All Products
Search

This Product

    Simple Log Service:Query and analyze logs

    Document Center

    Simple Log Service:Query and analyze logs

    Last Updated:Jul 09, 2024

    After you create indexes for a Logstore, you can query and analyze the logs that are collected and stored in the Logstore on the query and analysis page in real time.

    Prerequisites

    Indexes are created. For more information, see Create indexes. If you want to analyze logs, you must create field indexes and turn on Enable Analytics.

    Step 1: Enter a query statement

    1. Log on to the Simple Log Service console.

    2. In the Projects section, click the project that you want to manage.

      image

    3. In the left-side navigation pane, click Log Storage. In the Logstores list, click the Logstore that you want to manage.

      image

    4. Enter a search statement or an analysis statement.

      • A search statement is used to query and filter data. A search statement supports only simple query. You can specify conditions in a search statement to filter data. The conditions include time ranges, request types, and keywords. You can separately use a search statement. For more information, see Search syntax.

      • An analytic statement is used to filter, convert, calculate, and aggregate data. For example, you can use an analytic statement to calculate an average value within a specific period of time or compare data in different periods of time. You must use an analytic statement together with a search statement in the Search statement|Analytic statement format. For more information, see Function overview.

    5. Specify the time range of data that you want to query or analyze. You can use one of the following methods to specify a time range. If you specify a time range in an analytic statement, the time range is used for query and analysis.

      Important

      By default, only 100 rows of data are returned after you execute a query statement. To increase the number of rows of data that are returned, you can use a LIMIT clause. For more information, see LIMIT clause.

      • In the upper part of the query and analysis page, select a time range from the drop-down list. Example: Last 15 Minutes.

      • In the analytic statement, use the __time__ field to specify a time range, which is a closed time interval. Example: * | SELECT * FROM log WHERE __time__>1558013658 AND __time__< 1558013660.

      • In the analytic statement, use the from_unixtime or to_unixtime function to convert the format of the specified time. Examples:

        • * | SELECT * FROM log WHERE from_unixtime(__time__) > from_unixtime(1664186624) AND from_unixtime(__time__) < now()

        • * | SELECT * FROM log WHERE __time__ > to_unixtime(date_parse('2022-10-19 15:46:05', '%Y-%m-%d %H:%i:%s')) AND __time__ < to_unixtime(now())

    Step 2: View query and analysis results

    Histogram

    分布直方图

    • When you move the pointer over a green rectangle, you can view the period of time that is represented by the rectangle and the number of returned logs within the period of time.

    • If you double-click a green rectangle, you can view log distribution at a finer-grained level. You can also view the returned logs within the specified period of time on the Raw Logs tab.

    Raw Logs

    The Raw Logs tab displays query and analysis results.

    image.png

    Section

    Description

    1

    Click Table or Raw Data to switch between the display formats of logs.

    2

    • image.png: allows you to copy log content.

    • image.png: allows you to label specific information or query error information in log content. This icon also serves as a copilot.

    • 查询日志-004: allows you to view the context information of a specific log in the raw log file. You can use contextual query only on the logs that are collected by Logtail. For more information, see Contextual query.

    • LiveTail: allows you to monitor log content in real time and extract key log information. You can use LiveTail only on the logs that are collected by Logtail. For more information, see LiveTail.

    3

    • 下载日志: allows you to specify a download scope and download logs. For more information, see Download logs.

    • image.png > JSON Configurations: allows you to specify the display type of JSON and the level of JSON expansion.

    • image.png > Event Settings: allows you to configure events for raw logs. For more information, see Configure events.

    4

    • image.png: allows you to add a view to your favorites. After fields are displayed in Section 5, you can add the current view to your favorites. Then, you can select the view from the drop-down list above Section 4.

    • image.png > Tag Settings: allows you to add fields as system tags.

      Tag

    • image.png > Alias: After you turn on Alias, the names of fields are replaced with aliases. If no alias is configured for a field, the name of the field is retained. For more information about how to configure a field alias, see Create indexes.

    5

    • Below Displayed Fields, move the pointer over a field and click the image.png icon to remove the field from Displayed Fields. Then, the field is no longer displayed in the log content on the right side.

    • Below Indexed Fields, move the pointer over a field and click the image.png icon to add the field to Displayed Fields. Then, the field is displayed in the log content on the right side.

    • image.png: allows you to view field details, including Basic Distribution and Statistical Metrics. For more information, see Quick analysis.

    Supported operations

    image.png

    View charts

    After you execute a query statement, you can view the query and analysis results on the Graph tab.

    • View query and analysis results: Simple Log Service renders the results of the query statement to charts. Simple Log Service provides various types of charts, such as tables, line charts, and column charts. Simple Log Service provides two versions of charts: Pro and Standard. For more information, see Overview of charts (Pro) and Chart overview.

    • Add a chart to a dashboard: Simple Log Service provides dashboards on which you can analyze data in real time. You can click Add to New Dashboard to save the query and analysis results as a chart to a dashboard. For more information, see Overview of visualization.

    • Configure interaction occurrences: Interaction occurrences are important for data analysis. You can use interaction occurrences to switch between the levels of data dimensions and the analysis granularities to obtain more detailed information. For more information, see Interaction occurrences.

    • Create a Scheduled SQL job: Simple Log Service provides the Scheduled SQL feature. You can use the feature to automatically analyze data at a scheduled time and aggregate data for storage. You can also use the feature to project and filter data. For more information, see How Scheduled SQL works.

    LogReduce

    On the LogReduce tab, you can click Enable LogReduce to cluster similar logs during log collection. For more information, see LogReduce.

    image.png

    SQL enhancement

    If you use the Standard SQL feature to analyze a large amount of data that is generated over a period of time, Simple Log Service cannot analyze all data in a single query request. You can enable the Dedicated SQL feature to increase computing resources and the amount of data that can be analyzed in a single query request. For more information, see Enable Dedicated SQL.

    Scan

    If you need to query or analyze logs but you cannot or did not create indexes, you can use the scan feature. For more information, see Scan logs.

    Alerting

    You can click the 另存为告警 icon to configure alerts for query and analysis results. For more information, see Configure an alert rule in Simple Log Service.

    Saved search

    You can click the 快速查询 icon to save a query statement as a saved search. For more information, see Saved search.

    Sharing

    You can click the image.png icon to copy the link of the current page and share the link with other users.

    References