Query logs - Elasticsearch Instances Management| Alibaba Cloud Documentation Center

Query logs

Edit in GitHub

Last Updated: Oct 28, 2020 Edit in GitHub

Alibaba Cloud Elasticsearch provides the logs of your Elasticsearch cluster. You can view the logs on the Logs page of the Elasticsearch console. This page contains the following tabs: Cluster Log, Search Slow Log, Indexing Slow Log, GC Log, Access Log, and Asynchronous Write Log. You can enter a keyword and specify a time range to search for specific log entries. This topic describes how to query logs and configure slow logs.

Background information

You can query log entries from a maximum of seven consecutive days. By default, the log entries are displayed by time in descending order. The Lucene query syntax is supported. For more information, see Query string syntax.

Note

Alibaba Cloud Elasticsearch can return a maximum of 10,000 log entries for each query. If the returned log entries do not contain the expected log data, you can specify a time range when you query the log data.
The Access Log tab is displayed only for Elasticsearch V6.7.0 clusters of the Standard Edition that use the latest kernel. For more information how to update a kernel, see Update the kernel of a cluster.

Procedure

The following example demonstrates how to search for the log entries of an Elasticsearch cluster. The log entries meet the following conditions: the content field contains the health keyword, the level field is info, and the host field is 172.16.xx.xx.

Log on to the Alibaba Cloud Elasticsearch console.
In the top navigation bar, select the region where your cluster resides.
In the left-side navigation pane, click Elasticsearch Clusters. On the page that appears, find the target cluster and click its ID in the Cluster ID/Name column.
In the left-side navigation pane of the page that appears, click Logs.
On the Cluster Log tab, enter a query string in the search bar.
In this example, the query string is host:172.16.xx.xx AND content:health AND level:info.

Notice AND in the query string must be uppercase.

Select a start time and an end time, and click Search.

Notice

If you do not select an end time, the current system time is specified as the end time.
If you do not select a start time, the default start time is one hour earlier than the end time.

After you click Search, Elasticsearch returns the log entries that match your query string and displays them on the Logs page. The returned log data contains the following information: Time, Node IP, and Content. Log query results

Time: the time when the log entry was generated.
Node IP: the IP address of the node in your Elasticsearch cluster.

Content: consists of level, host, time, and content.


Field	Description
level	The level of the log entry. Log entry levels include trace, debug, info, warn, and error. A GC log entry does not contain the `level` field.
host	The IP address of the node that generates the log entry.
time	The time when the log entry was generated.
content	The content of the log entry.

Configure slow logs

Elasticsearch logs only read and write operations that require 5s to 10s to complete as slow logs. This mechanism does not help identify issues such as unbalanced loads, read and write exceptions, or slow data processing. After you create an Elasticsearch cluster, log on to the Kibana console of the cluster and run the following command to reduce the timestamp precision of log entries. Then, you can capture more logs.

Note For more information about how to log on to the Kibana console, see Log on to the Kibana console.

PUT _settings
{
        "index.indexing.slowlog.threshold.index.debug" : "10ms",
        "index.indexing.slowlog.threshold.index.info" : "50ms",
        "index.indexing.slowlog.threshold.index.warn" : "100ms",
        "index.search.slowlog.threshold.fetch.debug" : "100ms",
        "index.search.slowlog.threshold.fetch.info" : "200ms",
        "index.search.slowlog.threshold.fetch.warn" : "500ms",
        "index.search.slowlog.threshold.query.debug" : "100ms",
        "index.search.slowlog.threshold.query.info" : "200ms",
        "index.search.slowlog.threshold.query.warn" : "1s"
}

After the configuration is completed, if the time to run a read or write task is exceeded, you can query the related logs on the Logs page of your cluster.

References

ListSearchLog