers Analytics Engine with a major expansion of our SQL function library.

Workers Analytics Engine allows you to ingest and store high-cardinality data at scale (such as custom analytics) and query your data through a simple SQL API.

New aggregate functions

• countIf() - count the number of rows which satisfy a provided condition
• sumIf() - calculate a sum from rows which satisfy a provided condition
• avgIf() - calculate an average from rows which satisfy a provided condition

New date and time functions

• toYear()
• toMonth()
• toDayOfMonth()
• toDayOfWeek()
• toHour()
• toMinute()
• toSecond()
• toStartOfYear()
• toStartOfMonth()
• toStartOfWeek()
• toStartOfDay()
• toStartOfHour()
• toStartOfFifteenMinutes()
• toStartOfTenMinutes()
• toStartOfFiveMinutes()
• toStartOfMinute()
• today()
• toYYYYMM()

Ready to get started?

Whether you're building usage-based billing systems, customer analytics dashboards, or other custom analytics, these functions let you get the most out of your data.

Get started with Workers Analytics Engine and explore all available functions in our SQL reference documentation.

Log Explorer: Resize custom SQL query window

We're excited to announce a quality-of-life improvement for Log Explorer users. You can now resize the custom SQL query window to accommodate longer and more complex queries.

Previously, if you were writing a long custom SQL query, the fixed-size window required excessive scrolling to view the full query. This update allows you to easily drag the bottom edge of the query window to make it taller. This means you can view your entire custom query at once, improving the efficiency and experience of writing and debugging complex queries.

To learn more and get started, refer to the Log Explorer documentation.

Logpush Health Dashboards

We’re excited to introduce Logpush Health Dashboards, giving customers real-time visibility into the status, reliability, and performance of their Logpush jobs. Health dashboards make it easier to detect delivery issues, monitor job stability, and track performance across destinations. The dashboards are divided into two sections:

• Upload Health: See how much data was successfully uploaded, where drops occurred, and how your jobs are performing overall. This includes data completeness, success rate, and upload volume.

• Upload Reliability – Diagnose issues impacting stability, retries, or latency, and monitor key metrics such as retry counts, upload duration, and destination availability.

Health Dashboards can be accessed from the Logpush page in the Cloudflare dashboard at the account or zone level, under the Health tab. For more details, refer to our Logpush Health Dashboards documentation, which includes a comprehensive troubleshooting guide to help interpret and resolve common issues.

Zero Trust Logpush Permissions Update

Permissions for managing Logpush jobs related to Zero Trust datasets (Access, Gateway, and DEX) have been updated to improve data security and enforce appropriate access controls.

To view, create, update, or delete Logpush jobs for Zero Trust datasets, users must now have both of the following permissions:

• Logs Edit
• Zero Trust: PII Read

Note

Update your UI, API or Terraform configurations to include the new permissions. Requests to Zero Trust datasets will fail due to insufficient access without the additional permission.