Query logs - Elasticsearch Instances Management| Alibaba Cloud Documentation Center

Query logs

Edit in GitHub

Last Updated: Jun 01, 2020 Edit in GitHub

This topic describes how to query logs of your Alibaba Cloud Elasticsearch cluster on the Cluster Log, Search Slow Log, Indexing Slow Log, and GC Log tabs of the Logs page. You can enter a keyword and set a time range to search for specific log entries.

Background information

You can query log entries of up to seven consecutive days. By default, the log entries are displayed by time in descending order. The Lucene query syntax is supported. For more information, see Query string syntax.

Note Each query returns up to 10,000 log entries. If the returned log entries do not contain the expected log data, you can specify a time range when you query the log data.

Procedure

This example searches the Elasticsearch cluster log. Log entries are returned if they meet all of these conditions: the content field contains the health keyword, the level field is info, and the host field is 172.16.xx.xx.

Log on to the Alibaba Cloud Elasticsearch console.
In the top navigation bar, select the region where your Alibaba Cloud Elasticsearch cluster resides.
Find the target cluster and click its ID.
In the left-side navigation pane of the cluster details page, click Logs.
On the Logs page, click the Cluster Log tab.
Enter the query string in the search bar.

In this example, the query string is host:172.16.xx.xx AND content:health AND level:info.

Notice AND in the query string must be in uppercase.

Specify a time range and click Search.

Notice

If you do not select an end time, the current system time is specified.
If you do not select a start time, the default start time is the time that is one hour earlier than the end time.

After you click Search, Elasticsearch returns the log entries that match your query string and displays them on the Logs page. The returned log data contains the following information: Time, Node IP, and Content. Log query results

Time: the time when the log entry was generated.
Node IP: the IP address of the node in your Elasticsearch cluster.

Content: includes level, host, time, and content.


Field	Description
`level`	The level of the log entry. Log levels include trace, debug, info, warn, and error. A GC log does not contain the `level` field.
`host`	The IP address of the node in your Elasticsearch cluster. To query the IP address of the node, log on to the Kibana console, click Monitoring in the left-side navigation pane, and then click Nodes in the Elasticsearch section. Note For more information about how to log on to the Kibana console, see Log on to the Kibana console.
`time`	The time when the log entry was generated.
`content`	The content of the log entry.

Configure slow logs

Elasticsearch logs only read and write operations that take between 5 to 10 seconds to complete as slow logs. This mechanism does not help identify problems, such as unbalanced loads, read and write exceptions, and slow data processing. After you create an Elasticsearch cluster, log on to the Kibana console and run the following command to reduce the timestamp precision of the log entry for capturing more logs:

Note For more information about how to log on to the Kibana console, see Log on to the Kibana console.

PUT _settings
{
        "index.indexing.slowlog.threshold.index.debug" : "10ms",
        "index.indexing.slowlog.threshold.index.info" : "50ms",
        "index.indexing.slowlog.threshold.index.warn" : "100ms",
        "index.search.slowlog.threshold.fetch.debug" : "100ms",
        "index.search.slowlog.threshold.fetch.info" : "200ms",
        "index.search.slowlog.threshold.fetch.warn" : "500ms",
        "index.search.slowlog.threshold.query.debug" : "100ms",
        "index.search.slowlog.threshold.query.info" : "200ms",
        "index.search.slowlog.threshold.query.warn" : "1s"
}

After the configuration is complete, if the time to run a read or write task is exceeded, you can query related logs on the Logs page of your cluster.