All Products
Search

This Product

    Simple Log Service:Log analysis overview

    Document Center

    Simple Log Service:Log analysis overview

    Last Updated:Jun 20, 2024

    Simple Log Service provides the log analysis feature. This feature works together with the log search feature and is implemented by using SQL syntax. This topic describes the syntax and limits of the analytic statements. This topic also provides SQL functions that you can call when you use the log analysis feature.

    Important

    • If you want to analyze logs, you must store the logs in a Standard Logstore and turn on Enable Analytics for the required fields when you configure indexes. For more information, see Logstore comparison by type and Create indexes.

    • Simple Log Service provides reserved fields. For more information about how to analyze reserved fields, see Reserved fields.

    Syntax

    Each query statement consists of a search statement and an analytic statement. The search statement and the analytic statement are separated by a vertical bar (|). A search statement can be executed alone. However, an analytic statement must be executed together with a search statement. You can use the log analysis feature to analyze the data in search results. You can also use the feature to analyze all data in a Logstore.

    Important

    • You do not need to specify the FROM or WHERE clause in an analytic statement. By default, all data of the current Logstore is analyzed.

    • You do not need to append a semicolon (;) to an analytic statement as the statement terminator.

    • Analytic statements are not case-sensitive.

    • Syntax 

      Search statement|Analytic statement

      Statement

      Description

      Search statement

      A search statement specifies one or more search conditions. A condition can be a keyword, a numeric value, a numeric value range, a space character, or an asterisk (*).

      If you specify a space character or an asterisk (*) as the search statement, no conditions are specified and all logs are returned. For more information, see Search syntax.

      Analytic statement

      An analytic statement is used to aggregate or analyze search results or all data in a Logstore.

    • Example 

      * | SELECT status, count(*) AS PV GROUP BY status

    Limits

    Item

    Standard SQL

    Dedicated SQL

    Number of concurrent analytic statements

    Each project supports a maximum of 15 concurrent analytic statements.

    For example, 15 users can concurrently execute analytic statements in all Logstores of a project.

    Each project supports a maximum of 100 concurrent analytic statements.

    For example, 100 users can concurrently execute analytic statements in all Logstores of a project.

    Data volume

    Each shard supports only 1 GB of data for a single analytic statement.

    An analytic statement can scan a maximum of 200 billion rows of data at the same time.

    Method to enable

    By default, Standard SQL is enabled.

    A switch is provided for you to manually enable Dedicated SQL. For more information, see Enable Dedicated SQL.

    Resource usage fee

    Free of charge.

    You are charged based on the actual CPU time.

    Applicable scope

    You can analyze only the data that is written to Simple Log Service after the log analysis feature is enabled.

    If you want to analyze historical data, you must reindex the historical data. For more information, see Reindex logs for a Logstore.

    You can analyze only the data that is written to Simple Log Service after the log analysis feature is enabled.

    If you want to analyze historical data, you must reindex the historical data. For more information, see Reindex logs for a Logstore.

    Returned result

    By default, an analytic statement returns a maximum of 100 rows of data.

    If you want to view more data, use a LIMIT clause. For more information, see LIMIT clause.

    By default, an analytic statement returns a maximum of 100 rows of data.

    If you want to view more data, use a LIMIT clause. For more information, see LIMIT clause.

    Length of a field value

    The maximum length of a field value that can be retained for analysis is 16,384 bytes, which is equivalent to 16 KB.

    Note

    By default, the maximum length of a field value that can be retained for analysis is 2,048 bytes, which is equivalent to 2 KB. If you want to change the maximum length of a field value, you can configure the Maximum Statistics Field Length parameter. For more information, see Specify the maximum length of a field value.

    The maximum length of a field value that can be retained for analysis is 16,384 bytes, which is equivalent to 16 KB.

    Note

    By default, the maximum length of a field value that can be retained for analysis is 2,048 bytes, which is equivalent to 2 KB. If you want to change the maximum length of a field value, you can configure the Maximum Statistics Field Length parameter. For more information, see Specify the maximum length of a field value.

    Timeout period

    The maximum timeout period for a single analytic statement is 55 seconds.

    The maximum timeout period for a single analytic statement is 55 seconds.

    Number of decimal places in the value of a double-type field

    The value of a double-type field can contain a maximum of 52 decimal places.

    If the number of decimal places is greater than 52, the accuracy of the field value is compromised.

    The value of a double-type field can contain a maximum of 52 decimal places.

    If the number of decimal places is greater than 52, the accuracy of the field value is compromised.

    Analytic functions and syntax

    This section lists the analytic functions and syntax that are supported by Simple Log Service.

    Sample analysis results

    The following figure shows a sample dashboard that displays the analysis results.

    Analysis results