Chapter 3

Your First Batch

What happens when the first data arrives.

Last updated 26 April 2026

The ingest pipeline

When a Logpush batch hits your Edge ingest URL:

  1. Signature verification -- Edge checks the HMAC-SHA256 signature against the source's secret
  2. Stream decompression -- the gzipped NDJSON is decompressed on the fly (never buffered fully in memory)
  3. Parsing -- each JSON line is validated against the expected schema; malformed lines are dropped and counted
  4. Aggregation -- the batch is collapsed into one Analytics Engine write per unique dimension tuple (ASN + country + status + cache + UA + path + datacenter). A batch of 50,000 records might produce only 200 AE writes.
  5. Archiving -- the original compressed batch is stored in R2 for 30 days as forensic evidence
  6. Response -- you get back accepted count, rejected count, AE writes, and the compression ratio
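
The following sketch walks steps 1 to 4 and 6 over a constructed batch; archiving to R2 is omitted. It is an added example, not Edge's own code. It assumes the signature is a hex HMAC-SHA256 over the compressed body, and the record field names, the secret and the helper names are all hypothetical.

```python
import gzip, hashlib, hmac, json, zlib
from collections import Counter

# Assumed record field names for the dimension tuple
# (ASN, country, status, cache, UA, path, datacenter).
DIMS = ("ClientASN", "ClientCountry", "EdgeResponseStatus", "CacheCacheStatus",
        "ClientRequestUserAgent", "ClientRequestPath", "EdgeColoCode")

def sign(secret: bytes, body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the compressed request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def iter_lines(chunks):
    """Gunzip chunk by chunk; only the current partial line stays buffered."""
    d, buf = zlib.decompressobj(31), b""  # wbits=31 selects the gzip container
    for chunk in chunks:
        buf += d.decompress(chunk)
        *lines, buf = buf.split(b"\n")
        yield from lines
    buf += d.flush()
    if buf:
        yield buf

def ingest(secret: bytes, body: bytes, sig_hex: str, chunk_size: int = 64) -> dict:
    # Step 1: constant-time comparison before the payload is touched.
    if not hmac.compare_digest(sign(secret, body), sig_hex):
        raise PermissionError("signature mismatch")
    chunks = (body[i:i + chunk_size] for i in range(0, len(body), chunk_size))
    writes, rejected, raw = Counter(), 0, 0
    for line in iter_lines(chunks):  # step 2: streamed decompression
        raw += len(line) + 1
        try:  # step 3: must be a JSON object carrying every dimension
            rec = json.loads(line)
            writes[tuple(rec[d] for d in DIMS)] += 1  # step 4: one write per tuple
        except (ValueError, KeyError, TypeError):
            rejected += 1  # malformed lines are dropped and counted
    return {"accepted": sum(writes.values()), "rejected": rejected,  # step 6
            "ae_writes": len(writes), "compression_ratio": round(raw / len(body), 2)}

def sample_batch() -> bytes:
    """Constructed sample: 5 valid records over 2 tuples, plus 1 truncated line."""
    a = dict(zip(DIMS, (64500, "US", 200, "hit", "curl/8.0", "/", "IAD")))
    b = dict(a, EdgeResponseStatus=499, CacheCacheStatus="miss")
    lines = [json.dumps(r) for r in (a, a, b, a, b)] + ['{"ClientASN": 64500']
    return gzip.compress(("\n".join(lines) + "\n").encode())

if __name__ == "__main__":
    body = sample_batch()
    print(ingest(b"demo-secret", body, sign(b"demo-secret", body)))
```
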

What you'll see

After the first batch:

  • Overview populates with real numbers
  • Offenders shows the ASNs in your traffic
  • Alerts stays empty (a single batch usually doesn't trip any detector -- you need sustained traffic)

After a few minutes of continuous Logpush delivery:

  • The detectors start comparing current windows against baselines
  • If anything anomalous is present, alerts will open automatically

Warmup period

New sources have a warmup window during which detectors do not evaluate:

  • Fast detectors (ASN Spike, 499 Rate, Cache Bypass, UA Rotation): suppressed for 60 minutes
  • Slow detectors (Slow Burn, Bot Score, TLS Weak Protocol, Path Entropy, Challenge Solving, Operation Fingerprint): suppressed for 6 hours

This warmup prevents the initial Logpush backfill from triggering hundreds of false-positive alerts. When a Logpush job is first enabled, Cloudflare sends a burst of historical data that can look like a traffic spike to detectors that have no prior baseline.

After the warmup window passes, baseline auto-calibration runs within 4 hours. These baselines are then used by the cache-bypass detector (and others) for accurate detection.
