Log Service provides the log analysis feature. This feature allows you to search for log data and use SQL functions to analyze the data. This topic describes the syntax and limits of the analytic statements. This topic also provides SQL functions that you can call when you use the log analysis feature.

Note
  • To use the log analysis feature, you must turn on the Enable Analytics switch when you configure indexes for log fields. For more information, see Configure indexes. If you turn on the Enable Analytics switch, you can analyze log data free of charge.
  • Log Service provides reserved fields. For information about how to analyze reserved fields, see Reserved fields.

Syntax

Each query statement consists of a search statement and an analytic statement. The search statement and analytic statement are separated by a vertical bar (|). A search statement can be executed alone. However, an analytic statement must be executed together with a search statement. Log analysis is based on search results or all data in the Logstore.
Note
  • You do not need to specify the FROM or WHERE clause in an analytic statement. By default, all data of the current Logstore is analyzed.
  • You do not need to add a semicolon at the end of an analytic statement to end the statement.
  • Analytic statements are case-insensitive.
  • Syntax 
    Search statement|Analytic statement
    Statement Description
    Search statement A search statement specifies one or more search conditions. A condition can be a keyword, a value, a value range, a space character, or an asterisk (*).

    If you leave the search statement unspecified or specify an asterisk (*) as the search statement, it indicates that no condition is specified and all log data is returned. For more information, see Search syntax.

    Analytic statement An analytic statement is used to aggregate or analyze search results or all data in a Logstore.
  • Example 
    * | SELECT status, count(*) AS PV GROUP BY status

Limits

Item Standard instance
Number of concurrent analytic statements Each project supports a maximum of 15 concurrent analytic statements at a time.

For example, 15 users can execute analytic statements in all Logstores of a project at the same time.

Data volume Each shard supports only 1 GB of data for a single analytic statement.
Method to enable Standard instances are enabled by default.
Resource usage fee Free of charge.
Applicable scope You can analyze only the data that is written to Log Service after the log analysis feature is enabled.

If you want to analyze historical data, you must re-index the historical data. For more information, see Reindex logs for a Logstore.

Returned result After you execute an analytic statement, a maximum of 100 rows of data are returned by default.

If you require more data, use the LIMIT clause. For more information, see LIMIT syntax.

Size of a field value The maximum size of a field value is 16 KB. If the size of a field value exceeds 16 KB, the excess content is not analyzed.
Timeout period The maximum timeout period for a single analytic statement is 55 seconds.
Number of digits that consists of a field value of the double type Each field value of the double type consists of a maximum of 52 digits.

If the number of digits is greater than 52, the accuracy of the field value is compromised.

Analytic functions and syntax

This section lists the Analytic functions and syntax that Log Service supports.

Sample analysis results

The following figure shows a sample dashboard that visualizes the analysis results.

Analysis results