The quick analysis feature of Log Service allows you to perform a query with a single click. You can use this feature to analyze the distribution of a field over a period of time.
Prerequisites
Indexes are configured for specified fields. The analytics switch is turned on for the fields. For more information, see Enable and configure the index feature for a Logstore.
Features
- Allows you to analyze the first 100,000 log entries that are returned for a query.
Note When you perform a quick analysis during the selected time range, the first 100,000 log entries are returned. If you use a saved search to query all data in a Logstore, you must delete the Limit 100000 clause.
- Groups fields of the TEXT type and provides statistics about the top 10 groups.
- Generates approx_distinct statements for fields of the TEXT type.
- Supports histogram-based statistics about the approximate distribution of fields of the LONG and DOUBLE type.
Histogram-based statistics groups sampling data and calculates the average value of each group.
- Searches for the maximum, minimum, average, or sum of fields of the LONG and DOUBLE type.
- Generates a query statement based on a quick analysis.
Procedure
- On the tab, choose
> Search & Analysis. - On the Raw Log tab, click the icon of the target field in the
column.
- Provide grouping statistics for fields of the TEXT type and approximate distribution histogram-based statistics for fields of the LONG and DOUBLE type. For more information, see TEXT type or LONG and DOUBLE types.
- Provide query statements.
Click the
icon next to the target field. You are redirected to the
Graph tab. In addition, a query statement for grouping statistics is provided in the search box. The following example is a sample query statement:
$Search | select ${keyName} , pv, pv *1.0/sum(pv) over() as percentage from( select count(1) as pv , "${keyName}" from (select "${keyName}" from log limit 100000) group by "${keyName}" order by pv desc) order by pv desc limit 10 - Calculate the number of unique values of a field.
Click Count Distinct Values under the target field in the Quick Analysis column. You can obtain the number of unique values of the
${keyName}field.
TEXT type
The quick analysis feature provides grouping statistics for fields of the TEXT type.
icon next to the target field. The first 100,000 log entries are grouped. The ratios of the top 10 groups are returned. The following example shows a query statement:
$Search | select request_method , pv, pv *1.0/sum(pv) over() as percentage from( select count(1) as pv , "request_method" from (select "request_method" from log limit 100000) group by "request_method" order by pv desc) order by pv desc limit 10
LONG and DOUBLE types
- Display approximate distribution by using histograms
The number of field values of the LONG and DOUBLE types is large. The preceding grouping analytics method is not suitable for the LONG or DOUBLE type. You can use the following statement to assign field values into 10 buckets and display the approximate distribution of the values in a histogram:
$Search | select numeric_histogram(10, ${keyName})The following figure shows the approximate distribution results of the request_time field. This field value distribution shows that most of the request time is distributed around 0.059s.
- Quick analysis by using the Max, Min, Avg, and Sum functions
You can click Max under a field to search for the maximum value, Min to search for the minimum value, Avg to calculate the average value, and Sum to calculate the sum of the values.