This topic describes the compatibility between Simple Log Service and Elasticsearch. This topic also describes the Elasticsearch API operations and Elasticsearch domain-specific language (DSL) that are compatible with Simple Log Service.
This topic is proprietary information of Alibaba Cloud, and describes the capabilities that are provided by Alibaba Cloud to interact with third-party services. Therefore, the names of third-party companies and services may be referenced in this topic.
Compatibility
Elasticsearch is an open source, distributed search and analytics engine that is built on Apache Lucene. Elasticsearch is commonly used for data processing and analysis. If you switch the log engine from Elasticsearch to Simple Log Service, you may need to change your usage habits and upstream and downstream programs. To resolve these issues, Simple Log Service provides the Elasticsearch-compatible API to ensure smooth migration of Elasticsearch query and analysis solutions and to reduce the difficulty in using Simple Log Service.
The Elasticsearch-compatible API of Simple Log Service translates the Elasticsearch DSL query syntax into the index-based query syntax and SQL analysis syntax of Simple Log Service. Then, Simple Log Service returns query and analysis results in a format that meets the Elasticsearch requirements. This way, the Elasticsearch query protocols can be implemented.
The Elasticsearch-compatible API of Simple Log Service is implemented based on the API specification of Elasticsearch 7.10.
You can call an Elasticsearch-compatible API operation only when you use a Standard Logstore and you create at least one field index.
Elasticsearch-compatible API endpoints
An endpoint of the Elasticsearch-compatible API is in the https://${project}.${sls-endpoint}/es/ format. Example: https://etl-guangzhou.cn-guangzhou.log.aliyuncs.com/es/. ${project} specifies the name of the project. ${sls-endpoint} specifies the endpoint of the project. For more information, see Endpoints.
Supported Elasticsearch-compatible API operations
The following table describes the Elasticsearch API operations that are compatible with the Elasticsearch-compatible API of Simple Log Service.
Request method | API path | Description |
POST | /${index}/_search | Queries a specified index. The index field specifies the Simple Log Service project and Logstore. Format: |
POST | /${index}/_async_search | Queries multiple resources at a time. |
POST | /_msearch | Queries multiple resources at a time. |
POST | /${index}/_bulk | Writes data to a specified index. Important: The _bulk operation supports only data writes and does not support data updates. |
GET | /${index}/_mapping | Queries the mapping of a specified index. |
Supported Elasticsearch DSL
The following tables describe the Elasticsearch DSL that is compatible with the Elasticsearch-compatible API of Simple Log Service.
Query-related DSL
DSL | Description |
bool | Performs a Boolean operation. |
match_all | Matches all logs. |
match | Matches an index. |
match_phrase | Matches a phrase. When you perform a query, the operator is translated into a SQL LIKE clause of Simple Log Service. The fields in the query result are configured with field indexes. |
multi_match | Matches multiple fields. |
prefix | Queries a prefix. |
range | Queries a range. |
term | Queries a term. When you perform a query, the operator is translated into the index-based query syntax of Simple Log Service. |
terms | Queries multiple terms. When you perform a query, the operator is translated into the index-based query syntax of Simple Log Service. |
wildcard | Matches a wildcard pattern. When you perform a query, the operator is translated into the SQL analysis syntax of Simple Log Service. |
regexp | Matches a regular expression. When you perform a query, the operator is translated into the SQL regexp_like function of Simple Log Service. The fields in the query result are configured with field indexes. |
exists | Checks whether a value exists. |
ids | Queries the ID field. |
Aggregation-related DSL
Category | DSL | Description |
Statistical analysis by group | Date histogram | Analyzes statistics based on the |
Statistical analysis by group | Histogram | Analyzes statistics based on a specific value interval. |
Statistical analysis by group | Range | Analyzes statistics based on a value range. |
Statistical analysis by group | Terms | Analyzes statistics based on the unique value of a field. |
Statistical analysis by group | Filter | Analyzes statistics based on a single filter condition. |
Statistical analysis by group | Filters | Analyzes statistics based on multiple filter conditions. |
Metric-based statistical analysis | Min | Calculates the minimum value. |
Metric-based statistical analysis | Max | Calculates the maximum value. |
Metric-based statistical analysis | Avg | Calculates the average value. |
Metric-based statistical analysis | Sum | Calculates the total value. |
Metric-based statistical analysis | Count | Calculates the quantity. |
Metric-based statistical analysis | Cardinality | Calculates the total number of unique values. |
Metric-based statistical analysis | Percentiles | Calculates the percentile at which a value is. |
Return logs | Top hits | Returns aggregated logs. |
Differences between the Elasticsearch-compatible API and standard Elasticsearch API
The Elasticsearch-compatible API of Simple Log Service does not support data updates.
The Elasticsearch-compatible API of Simple Log Service does not support query statements that contain scripts.
A Simple Log Service Logstore allows you to query petabytes of data. When you use the Elasticsearch-compatible API of Simple Log Service, Elasticsearch does not need to perform index rollovers.
Simple Log Service does not automatically create indexes. You must create indexes by calling API operations or by using the Simple Log Service console. For more information, see Create indexes.
When you use the Elasticsearch DSL to query fields, take note of the mappings between the fields of Elasticsearch and Simple Log Service. The following table describes the field mappings.
Elasticsearch | Simple Log Service | Description |
@timestamp | __time__ | If you specify the @timestamp field in a query statement, the __time__ field of Simple Log Service is mapped. |
_id | None | If the _id field exists in Simple Log Service, the _id field in Elasticsearch is mapped to the _id field in Simple Log Service. If the _id field does not exist in Simple Log Service, the system generates the uuid or _pack_meta field and maps the values of the _id field to the uuid or _pack_meta field. |
Grant permissions to a RAM user
You can use the following methods to grant a RAM user the permissions to query or write data by using the Elasticsearch-compatible API.
Simple mode: You can use system policies to grant the required permissions to the RAM user. You do not need to configure parameters.
Custom mode: You can create custom policies and attach the policies to the RAM user. This mode allows you to perform fine-grained access control. However, the configurations in this mode are complex.
Simple mode
You can use system policies to grant a RAM user the permissions to query or write data by using the Elasticsearch-compatible API. The following table describes the system policies. For more information, see Create a RAM user and authorize the RAM user to access Simple Log Service.
System policy name | Query permissions | Write permissions |
AliyunLogFullAccess | Yes | Yes |
AliyunLogReadOnlyAccess | Yes | No |
Custom mode
You can use custom policies to grant a RAM user the permissions to query or write data by using the Elasticsearch-compatible API. The following examples show how to configure custom policies. For more information, see Create a custom policy and Grant permissions to RAM users.
The following sample policy grants a RAM user the permissions to query and write data by using the Elasticsearch-compatible API:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:GetIndex",
        "log:GetLogStoreContextLogs",
        "log:ListLogStores",
        "log:GetLogStoreHistogram",
        "log:GetLogstoreLogs",
        "log:GetCursorOrData",
        "log:GetLogstore",
        "log:PostLogStoreLogs"
      ],
      "Resource": "acs:log:*:*:project/*"
    }
  ]
}
The following sample policy grants a RAM user the permissions to query data by using the Elasticsearch-compatible API:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:GetIndex",
        "log:GetLogStoreContextLogs",
        "log:ListLogStores",
        "log:GetLogStoreHistogram",
        "log:GetLogstoreLogs",
        "log:GetCursorOrData",
        "log:GetLogstore"
      ],
      "Resource": "acs:log:*:*:project/*"
    }
  ]
}
The following sample policy grants a RAM user the permissions to write data by using the Elasticsearch-compatible API:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": "acs:log:*:*:project/*"
    }
  ]
}
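The sample policies above all use the resource acs:log:*:*:project/*, which applies the statement to every project. The following check is an added example, not Alibaba Cloud code: it reports whether a custom policy grants the query and write action sets listed on this page and whether the write permission applies to all projects. The function names, the case-insensitive and `*` wildcard action matching, the omission of Deny evaluation, and the project name example-project are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Action sets copied from the sample policies on this page.
QUERY_ACTIONS = {
    "log:GetIndex", "log:GetLogStoreContextLogs", "log:ListLogStores",
    "log:GetLogStoreHistogram", "log:GetLogstoreLogs", "log:GetCursorOrData",
    "log:GetLogstore"}
WRITE_ACTIONS = {"log:PostLogStoreLogs"}


def _as_list(value):
    """Policy fields may hold one item or a list of items."""
    if isinstance(value, list):
        return value
    return [] if value is None else [value]


def _covers(patterns, action):
    # Assumption: action names compare case-insensitively and may use '*'.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit_policy(policy_text):
    """Report which ES-compatible API capabilities a RAM policy allows."""
    allowed, broad_actions = [], []
    for stmt in _as_list(json.loads(policy_text).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements are summarised (assumption)
        actions = _as_list(stmt.get("Action"))
        allowed += actions
        # A project segment of '*' applies the statement to every project.
        if any(r == "*" or r.endswith(":project/*")
               for r in _as_list(stmt.get("Resource"))):
            broad_actions += actions
    missing = sorted(a for a in QUERY_ACTIONS if not _covers(allowed, a))
    return {
        "can_query": not missing,
        "missing_query_actions": missing,
        "can_write": all(_covers(allowed, a) for a in WRITE_ACTIONS),
        "write_on_all_projects":
            all(_covers(broad_actions, a) for a in WRITE_ACTIONS),
    }


# Constructed sample: the page's write policy narrowed to a hypothetical project.
SCOPED_WRITE = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["log:PostLogStoreLogs"],
    "Resource": "acs:log:*:*:project/example-project/*"}]})
```

Running audit_policy over each custom policy before attaching it shows which policies are write-capable and which of those are not limited to a single project.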