Simple Log Service: FAQ about query and analysis

Last Updated: Feb 05, 2025

This topic provides answers to some frequently asked questions about log query.

How do I identify the source machine from which logs are collected when I query logs?

  • If a Logtail configuration is applied to an IP address-based machine group, you can use the internal IP address to identify the source machine. For more information, see Create an IP address-based machine group.

  • Before you execute the statement __tag__:__hostname__:XXX, you must create an index for the __tag__:__hostname__ field and turn on Enable Analytics for the field. For more information about how to create indexes, see Create indexes. For more information about __tag__ fields, see Reserved fields. For example, you can use the following statement to query the number of times that different hostnames appear in logs. In the analytic statement, enclose the field name in double quotation marks, because single quotation marks denote a string literal.

    * | select "__tag__:__hostname__", count(1) as count group by "__tag__:__hostname__"

How do I query logs by using an IP address?

  • Query logs by using an IP address.

    __tag__:__client_ip__:192.0.2.1

  • Query logs whose IP addresses start with 192.0.2.

    __source__:192.0.2.*
  • Query logs whose IP addresses match 192.168.XX.XX. You can also use a regular expression to perform a fuzzy match. For more information, see How do I query logs by using fuzzy match?

    * | select * from log where key like '192.168.%.%'

How do I use two conditions to query logs?

If you want to use two conditions to query logs, specify both conditions in the same search statement.

For example, if you want to query logs whose status field is neither OK nor Unknown in a Logstore, you can use the statement not OK not Unknown to obtain the logs that meet the conditions.

How do I query logs in Simple Log Service?

You can use one of the following methods to query logs in Simple Log Service:

  • Use the Simple Log Service console to query logs. For more information about how to query and analyze logs in the Simple Log Service console, see Query and analyze logs.

  • Use Simple Log Service SDK to query logs. For more information, see Overview of Simple Log Service SDK.

  • Use RESTful API operations to query logs. For more information, see GetLogs.

I can use Simple Log Service SDK to query logs, but a timeout or network error occurs when I use the SDK to perform SQL analysis. What do I do?

A possible reason is that the network firewall of your client intercepts the requests that contain a keyword used in SQL analysis.

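We recommend that you switch to a Simple Log Service endpoint that starts with HTTPS to check whether the error is caused by the network firewall of your client. Over HTTPS the request is encrypted in transit, so a firewall that inspects plaintext traffic cannot match the SQL keywords in it.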

Why are field values truncated when I query and analyze logs?

The following list describes the limits on the lengths of field values that can be retained for query and analysis in Simple Log Service:

  • When you query logs, the maximum length of a field value that can be retained for query is 524,288 bytes, which is equivalent to 512 KB.

  • When you analyze logs, the default maximum length of a field value that can be retained for analysis is 2,048 bytes, which is equivalent to 2 KB. The maximum length can be extended to 16,384 bytes, which is equivalent to 16 KB.

    If you want to change the maximum length of a field value, you can configure the Maximum Statistics Field Length parameter. You can specify a value that ranges from 64 to 16,384 bytes. For more information, see Create indexes.

If the length of a field value exceeds the upper limit, the field value is truncated, and the excess part is not retained for query or analysis.
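
The limits above decide what a detection query can see: content that sits past the analysis limit is not available to SQL analysis even though it is still within the query limit. The following Python check is an added example, not code from Simple Log Service or its SDK. The function names and the sample record are hypothetical, and truncation is modelled as a plain cut at the byte limit, which is an assumption.

```python
# Limits quoted in the FAQ above, in bytes.
QUERY_MAX_BYTES = 524_288                  # 512 KB retained for query
ANALYSIS_DEFAULT_BYTES = 2_048             # 2 KB retained for analysis by default
ANALYSIS_MIN_BYTES, ANALYSIS_MAX_BYTES = 64, 16_384  # Maximum Statistics Field Length range


def retained(value: str, limit: int) -> bytes:
    """Bytes kept after truncation (assumption: plain cut at `limit` UTF-8 bytes)."""
    return value.encode("utf-8")[:limit]


def audit_record(record: dict, analysis_limit: int = ANALYSIS_DEFAULT_BYTES) -> dict:
    """Per field: size in bytes and how many bytes are lost to query and to analysis."""
    if not ANALYSIS_MIN_BYTES <= analysis_limit <= ANALYSIS_MAX_BYTES:
        raise ValueError("analysis limit must be between 64 and 16,384 bytes")
    report = {}
    for field, value in record.items():
        size = len(value.encode("utf-8"))  # limits are in bytes, not characters
        report[field] = {
            "bytes": size,
            "lost_for_query": max(0, size - QUERY_MAX_BYTES),
            "lost_for_analysis": max(0, size - analysis_limit),
        }
    return report


def visible_to_analysis(value: str, needle: str,
                        analysis_limit: int = ANALYSIS_DEFAULT_BYTES) -> bool:
    """True only if `needle` lies entirely inside the part retained for analysis."""
    return needle.encode("utf-8") in retained(value, analysis_limit)


# Constructed sample record: a marker string placed after 3,000 bytes of padding.
SAMPLE = {
    "status": "200",
    "request_body": "a" * 3000 + "MARKER-END",
}

if __name__ == "__main__":
    for field, row in audit_record(SAMPLE).items():
        print(field, row)
    body = SAMPLE["request_body"]
    print("visible at default 2 KB:", visible_to_analysis(body, "MARKER-END"))
    print("visible at 16 KB:", visible_to_analysis(body, "MARKER-END", 16_384))
```

Running such a check over representative records before you rely on an analytic statement shows which fields need a larger Maximum Statistics Field Length.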

How do I analyze non-indexed fields?

If you want to analyze logs but have not configured indexes or cannot configure indexes for the required fields, you can perform the following operations to resolve the issue:

  • Configure indexes or reindex data

    • If you want to analyze newly written logs, you can configure indexes for the required fields and turn on Enable Analytics for the fields. For more information, see Create indexes.

    • If you want to analyze historical logs, you must reindex the required fields in the historical logs. For more information, see Reindex logs for a Logstore.

  • Enable the scan feature

    If you cannot configure indexes, you can enable the scan feature to analyze logs. For more information, see Scan-based analysis overview and Scan logs.

How do I change the number of rows that can be returned by an SQL query?

By default, Simple Log Service appends the LIMIT 100 clause to a query statement when you execute the query statement. If you want to change the number of rows that can be returned, you can modify the LIMIT clause. For more information, see LIMIT clause.