This topic describes how to use Log Service to query and analyze application logs in different scenarios, such as log query, association analysis, and statistical analysis.
Background information
- Inconsistent log style. Application developers have different styles when they develop code. The logs that are generated by different applications have inconsistent styles.
- Large data size. The size of application logs is one order of magnitude larger than that of access logs.
- Multiple distributed servers. Most applications are stateless and run on different frameworks, such as Elastic Compute Service (ECS) and Container Service. These applications may be deployed on a few to thousands of instances. Therefore, a cross-server solution for log collection is required.
- Complex runtime environments. Applications are executed in different environments and relevant logs are stored in different environments. For example, application-related logs are stored in containers, API-related logs are stored in Function Compute, old system logs are stored in data centers, mobile app logs are stored in mobile terminals, and website logs are stored in browsers.
To obtain full logs, all application logs must be stored in the same environment. Log Service provides multiple log collection methods and the log analysis feature. You can analyze logs in real time by using the query statements and SQL-92 syntax. You can also visualize the query results on charts. The cost of the solution that is provided by Log Service is only 25% of the cost of open source solutions.
Query application logs
- You can run the following search statement to query the log entries of requests whose latency is more than 1 second and whose request method starts with Post:
Latency > 1000000 and Method=Post*
- You can run the following search statement to query the log entries whose keywords include error and exclude merge:
error not merge
Perform an association analysis on application logs
Association analysis is classified into intra-process association analysis and cross-process association analysis. The two types have the following differences:
- Intra-process association analysis: The logs of a process are stored in the same log file. In a multi-threaded process, you can filter logs based on thread IDs.
- Cross-process association analysis: The association between multiple processes is unclear. The processes are associated based on the TraceId parameter. The value of the TraceId parameter is automatically generated when you use a remote procedure call (RPC) to send a request.

- Intra-process association analysis
View the associated logs by using the context query feature. You can query an exception log entry by entering a keyword, and then click Context View to view the log entries that are generated before and after the exception log entry. For more information, see Context query. The following figure shows the context query results.
- Cross-process association analysis
The cross-process association analysis feature provides the same capability as tracing tools such as EagleEye, Dapper, StackDriver Trace, Zipkin, Appdash, and X-Ray.
The cross-process analysis feature implements the basic tracing feature based on Log Service. To obtain logs from different Logstores, you can configure log fields that can be associated when you collect logs from different modules, for example, the request_id field and the order_id field. You can use SDKs to query logs that are collected from different modules, such as frontend servers, backend servers, payment systems, and ordering systems. After you obtain the query results, you can create a frontend page to associate the results, as shown in the following figure.
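The association step described above can be sketched as follows. This is an added example, not code from Log Service or its SDKs: it does not call the SDK, the per-Logstore query results are constructed sample data, and the Logstore names, the msg field, and the helper functions correlate and modules_missing are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample query results, one list per Logstore (module).
# Logstore names and the msg field are assumptions for illustration.
RESULTS = {
    "frontend": [
        {"__time__": 1700000000, "request_id": "req-1001", "msg": "POST /checkout received"},
        {"__time__": 1700000005, "request_id": "req-1002", "msg": "GET /cart received"},
    ],
    "ordering": [
        {"__time__": 1700000001, "request_id": "req-1001", "msg": "order created"},
    ],
    "payment": [
        {"__time__": 1700000003, "request_id": "req-1001", "msg": "error: card declined"},
        {"__time__": 1700000004, "msg": "heartbeat"},  # no association field
    ],
}

def correlate(results, key="request_id"):
    """Group entries from all Logstores by the association field and
    order each group by timestamp. Entries that lack the field are
    returned separately so that they are not silently dropped."""
    traces = defaultdict(list)
    orphans = []
    for logstore, entries in results.items():
        for entry in entries:
            record = (int(entry["__time__"]), logstore, entry["msg"])
            value = entry.get(key)
            if value:
                traces[value].append(record)
            else:
                orphans.append(record)
    for records in traces.values():
        records.sort()
    return dict(traces), sorted(orphans)

def modules_missing(trace, expected):
    """Return the expected modules that logged nothing for this request."""
    seen = {logstore for _, logstore, _ in trace}
    return [m for m in expected if m not in seen]

if __name__ == "__main__":
    traces, orphans = correlate(RESULTS)
    for rid, trace in sorted(traces.items()):
        print(rid, "missing:", modules_missing(trace, list(RESULTS)))
        for ts, logstore, msg in trace:
            print(f"  {ts} [{logstore}] {msg}")
    print("entries without request_id:", orphans)
```

A request that appears in some modules but not in others, or entries that carry no request_id at all, usually indicate a module whose collection configuration does not yet emit the association field.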
Perform a statistical analysis on application logs
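After you obtain the query results, you can also perform a statistical analysis on the obtained logs. The following statement counts error-level log entries by source file and line number, and sorts the results by count in descending order: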
__level__:error | select __file__, __line__, count(*) as c group by __file__, __line__ order by c desc

What to do next
- Back up logs.
You can back up the obtained logs to other cloud services such as Object Storage Service (OSS) and MaxCompute.
- Configure alerts.
You can also use Cloud Monitor to configure alerts for the obtained logs.
- Grant permissions.
You can grant permissions to a RAM user or user group to isolate the development environment and the production environment.