Quick analysis

Features

• Allows you to analyze the first 100,000 log entries that are returned for a query.
  Note When you perform a quick analysis during the selected time range, the first 100,000 log entries are returned. If you use a saved search to query all data in a Logstore, you must delete the Limit 100000 clause.
• Groups fields of the TEXT type and provides statistics about the top 10 groups.
• Generates approx_distinct statements for fields of the TEXT type.
• Supports histogram-based statistics about the approximate distribution of fields of the LONG and DOUBLE type.

  Histogram-based statistics groups sampling data and calculates the average value of each group.

• Searches for the maximum, minimum, average, or sum of fields of the LONG and DOUBLE type.
• Generates a query statement based on a quick analysis.

Procedure

1. Log on to the Log Service console.
2. In the Projects section, click a project.
3. On the Log Management > Logstores tab, choose > Search & Analysis.
4. On the Raw Log tab, click the icon of the target field in the column.
   • Provide grouping statistics for fields of the TEXT type and approximate distribution histogram-based statistics for fields of the LONG and DOUBLE type. For more information, see TEXT type or LONG and DOUBLE types.
   • Provide query statements.
     Click the icon next to the target field. You are redirected to the Graph tab. In addition, a query statement for grouping statistics is provided in the search box. The following example is a sample query statement:

     $Search | select ${keyName} , pv, pv *1.0/sum(pv) over() as percentage from( select count(1) as pv , "${keyName}" from (select "${keyName}" from log limit 100000) group by "${keyName}" order by pv desc) order by pv desc limit 10

   • Calculate the number of unique values of a field.

     Click Count Distinct Values under the target field in the Quick Analysis column. You can obtain the number of unique values of the ${keyName} field.

   

TEXT type

The quick analysis feature provides grouping statistics for fields of the TEXT type.

Click the icon next to the target field. The first 100,000 log entries are grouped. The ratios of the top 10 groups are returned. The following example shows a query statement:

$Search | select request_method , pv, pv *1.0/sum(pv) over() as percentage from( select count(1) as pv , "request_method" from (select "request_method" from log limit 100000) group by "request_method" order by pv desc) order by pv desc limit 10

When you set request_method, you can obtain the following result based on grouping statistics. The GET method is the major request method.

LONG and DOUBLE types

• Display approximate distribution by using histograms
  The number of field values of the LONG and DOUBLE types is large. The preceding grouping analytics method is not suitable for the LONG or DOUBLE type. You can use the following statement to assign field values into 10 buckets and display the approximate distribution of the values in a histogram:

  $Search | select numeric_histogram(10, ${keyName})

  The following figure shows the approximate distribution results of the request_time field. This field value distribution shows that most of the request time is distributed around 0.059s.
• Quick analysis by using the Max, Min, Avg, and Sum functions

  You can click Max under a field to search for the maximum value, Min to search for the minimum value, Avg to calculate the average value, and Sum to calculate the sum of the values.