How to configure interaction occurrences for raw logs in the Simple Log Service console - Simple Log Service

Simple Log Service supports default event settings and advanced event settings, which allow you to configure interaction occurrences for raw logs in a visualized and simplified manner. After you configure an event, you can obtain more log details. This topic describes how to configure event settings in the Simple Log Service console.

Prerequisites

The indexing feature is enabled, and indexes are configured. For more information, see Create indexes.

Background information

The drilling feature is required for data analysis. The feature allows you to analyze data in a fine-grained or coarse-grained manner. Drilling includes roll-up and drill-down. Drill-down provides more detailed analysis results, which allows you to extract more value from data and improve business decisions. Simple Log Service allows you to configure default events and advanced events to analyze raw logs.

Default event settings

Prerequisites

Data is collected by using Logtail. If data is collected by using Simple Log Service SDK or Simple Log Service API, you cannot configure default events.

Procedure

When you configure default events, you can add conditions to query statements by using the AND and NOT operators or create query statements.

On the Table or Raw Data tab, click a field value. The Default dialog box appears. The following figure shows the operations that you can perform.

For example, the query statement that you entered in the search box is * | SELECT status as dim, count(1) as c group by dim. If you click the value 203.0.113.1 in the host field, a new query statement is generated in the search box. The new query statement varies based on the event action that you select.

Event action	Description	New query statement
Add to Query	Append the keyword that you click to the query statement by using the AND operator.	`* and host: "203.0.113.1" \| SELECT status as dim, count(1) as c group by dim`
Exclude from Query	Append the keyword that you click to the query statement by using the NOT operator.	`* not host: "203.0.113.1" \| SELECT status as dim, count(1) as c group by dim`
Add Search	Delete the original query statement and create a search statement by using the specified keyword.	`* and host: "203.0.113.1"`

Advanced event settings

You can configure advanced events for log fields to analyze logs in a fine-grained manner. You can configure an advanced event to open a Logstore, saved search, dashboard, or custom HTTP link.

On the Table or Raw Data tab, click the icon and select Event Settings to go to the Advanced Event Settings dialog box. event

Note

You can configure up to 10 advanced events for a log field.

Log on to the Simple Log Service console.
In the Projects section, click the project that you want to manage.
In the left-side navigation pane, click Log Storage. In the Logstores list, click the Logstore that you want to manage.
On the Raw Logs tab, click the Table or Raw Data tab. Then, click the icon and select Event Settings.
In the Advanced Event Settings dialog box, add the field for which you want to configure an advanced event, and click Add Event.

In the Event Settings section, configure the parameters.

You can configure an advanced event to open a Logstore, saved search, dashboard, or custom HTTP link.

Note

If you want to configure an advanced event to open a Logstore, make sure that the Logstore is created. For more information, see Create a Logstore.
If you want to configure an advanced event to open a saved search, make sure that the saved search is created. For more information, see Saved search.
If you want to configure variables for the event, make sure that the related placeholder variables are configured in the query statement of the destination saved search. For more information, see Variables.
If you want to configure an advanced event to open a dashboard, make sure that the dashboard is created. For more information, see Create a dashboard.
If you want to configure variables for the event, make sure that the related placeholder variables are configured in the required chart on the destination dashboard. For more information, see Variables.
If you want to configure an advanced event to open a custom HTTP link, make sure that the HTTP link is created.

Open Logstore

Set the Event Action parameter to Open Logstore. The following table describe the parameters.

Parameter	Description
Configuration Name	Enter the name of the advanced event.
Event Action	Select Open Logstore.
Open New Window	If you turn on this switch, the query and analysis page of the destination Logstore is opened on a new tab when the advanced event is triggered.
Time Range	Specify the query time range of the destination Logstore. Valid values: Default: After you click a field value on the Raw Logs tab and you are navigated to the query and analysis page of the destination Logstore, the time range on the query and analysis page is the default time range, which is 15 Minutes(Relative). Use Query Time: After you click a field value on the Raw Logs tab and you are navigated to the query and analysis page of the destination Logstore, the time range on the query and analysis page is the time range of the query statement that you use to query the raw logs. Relative: After you click a field value on the Raw Logs tab and you are navigated to the query and analysis page of the destination Logstore, the time range on the query and analysis page is the relative time range that you specify for the Time Range parameter. Time Frame: After you click a field value on the Raw Logs tab and you are navigated to the query and analysis page of the destination Logstore, the time range on the query and analysis page is the time frame that you specify for the Time Range parameter.
Select Logstore	Select the destination Logstore to which you want to be navigated. When the advanced event is triggered, you are navigated to the query and analysis page of the Logstore.
Inherit Filter Condition	If you turn on Inherit Filter Condition, the filter conditions of the current query statement are synchronized to the destination Logstore. Then, you can enter a query statement after the filter conditions. The query statement and the filter conditions are evaluated by using a logical `AND`.
Filter	If you enter a filter statement on the Filter tab, the filter statement is synchronized to the destination Logstore. Then, you can enter a query statement after the filter statement. The two statements are evaluated by using a logical `AND`. You can click variables in the Optional Parameter Fields section to add the variables as filter conditions to the filter statement. For example, if you click `${__topic__}`, the executed query statement of the destination Logstore is a combination of the variable and the custom query statement that you enter. The variable and the custom query statement are evaluated by using a logical `AND`.
Variable	This parameter is unconfigurable

Open Saved Search

Set the Event Action parameter to Open Saved Search. The following table describes the parameters.

Parameter	Description
Configuration Name	Enter the name of the advanced event.
Event Action	Select Open Saved Search.
Open New Window	If you turn on this switch, the query and analysis page of the destination saved search is opened on a new tab when the advanced event is triggered.
Time Range	Specify the query time range of the destination saved search. Valid values: Default: After you click a field value on the Raw Logs tab and you are navigated to the query and analysis page of the destination saved search, the time range on the query and analysis page is the default time range, which is 15 Minutes(Relative). Use Query Time: After you click a field value on the Raw Logs tab and you are navigated to the query and analysis page of the destination saved search, the time range on the query and analysis page is the time range of the query statement that you use to query the raw logs. Relative: After you click a field value on the Raw Logs tab and you are navigated to the query and analysis page of the destination saved search, the time range on the query and analysis page is the relative time range that you specify for the Time Range parameter. Time Frame: After you click a field value on the Raw Logs tab and you are navigated to the query and analysis page of the destination saved search, the time range on the query and analysis page is the time frame that you specify for the Time Range parameter.
Select Saved Query	Select the destination saved search. When the advanced event is triggered, you are navigated to the query and analysis page of the destination saved search.
Inherit Filter Condition	If you turn on Inherit Filter Condition, the filter conditions of the current query statement are synchronized to the destination saved search. Then, you can enter a query statement after the filter conditions. The query statement and the filter conditions are evaluated by using a logical `AND`.
Filter	If you enter a filter statement on the Filter tab, the filter statement is synchronized to the destination saved search. Then, you can enter a query statement after the filter statement. The two statements are evaluated by using a logical `AND`. You can click variables in the Optional Parameter Fields section to add the variables as filter conditions to the filter statement. For example, if you click `${__topic__}`, the executed query statement of the destination saved search is a combination of the variable and the custom query statement that you enter. The variable and the custom query statement are evaluated by using a logical `AND`.
Variable	Simple Log Service allows you to modify a saved search by using variables. If you configure a variable that is the same as an existing variable in the destination saved search for the advanced event, the variable in the destination saved search is replaced with the related field value in the log where you click a field value to trigger the advanced event. You can configure variables on the Variable tab. Note If you configure variables for the event, you must configure placeholder variables for the destination saved search in advance. For more information, see Variables. You can configure up to five dynamic variables and five static variables. Dynamic variables: When you click a field value in a log to trigger the advanced event, the values of the variable-related fields in the log are used as the values of the placeholder variables in the destination saved search to query data. Dynamic Variable Name: The name of the dynamic variable. Enter the placeholder variable that you configure in the destination saved search. Example: `dynamic_ip`. Column for Dynamic Variable Value: The variable-related field. A value of this field dynamically replaces the placeholder variable in the destination saved search. For example, you can select the `__source__` field. In this example, a value of the `__source__` field dynamically replaces the placeholder variable in the destination saved search. Static variables: The fixed values that you specify are used as the values of the placeholder variables in the destination saved search. Variable: The name of the static variable. Enter the placeholder variable that you configure in the destination saved search. Example: `static_ip`. Static Value: The fixed value of the static variable. The value replaces the placeholder variable in the destination saved search. For example, you can enter `203.0.113.1`. In this example, the value `203.0.113.1` of the `static_ip` field replaces the placeholder variable in the destination saved search. You can obtain logs in which the value of the placeholder variable is `203.0.113.1`.

Open Dashboard

Set the Event Action parameter to Open Dashboard. The following table describes the parameters.

Parameter	Description
Configuration Name	Enter the name of the advanced event.
Event Action	Select Open Dashboard.
Open New Window	If you turn on this switch, the page of the destination dashboard is opened on a new tab when the advanced event is triggered.
Time Range	Specify the query time range of the destination dashboard. Valid values: Default: After you click a field value on the Raw Logs tab and you are navigated to the page of the destination dashboard, the time range on the page is the default time range, which is 15 Minutes(Relative). Use Query Time: After you click a field value on the Raw Logs tab and you are navigated to the page of the destination dashboard, the time range on the page is the time range of the query statement of the required chart. Relative: After you click a field value on the Raw Logs tab and you are navigated to the page of the destination dashboard, the time range on the page is the relative time range that you specify for the Time Range parameter. Time Frame: After you click a field value on the Raw Logs tab and you are navigated to the page of the destination dashboard, the time range on the page is the time frame that you specify for the Time Range parameter.
Select Dashboard	Select the destination dashboard. When the advanced event is triggered, you are navigated to the page of the destination dashboard.
Inherit Filter Condition	If you turn on Inherit Filter Condition, the filter conditions of the current query statement are synchronized to the destination dashboard.
Filter	If you enter a filter statement on the Filter tab, the filter statement is synchronized to the destination dashboard. You can click variables in the Optional Parameter Fields section to add the variables as filter conditions to the filter statement. For example, if you click `${__source__}`, only the logs that contain the `${__source__}` variable are displayed in the destination dashboard.
Variable	Configure variables. The variables that you configure are synchronized to the destination dashboard. You can configure variables on the Variable tab. Note If you configure variables for the event, you must configure placeholder variables for the required chart on the destination dashboard in advance. For more information, see Variables. You can configure up to five dynamic variables and five static variables. Dynamic variables: When you click a field value in a log to trigger the advanced event, the values of the variable-related fields in the log are used as the values of the placeholder variables for the required chart on the destination dashboard to query data. Dynamic Variable Name: The name of the dynamic variable. Enter the placeholder variable that you configure for the required chart on the destination dashboard. Example: `dynamic_ip`. Column for Dynamic Variable Value: The variable-related field. A value of this field dynamically replaces the placeholder variable for the required chart on the destination dashboard. For example, you can select the `__source__` field. In this example, a value of the `__source__` field dynamically replaces the placeholder variable for the required chart on the destination dashboard. Static variables: The fixed values that you specify are used as the values of the placeholder variables for the required chart on the destination dashboard. Variable: The name of the static variable. Enter the placeholder variable that you configure for the required chart on the destination dashboard. Example: `static_ip`. Static Value: The fixed value of the static variable. The value replaces the placeholder variable for the required chart on the destination dashboard. For example, you can enter `203.0.113.1`. In this example, the value `203.0.113.1` of the `static_ip` field replaces the placeholder variable for the required chart on the destination dashboard. You can obtain logs in which the value of the placeholder variable is `203.0.113.1`.

Create Custom HTTP URL

Set the Event Action parameter to Create Custom HTTP URL. The following table describe the parameters.

The path to the destination file is included in the destination HTTP URL.
You can add variables in the Optional Parameter Fields section to the path of the destination HTTP URL. When the advanced event is triggered, the variables in the path are replaced by the variable-related field values. You are navigated to the landing page of the destination HTTP URL.

Parameter	Description
Configuration Name	Enter the name of the advanced event.
Event Action	Select Create Custom HTTP URL.
Protocol	Select the protocol type for the destination HTTP URL. You can select HTTP or Custom.
Enter a URL	Enter the destination URL to which you want to be navigated. For example, if you enter `www.example.com/s?wd=${sls_project}`, you are navigated to the landing page of this URL. When the advanced event is triggered, the ${sls_project} variable is replaced by the name of your project.
Use System Variable	If you turn on Use System Variable, you can insert the system variables of Simple Log Service into the HTTP URL. The variables are ${sls_project}, ${sls_dashboard_title}, ${sls_chart_name}, ${sls_chart_title}, ${sls_region}, ${sls_start_time}, ${sls_end_time}, ${sls_realUid}, and ${sls_aliUid}.
Transcode	If you turn on Transcode, the HTTP URL is encoded.
Optional Parameter Fields	Add variables to the path of the HTTP URL. When the advanced event is triggered, the variables in the HTTP URL are replaced by the variable-related field values.

Example

The following example describes how to configure an advanced event to open a saved search in a Logstore named accesslog. The saved search allows you to query the distribution of page views (PVs) by IP address and request method. On the Raw Logs page, find the remote_addr field and configure an advanced event to open a saved search. After the advanced event is configured, click a value of the remote_addr field to trigger the advanced event. Then, you are navigated to the query and analysis page of the saved search. You can view the PV distribution on the page.

Raw log:

__source__:127.0.0.1
__tag__:__receive_time__:1613759995
__topic__:nginx_access_log
body_bytes_sent:5077
host:www.example.com
http_referer:www.example.com
http_user_agent:Mozilla/5.0 (X11; CrOS i686 12.0.742.91) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/192.0.2.2 Safari/534.30
http_x_forwarded_for:192.0.2.1
remote_addr:192.0.2.0
remote_user:gp_02
request_length:3932
request_method:POST
request_time:35
request_uri:/request/path-2/file-4
status:200
time_local:19/Feb/2021:18:39:50
upstream_response_time:0.09

Procedure

Query the PV distribution of requests whose request method is POST and status code is 200. Create a saved search named PV Distribution of IP Addresses and Request Method based on the query statement. The following sample code shows the query statement. The following figure shows the result of the query statement.
```
* and request_method: POST and status: 200 | select count(*) as pv, remote_addr as ip,request_method as method group by ip,method order by ip desc
```

Configure the method and status2 variables in the saved search. The following sample code shows the new query statement:

* and request_method: ${method} and status: ${status2} | select count(*) as pv, remote_addr as ip,request_method as method group by ip,method order by ip desc

On the Raw Logs tab, configure an advanced event for the remote_addr field. Set the Event Action parameter to Open Saved Search and configure other parameters based on the following descriptions:
- Select Quick Query: Select the PV Distribution of IP Addresses and Request Method saved search.
- Filter: Leave parameters on this tab empty.
- Variable: Add a static variable. Set the name of the static variable to status2 and the value to 400. Then, add a dynamic variable. Set the name of the dynamic variable to method and select the request_method field.
On the Raw Logs tab, click a value of the remote_addr > PV Distribution of IP Addresses and Request Method event below Advanced.
In the log where you click the field value, the value of the request_method field is GET, and the value of the status field is 404.

On the new tab that appears, the following query statement is displayed in the search box:

* and request_method: GET and status: 400 | select count(*) as pv, remote_addr as ip,request_method as method group by ip,method order by ip desc

View the result of the saved search.
In this example, the value of the static variable status2 is 400 and the static variable corresponds to the status field. In the log where you click a field value to trigger the advanced event, the value of the request_method field is GET. Therefore, the value of the dynamic variable method is GET. The result of the saved search shows the PV distribution of requests whose request method is GET and status code is 400 by IP address.
If the value of the request_method field is PUT in the log where you click a field value to trigger the advanced event, the result of the saved search shows the PV distribution of requests whose request method is PUT and status code is 400 by IP address.