This topic introduces the terms that are used in Log Service.

Basic resources

Term Description
project A project in Log Service is used to isolate resources of different users and control access to specific resources. For more information, see Project.
Logstore A Logstore in Log Service is used to collect, store, and query log data. For more information, see Logstore.
Metricstore A Metricstore in Log Service is used to collect, store, and query time series data. For more information, see Metricstore.
log Logs are records of changes that occur in a system during the runtime of the system. The records contain information about the operations that are performed on specific objects and the results of the operations. The records are ordered by time. For more information, see Log.
log group A log group is a collection of logs. A log group is the basic unit that is used to write and read logs. Logs in a log group contain the same metadata, such as the IP address and log source. For more information, see Log group.
time series data Time series data is a series of data points that are ordered by time. For more information, see Time series data.
trace data Trace data indicates the execution process of an event or a procedure in a distributed system. For more information, see Trace.
shard A shard is used to control the read and write capacity of a Logstore. In Log Service, data is stored in shards. Each shard has an MD5 hash range, and each range is a left-closed and right-open interval. Each range does not overlap with the ranges of other shards. Each range must be within the entire MD5 hash range [00000000000000000000000000000000,ffffffffffffffffffffffffffffffff). For more information, see Shard.
topic A topic is a basic management unit in Log Service. You can specify topics when you collect logs. This way, Log Service classifies logs by topic. For more information, see Topic.
endpoint An endpoint of Log Service is a URL that is used to access a project and the data of the project. To access the projects in different regions, you must use different endpoints. To access the projects in the same region over an internal network or the Internet, you must also use different endpoints. For more information, see Endpoints.
AccessKey pair An AccessKey pair is an identity credential that consists of an AccessKey ID and an AccessKey secret. The AccessKey ID and AccessKey secret are used for symmetric encryption and identity authentication. The AccessKey ID is used to identify a user. The AccessKey secret is used to encrypt and verify a signature string. The AccessKey secret must be kept confidential. For more information, see AccessKey pair.
region A region is the physical location where a data center of Log Service is deployed. You can specify a region when you create a project. After the project is created, you cannot change the region. For more information, see Supported regions.

Data collection

Term Description
Logtail Logtail is used by Log Service to collect logs. For more information, see Logtail overview.
Logtail configuration A Logtail configuration is a set of policies that are used by Logtail to collect logs. The configuration includes the log source and collection method. For more information, see Logtail configurations.
machine group A machine group is a virtual group that contains multiple servers. Log Service uses machine groups to manage the servers from which you want to collect logs by using Logtail. For more information, see Introduction.

Data query and analysis

Term Description
query You can configure filter conditions in search statements to obtain specific logs. For more information, see Log search overview.
analysis You can invoke SQL functions on query results to perform statistical and analytical operations. You can also obtain analysis results.
query statement A query statement is in the Search statement | Analytic statement format. A search statement can be separately executed. However, an analytic statement must be executed together with a search statement. The log analysis feature is used to analyze search results or all data in the Logstore. For more information, see Query and analysis.
index Indexes are a structure for storage. Indexes are used to sort one or more columns of data. You can query data only after you create indexes for the data. Log Service provides the following two types of indexes:
  • full-text index: Log Service splits an entire log entry into multiple words based on specific delimiters and creates indexes. In a query, the field names and field values are both plaintext.
  • field index: After you create field indexes, you can query log entries by specifying field names and field values in the key:value format.

For more information, see Configure indexes.

Standard SQL The Standard SQL feature is free of charge. It allows you to analyze data by executing SQL statements. The Standard SQL feature provides less resources than the Dedicated SQL feature.

Data transformation

Term Description
domain-specific language (DSL) DSL is a Python-compatible scripting language. DSL is used for data transformation in Log Service. For more information, see Language introduction.
transformation rule A transformation rule is a data transformation script that is orchestrated by using the DSL for Log Service. For more information, see Syntax introduction.

Consumption and shipping

Term Description
consumer group You can use consumer groups to consume data in Log Service. A consumer group consists of multiple consumers. Each consumer consumes different log entries that are stored in a Logstore. For more information, see Use consumer groups to consume log data.

Alerting

Term Description
alert An alert indicates an alert event. If an alert is triggered based on a specific alert monitoring rule, the event is transferred to the notification management system.

Log Service also provides alert-related features, entities, modules, and subsystems, such as the alert monitoring system and alert monitoring rules.

For more information, see The alerting feature of Log Service.

alert monitoring system The alert monitoring system is a subsystem that triggers alerts. The alert monitoring system contains alert monitoring rules and resource data.

An alert monitoring rule is used to periodically monitor and evaluate query and analysis results. If an alert is triggered or cleared, an alert notification or recovery notification is sent to the alert management system based on monitoring rule orchestration.

alert management system The alert management system is a subsystem that denoises alerts and manages alert states. The alert management system contains alert policies, alert incidents, and alert dashboards.

The alert management system processes alerts based on alert policies. For example, the system can dispatch, suppress, deduplicate, silence, or merge alerts. After the alerts are processed, they are sent to the notification management system. The alert management system also allows you to switch incident phases and set handlers for incidents.

notification management system The notification management system is a subsystem that manages notification methods and recipients. The notification management system contains action policies, alert templates, calendars, users, user groups, on-duty groups, and notification method quotas.

The notification management system sends alert notifications to specified recipients by using specified notification methods based on action policies. Recipients can be users, user groups, or on-duty groups. The notification management system also allows you to escalate alerts and customize alert templates.

alert ingestion system The alert ingestion system is a subsystem that ingests external alerts. The alert ingestion system contains alert ingestion services and alert ingestion applications.

Each alert ingestion application provides a webhook to ingest external alerts from external services, such as Zabbix and Prometheus. Recovery notifications can also be ingested, After an external alert is received, the alert is preprocessed and sent to the alert management system for further processing.