This topic describes how to use Log Service to query and analyze application logs in different scenarios, such as log query, association analysis, and statistical analysis.

Background information

Application logs include important statistical information about application operation and maintenance. Application logs have the following features:
  • Inconsistent log style. Application developers have different styles when they develop code. The logs that are generated by different applications have inconsistent styles.
  • Large data size. The size of application logs is one order of magnitude larger than that of access logs.
  • Multiple distributed servers. Most applications are stateless and run on different frameworks, such as Elastic Compute Service (ECS) and Container Service. These applications may be deployed on a few to thousands of instances. Therefore, a cross-server solution for log collection is required.
  • Complex runtime environments. Applications are executed in different environments and relevant logs are stored in different environments. For example, application-related logs are stored in containers, API-related logs are stored in Function Compute, old system logs are stored in data centers, mobile app logs are stored in mobile terminals, and website logs are stored in browsers.

To obtain full logs, all application logs must be stored in the same environment. Log Service provides multiple log collection methods and the log analysis feature. You can analyze logs in real time by using the query statements and SQL-92 syntax. You can also visualize the query results on charts. The cost of the solution that is provided by Log Service is only 25% of the cost of open source solutions.

Query application logs

In this example, an order error or request latency occurs when an application is used. You can use search statements to locate the issue in logs that contain terabytes of data within 1 second. To obtain a precise query result, you can specify a time range and keywords based on your business requirements.
  • You can run the following search statement to query the log entries of requests whose latency is more than 1 second and whose request method starts with Post: 
    Latency > 1000000 and Method=Post*
  • You can run the following search statement to query the log entries whose keywords include error and exclude merge:
    error not merge

Perform an association analysis on application logs

The types of association analysis include the intra-process association analysis and the cross-process association analysis. The two types of association analysis have the following differences:

  • Intra-process association analysis: The logs of a process are stored in the same log file. In a multi-threaded process, you can filter logs based on thread IDs.
  • Cross-process association analysis: The association between multiple processes are unclear. The processes are associated based on the TracerId parameter. The value of the TraceId parameter is automatically generated when you use a remote procedure call (RPC) to send a request.
Association analysis
  • Intra-process association analysis
    View the associated logs by using the context query feature. You can query an exception log entry by entering a keyword, and then click Context View to view the log entries that are obtained before and after the exception log entry. For more information, see Context query. Context view
    The following figure shows the context query results. Context query
  • Cross-process association analysis

    The cross-process association analysis feature has the same feature as tracing tools such as EagleEye, Dapper, StackDriver Trace, Zipkin, Appdash, and X-ray.

    The cross-process analysis feature implements the basic tracing feature based on Log Service. To obtain logs from different Logstores, you can configure log fields that can be associated when you collect logs from different modules, for example, the request_id field and the order_id field. Associated logs
    You can use SDKs to query logs that are collected from different modules, such as frontend servers, backend servers, payment systems, and ordering systems. After you obtain the query results, you can create a frontend page to associate the results, as shown in the following figure. Tracing system

Perform a statistical analysis on application logs

After you obtain the query results, you can also perform a statistical analysis on the obtained logs.

You can run the following query statement to view the statistics of all error types and the distribution of all error locations: 
__level__:error | select __file__, __line__, count(*) as c group by __file__, __line__ order by c desc
Error types and locations

What to do next

  • Back up logs.

    You can back up the obtained logs to other cloud services such as Object Storage Service (OSS) and MaxCompute.

  • Configure alerts.

    You can also use Cloud Monitor to configure alerts for the obtained logs.

  • Grant permissions.

    You can grant permissions to a RAM user or user group to isolate the development environment and the production environment.