This topic provides answers to some frequently asked questions about log queries.
How do I identify the source machine from which logs are collected during a log query?
If you use Logtail to collect logs and configure IP addresses as identifiers for a machine group, you can identify machines in the machine group based on the internal IP addresses of the machines. When you query logs, you can use a specified hostname or a custom IP address to identify the source machine from which logs are collected.
For example, you can use the following statement to query the number of times that different hostnames appear in logs. The statement requires that indexes are configured for the __tag__:__hostname__ field and that Enable Analytics is turned on for the field.
* | select "__tag__:__hostname__", count(1) as count group by "__tag__:__hostname__"
How do I search for logs by an IP address?
You can use the full match method to search for logs by IP address. For example, you can search for logs that include or exclude a specified IP address. You cannot use the partial match method to search for logs by IP address because periods (.) that are included in an IP address are not default delimiters in Simple Log Service. To match part of an IP address, we recommend that you filter logs by using other methods. For example, you can use an SDK to download logs, and then use a regular expression or the string.indexof method to search for logs by IP address.
For example, if you execute the following statement, the logs that contain IP addresses in the 121.42.0 network segment are still returned.
not ip:121.42.0 not status:200 not 360jk not DNSPod-Monitor not status:302 not jiankongbao not 301 and status:403
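The client-side filtering recommended above, as an added example that is not part of the original documentation: it takes logs that were already downloaded with an SDK, represented here by constructed sample records, and keeps or excludes the ones that mention an address in the 121.42.0 network segment. The function names, the sample records and the reading of that segment as 121.42.0.0/24 are assumptions.

```python
import ipaddress
import re

# Candidate dotted quads; the lookarounds stop a match from starting or ending
# inside a longer run of digits and dots (for example "1121.42.0.5").
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def ips_in(text):
    """Return every valid IPv4 address found in a string."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            found.append(ipaddress.IPv4Address(candidate))
        except ipaddress.AddressValueError:
            pass  # looks like an address but is not one, e.g. 121.42.0.300
    return found


def filter_by_segment(logs, segment, exclude=False):
    """Keep logs that mention an address in `segment`, or drop them if exclude=True."""
    network = ipaddress.ip_network(segment)
    kept = []
    for log in logs:
        hit = any(ip in network for value in log.values() for ip in ips_in(str(value)))
        if hit != exclude:
            kept.append(log)
    return kept


# Constructed sample records, shaped like key-value logs downloaded from a Logstore.
SAMPLE_LOGS = [
    {"ip": "121.42.0.15", "status": "403"},
    {"ip": "10.121.42.0", "status": "403"},   # contains the substring "121.42.0"
    {"ip": "121.42.1.9", "status": "200"},
    {"message": "upstream 121.42.0.200:8080 refused", "status": "502"},
    {"ip": "121.42.0.300", "status": "403"},  # not a valid address
]

if __name__ == "__main__":
    for log in filter_by_segment(SAMPLE_LOGS, "121.42.0.0/24"):
        print("match:", log)
    for log in filter_by_segment(SAMPLE_LOGS, "121.42.0.0/24", exclude=True):
        print("other:", log)
```

Parsing each address and testing network membership avoids the false hit that a plain substring search for 121.42.0 would give on 10.121.42.0.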
How do I use two conditions to query logs?
If you want to use two conditions to query logs, specify both conditions in the same query statement.
For example, to query logs whose status field is neither OK nor Unknown in a Logstore, use the following statement to obtain the logs that meet the conditions:
not OK not Unknown
How do I query logs in Simple Log Service?
You can use one of the following methods to query logs in Simple Log Service:
Use the Simple Log Service console to query logs. For more information, see Query and analyze logs.
Use an SDK to query logs. For more information, see Overview of Simple Log Service SDKs.
Use RESTful APIs to query logs. For more information, see GetLogs.
I can use an SDK to search for logs, but a timeout or a network error occurs when I perform SQL log analysis. What do I do?
A possible reason is that the network firewall of your client intercepts requests that contain SQL analysis keywords.
We recommend that you change the endpoint of Simple Log Service to an endpoint that starts with https to troubleshoot the error that is related to the network firewall of your client.