Simple Log Service allows you to configure drill-down events for raw logs to visualize logs and obtain more log details. You can configure default events and advanced events. This topic describes how to configure events for raw logs in the Simple Log Service console.
Prerequisites
The indexing feature is enabled and configured. For more information, see Create indexes.
A Logstore is created if you configure an advanced event to open a Logstore. For more information, see Create a Logstore.
A saved search is created if you configure an advanced event to open a saved search. For more information, see Saved search.
Placeholder variables are configured in the destination saved search if you configure variables. For more information, see Set a placeholder variable.
A dashboard is created if you configure an advanced event to open a dashboard. For more information, see Create a dashboard.
Placeholder variables are configured in the destination dashboard if you configure variables. For more information, see Set a placeholder variable.
An HTTP link is created if you configure an advanced event to open a custom HTTP link.
Background information
Drilling is an essential feature in data analysis. This feature allows you to view more details by moving to different layers of data. Drilling includes rolling up and drilling down. Drilling down allows you to move to deeper data layers to gain insight into data. This way, you can extract more value from data and make informed decisions. Simple Log Service allows you to configure default events and advanced events to analyze raw logs.
Configure default events
When you configure default events, you can add conditions to query statements by using the AND and OR operators or create new query statements.
On the Table or Raw Data tab, click a field value. The Default dialog box appears. The following figure shows the operations that you can perform. For example, the query statement you entered in the search box is * | SELECT status as dim, count(1) as c group by dim. If you click the value 203.0.113.1 in the host field, the query statement in the search box varies based on the event action you select.
Event action | Description | Result |
Add to Query | Append the keyword that you click to the query statement by using the AND operator and query the data. | |
Exclude from Query | Append the keyword that you click to the query statement by using the NOT operator. | |
Add Search | Delete the query statement from the search box and create a query statement by using the specified keyword. | |
Configure advanced events
You can configure advanced events for log fields to analyze logs at a deeper level. You can configure an advanced event to open a Logstore, saved search, dashboard, or a custom HTTP link.
On the Table or Raw Data tab, click and then click Event Settings to go to the Advanced Event Settings window.
You can configure up to 10 advanced events for each log field.
Log on to the Simple Log Service console.
In the Projects section, click the project that you want to manage.
On the tab, click the Logstore that you want to manage.
On the Raw Logs tab, click Table or Raw Data. Then, click and Event Settings to go to the Advanced Event Settings window.
In the Advanced Event Settings window, click the field for which you want to add the advanced events, and click Add Event.
In the Event Settings section, set the required parameters.
You can configure an advanced event to open a Logstore, saved search, dashboard, or a custom HTTP link. The following table describes the parameters.
Open Logstore
Set the event action to open a Logstore. The following table describes the parameters.
Parameter
Description
Configuration Name
The name of the advanced event.
Event Action
Select Open Logstore.
Open in New Tab
If you turn on this switch, the specified Logstore is opened in a new tab when the advanced event is triggered.
Time Range
The time range that is used to query the data in the specified Logstore. Valid values:
Default: The time range that is used to query the data in the Logstore to which you are redirected. The default time range is 15 Minutes (Relative).
Use Query Time: The time range that is used to query the data in the Logstore to which you are redirected. This time range is the same as the time range specified to query raw logs.
Relative: The time range that is used to query the data in the Logstore to which you are redirected. This time range is accurate to the second.
Time Frame: The time range that is used to query the data in the Logstore to which you are redirected. This time range is accurate to the minute, hour, or day.
Select Logstore
The name of the Logstore to which you want to be redirected. When an advanced event is triggered, you are redirected to the Logstore page.
Inherit Filtering Conditions
If you turn on the Inherit Filtering Conditions switch, the filtering conditions of the current query are synchronized to the destination Logstore by using the AND operator.
Filter
If you enter a filter statement on the Filter tab, the filter statement is synchronized to the destination Logstore by using the AND operator.
The filter statement can contain fields that you specify in the Optional Parameter Fields field. For example, if you click ${__topic__}, the variable is appended to the query statement of the destination Logstore by using the AND operator.
Variable
Not supported.
Open Saved Search
Set the event action to open a saved search. The following table describes the parameters.
Parameter
Description
Configuration Name
The name of the advanced event.
Event Action
Select Open Saved Search.
Open in New Tab
If you turn on this switch, the specified saved search is opened in a new tab when the advanced event is triggered.
Time Range
The time range of the data that the saved search queries. Valid values:
Default: The time range of the data that the saved search queries is the default time range of a Logstore. The default time range is 15 Minutes (Relative).
Use Query Time: The time range of the data that the saved search queries is the same as the time range specified when you query raw logs.
Relative: The time range of the data that the saved search queries is accurate to the second.
Time Frame: The time range of the data that the saved search queries is accurate to the minute, hour, or day.
Select Saved Search
The name of the saved search to which you want to be redirected.
Inherit Filtering Conditions
If you turn on the Inherit Filtering Conditions switch, the filtering conditions of the current query are synchronized to the saved search to which you are redirected. The filtering conditions are appended to the saved search by using the AND operator.
Filter
If you enter a filter statement on the Filter tab, the filter statement is appended to the destination saved search by using the AND operator.
The filter statement can contain fields that you specify in the Optional Parameter Fields field. For example, if you click ${__topic__}, the variable is appended to the query statement of the destination saved search by using the AND operator.
Variable
Simple Log Service allows you to modify a saved search by using variables. If you configure a variable that is the same as a variable in the saved search, the configured variable replaces the variable in the saved search. Click Variable to go to the Variable tab and configure variables.
Note: If you configure variables for the event, you must first configure placeholder variables for the saved search to which you want to be redirected. For more information, see Set a placeholder variable.
You can add a maximum of five dynamic variables and five static variables.
Dynamic variables: The field value that you click to trigger the event is used as the variable for the query.
Variable: The name of the dynamic variable. For example, the placeholder variable that you specify in the saved search is dynamic_ip.
Variable Value Column: The column where the variable value is located. For example, if you select __source__, the value of the __source__ field replaces the placeholder variable in the destination saved search.
Static variables: The static variable that you specify is used for the query.
Variable: The name of the static variable. For example, the placeholder variable that you specify in the saved search is static_ip.
Static Value: The value of the static variable that is used to replace the placeholder variable in the destination saved search. For example, 203.0.113.1 indicates that the value 203.0.113.1 of the static_ip field replaces the placeholder variable in the destination saved search. Logs whose placeholder variable value is 203.0.113.1 are queried.
Open Dashboard
Set the event action to open a dashboard. The following table describes the parameters.
Parameter
Description
Configuration Name
The name of the advanced event.
Event Action
Select Open Dashboard.
Open in New Tab
If you turn on this switch, the specified dashboard is opened in a new tab when the advanced event is triggered.
Time Range
The time range that is used to query for the dashboard to which you are redirected. Valid values:
Default: The time range that is used to query for the dashboard to which you are redirected is the default time range. The default time range is 15 Minutes (Relative).
Use Query Time: The time range of the chart on the destination dashboard is the time range of the chart that is specified on the source dashboard when the event is triggered.
Relative: The time range that is used to query for the dashboard to which you are redirected. This time range is accurate to the second.
Time Frame: The time range that is used to query for the dashboard to which you are redirected. This time range is accurate to the minute, hour, or day.
Select Dashboard
The name of the dashboard to which you want to be redirected.
Inherit Filtering Conditions
If you turn on the Inherit Filtering Conditions switch, the filtering conditions of the source dashboard are synchronized to the destination dashboard when the event is triggered.
Filter
If you enter a filter statement on the Filter tab, the filter statement is synchronized to the destination dashboard.
The filter statement can contain fields that you specify in the Optional Parameter Fields field. For example, if you click ${__source__}, only the logs that contain the ${__source__} fields are displayed in the destination dashboard.
Variable
The variables that you configure are synchronized to the destination dashboard when the event is triggered. Click Variable to go to the Variable tab and configure variables.
Note: If you configure variables for the event, you must first configure placeholder variables for the chart of the destination dashboard to which you want to be redirected. For more information, see Set a placeholder variable.
You can add a maximum of five dynamic variables and five static variables.
Dynamic variables: The field value that you click to trigger the event is used as the variable to query.
Variable: The name of the dynamic variable. For example, the placeholder variable that you specify in the destination dashboard is dynamic_ip.
Variable Value Column: The column where the variable value is located. For example, if you select __source__, the value of the __source__ field replaces the placeholder variable in the destination dashboard.
Static variables: The static variable that you specify is used for the query.
Variable: The name of the static variable. For example, the placeholder variable that you specify in the destination dashboard is static_ip.
Static Value: The value of the static variable that is used to replace the placeholder variable in the destination dashboard. For example, 203.0.113.1 indicates that the value 203.0.113.1 of the static_ip field replaces the placeholder variable in the destination dashboard. Logs whose placeholder variable value is 203.0.113.1 are queried.
Open HTTP Link
Set the event action to open a custom HTTP link.
The path in the HTTP link is the path of the destination file.
If you add an optional parameter to the path and click a field value to trigger the advanced event, the added parameter is replaced by the field value. At the same time, you are redirected to the new HTTP link.
Parameter
Description
Configuration Name
The name of the advanced event.
Event Action
Select Custom HTTP Link.
Protocol
The protocol type that is used to access the custom HTTP link. You can select HTTP or custom protocol.
Enter Link
The address to which you want to be redirected.
For example, if you enter www.example.com/s?wd=${sls_project}, you are redirected to this address after the event is triggered. The ${sls_project} parameter is replaced by the name of your project.
Use System Variables
If you turn on the Use System Variables switch, you can insert variables that are provided by Simple Log Service into the HTTP link. The variables are ${sls_project}, ${sls_dashboard_title}, ${sls_chart_name}, ${sls_chart_title}, ${sls_region}, ${sls_start_time}, ${sls_end_time}, ${sls_realUid}, and ${sls_aliUid}.
Transcoding
If you turn on the Transcoding switch, the HTTP link is encoded.
Optional Parameter Fields
If you add an optional parameter to the path, the parameter is replaced by the field value when you click a field value to trigger the advanced event.
Example
The following example describes how to store access logs in a Logstore named accesslog. In this example, a saved search is created to query the page view (PV) distribution of IP addresses and request methods. On the Raw Logs page, set the advanced event for the remote_addr field to open a saved search. Then, click remote_addr. You are redirected to the saved search to view the PV distribution.
Raw log entry:
__source__:127.0.0.1
__tag__:__receive_time__:1613759995
__topic__:nginx_access_log
body_bytes_sent:5077
host:www.example.com
http_referer:www.example.com
http_user_agent:Mozilla/5.0 (X11; CrOS i686 12.0.742.91) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/192.0.2.2 Safari/534.30
http_x_forwarded_for:192.0.2.1
remote_addr:192.0.2.0
remote_user:gp_02
request_length:3932
request_method:POST
request_time:35
request_uri:/request/path-2/file-4
status:200
time_local:19/Feb/2021:18:39:50
upstream_response_time:0.09
Procedure
Query the PV distribution of requests whose request method is POST and status code is 200. Create a saved search named PV Distribution of IP Addresses and Request Method. The following example shows the query statement and query result:
* and request_method: POST and status: 200 | select count(*) as pv, remote_addr as ip,request_method as method group by ip,method order by ip desc
Set the method and status2 variables in the query statement. The following example shows the query statement:
* and request_method: ${method} and status: ${status2} | select count(*) as pv, remote_addr as ip,request_method as method group by ip,method order by ip desc
On the Raw Logs tab, set the advanced event for the remote_addr field to Open Saved Search and set the following parameters.
Select Quick Query: Select PV Distribution of IP Addresses and Request Method.
Filter: You do not need to specify the parameters on this tab.
Variables: Set the key of a static variable to status2 and the value to 400. Set the key of a dynamic variable to method and the value to request_method.
On the Raw Logs tab, choose .
In the raw log entry, the request_method is GET and the status is 404.
Click the name of the saved search. The following query statement is displayed in the window that appears:
* and request_method: GET and status: 400 | select count(*) as pv, remote_addr as ip,request_method as method group by ip,method order by ip desc
View the query result of the saved search.
In this example, the static variable status2 is set to 400 and supplies the value of the status field. The value of the request_method field is GET, so the value of the dynamic variable method is GET. The result of the saved search shows the PV distribution of IP addresses whose request method is GET and status code is 400.
For example, if the value of the request_method field is PUT, the result of the saved search shows the PV distribution of IP addresses whose request method is PUT and status code is 400.
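The placeholder replacement described under Open Saved Search and Open HTTP Link, as an added Python model (not Simple Log Service code). It reproduces the query from the procedure above and shows what a field value containing URL metacharacters does to a link with and without encoding. The log entry, the link template that uses request_uri, and the use of percent-encoding to stand in for Transcoding are assumptions; the page only states that the link is encoded.

```python
import re
from urllib.parse import quote

MAX_VARS = 5  # the page allows at most five dynamic and five static variables
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")

def resolve_variables(log, dynamic, static):
    """dynamic maps variable name -> log column; static maps name -> fixed value."""
    if len(dynamic) > MAX_VARS or len(static) > MAX_VARS:
        raise ValueError("at most five dynamic and five static variables")
    values = dict(static)
    for name, column in dynamic.items():
        values[name] = log[column]  # value taken from the clicked log entry
    return values

def substitute(template, values, encode=False):
    """Replace ${name} placeholders; unknown placeholders are left untouched."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)
        value = str(values[name])
        # Assumption: Transcoding is modelled as percent-encoding of the value.
        return quote(value, safe="") if encode else value
    return PLACEHOLDER.sub(repl, template)

# Saved search from the Example section, with its two placeholder variables.
SAVED_SEARCH = ("* and request_method: ${method} and status: ${status2} | "
                "select count(*) as pv, remote_addr as ip,request_method as method "
                "group by ip,method order by ip desc")

# Constructed log entry (not from the page): request_uri has URL metacharacters.
LOG = {"request_method": "GET", "status": "404",
       "request_uri": "/a?x=1&wd=other#frag"}

def saved_search_query():
    values = resolve_variables(LOG, dynamic={"method": "request_method"},
                               static={"status2": "400"})
    return substitute(SAVED_SEARCH, values)

def http_link(encode):
    # Hypothetical link template with request_uri as an optional parameter field.
    return substitute("www.example.com/s?wd=${request_uri}", LOG, encode=encode)

if __name__ == "__main__":
    print(saved_search_query())
    print(http_link(encode=False))  # field value adds a second wd and a fragment
    print(http_link(encode=True))   # field value stays inside the wd parameter
```

Field values such as request_uri are written by whoever sent the request, so the unencoded link can carry parameters that the event's author never configured.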