This topic describes how to use the query and analysis feature of Log Service to analyze layer-7 access logs of Server Load Balancer (SLB) in real time.

Prerequisites

Layer-7 access logs of SLB are collected. For more information, see Enable the access log management feature.

Background information

SLB is a basic component for most cloud services. In most cases, you need to continuously monitor, detect, diagnose, and configure alerts for SLB. Alibaba Cloud SLB distributes traffic to multiple ECS instances to improve the service capabilities of applications. You can use SLB to prevent single point of failures (SPOFs) and a large number of concurrent web access requests.

Access logs can be generated for layer-7 SLB based on HTTP or HTTPS. For more information about access logs, see Log fields. SLB has the following metrics:
  • Page Views (PVs): the total number of HTTP or HTTPS requests sent by the clients.
  • Unique Visitors (UVs): the total number of unique requests. Requests initiated by unique visitors from the same client are counted only once.
  • Request success rate: the percentage of the requests whose status code is 2XX to the total PVs.
  • Request traffic: the total number of bytes of request messages that are sent by the clients.
  • Response traffic: the total number of bytes of the HTTP message body that is sent to the clients.
  • PV heat map: indicates the density of PVs in the regions where the IP addresses of the clients reside.

Examples

  1. Log on to the Log Service console.
  2. In the Projects section, click a project.
  3. In the left-side navigation pane, choose Log Management > Logstores. Find the destination Logstore and click the > icon next to it.
  4. In the Visual Dashboards section, click the destination dashboard.
    The destination dashboard includes slb-user-log-slb_layer7_operation_center_en and slb-user-log-slb_layer7_access_center_en.
    • Basic analysis
      • View the regions from which the requests are sent in a specified period.PV heat map
      • Use the filter to specify an SLB instance and view the PV and UV trends of the SLB instance. For more information about how to use the filter, see Add a filter.PV and UV trends
    • Traffic and latency analysis
      • View the trends of the request traffic and response traffic in a specified period.Traffic analysis
      • View the trends of the response time and upstream response time in a specified period.Response time
      • View the trend of high-latency requests in a specified period.Latency analysis
    • User request analysis
      • View the distributions of the request methods and request protocols in a specified period.PV trend analysis
      • View the PV trend of different request methods in a specified period.PV trend of different request methods
      • View the distribution of different status codes in a specified period.

        If a large number of status codes 500 are generated, it indicates that internal errors have occurred on the ECS instance.

        Status code
      • View the PV trends of different status codes in a specified period.The PV trend of different status codes
    • Request source analysis
      • View the distribution of Internet service providers.Distribution of Internet service providers
      • View the geographic location such as country, province, and city by analyzing the IP addresses of the clients.Top client
      • View the information of a user agent.
        The user agent (http_user_agent) can be used to identify who is visiting the website or service. For example, a search engine uses web crawlers to scan or download website resources. In most cases, web crawlers allow the search engine to update website content in a timely manner and facilitates website promotion and search engine optimization (SEO). If all of the high PV requests are sent from the web crawlers, the service performance may be affected and ECS instance resources may be wasted.User agent
    • Business analysis
      You can use access logs to analyze service traffic and make business decisions.
      • Analyze the PV heat map to optimize promotion plans.Client distribution
      • Analyze visitor behavior based on the host and URI information to optimize website content.Top host

Request scheduling analysis

Client traffic is first processed by SLB and then distributed to an ECS instance for business logic processing. SLB can detect unhealthy ECS instances and distribute traffic to healthy ECS instances. After the unhealthy ECS instances recover, traffic is distributed to them.

Add a listener to the SLB instance to listen to four ECS instances. If an ECS instance (192.168.0.0) acts as a jump server, its performance is four times higher than that of the other three ECS instances. Set the weight of the jumper server (ECS instance) to 100 and set the weight of the other three ECS instances to 20. Run the following query statement to analyze the distribution of request traffic:
* | select COALESCE(client_ip, vip_addr, upstream_addr) as source, COALESCE(upstream_addr, vip_addr, client_ip) as dest, sum(request_length) as inflow group by grouping sets( (client_ip, vip_addr), (vip_addr, upstream_addr))
The Sankey diagram shows the load of the four ECS instances. After SLB receives traffic, the traffic is distributed to the four ECS instances based on their respective weights (20, 20, 20, and 100).Sankey diagram