Indexes are used in a storage structure to sort one or more columns of log data. You can query and analyze log data only after you configure indexes. Query and analysis results vary based on index configurations. Therefore, you must configure indexes based on your business requirements. If you configure both full-text indexes and field indexes, the configurations of the field indexes take precedence.

Prerequisites

Logs are collected. For more information, see Log collection methods.
Notice
  • After you enable the indexing feature, you are charged for the index traffic and storage space occupied by indexes. For more information, see Billable items.
  • The indexing feature takes effect only on the log data that is written after you configure indexes. If you want to query and analyze historical data, you must use the reindexing feature. For more information, see Reindex logs for a Logstore.
  • By default, indexes are configured for specific reserved fields in Log Service. For more information, see Reserved fields. No delimiters are specified for the indexes of the __topic__ and __source__ fields. When you search for the fields, only exact match is supported.

Index types

The following table describes the index types supported by Log Service.

Index type Description
Full-text index Log Service splits an entire log into multiple words based on specified delimiters to create indexes. In a search statement, the field names (keys) and field values (values) are both plain text. For example, the search statement error returns the logs that contain the keyword error.
Field index After you configure field indexes, you can specify field names and field values in the Key:Value format to search for logs. For example, the search statement level:error returns the logs whose level field value contains error.

If you want to use the analysis feature, you must configure field indexes and turn on Enable Analytics for the required fields. The analysis feature does not generate index traffic or occupy storage space.

Configure full-text indexes

  1. Log on to the Log Service console.
  2. In the Projects section, click the name of the project that you want to view.
  3. Choose Log Storage > Logstores. On the Logstores tab, click the Logstore that you want to view.
  4. On the page that appears, choose Index Attributes > Attributes.
    If the indexing feature is not enabled, click Enable.
  5. Configure indexes.
    Parameter Description
    LogReduce If you turn on LogReduce, Log Service automatically aggregates text logs that have the same pattern during log collection. This way, you can obtain the overall information about logs. For more information, see LogReduce.
    Full Text Index If you turn on Full Text Index, the full-text indexing feature is enabled.
    Case Sensitive Specifies whether searches are case-sensitive.
    • If you turn on Case Sensitive, searches are case-sensitive. For example, if a log contains internalError, you can search for the log only by using the keyword internalError.
    • If you turn off Case Sensitive, searches are not case-sensitive. For example, if a log contains internalError, you can search for the log by using the keyword INTERNALERROR or internalerror.
    Include Chinese Specifies whether to distinguish between Chinese content and English content in searches.
    • After you turn on Include Chinese, if a log contains Chinese characters, the Chinese content is split based on the Chinese grammar. The English content is split based on specified delimiters.
      Notice When the Chinese content is split, the write speed is reduced. Proceed with caution.
    • If you turn off Include Chinese, all the content in a log is split based on specified delimiters.
    Delimiter The delimiters that are used to split the content of a log into multiple words. Supported delimiters include , '";=()[]{}?@&<>/:\n\t\r. \n indicates a line feed, \t indicates a tab character, and \r indicates a carriage return.
    For example, the content of a log is /url/pic/abc.gif.
    • If you do not specify a delimiter, the log is regarded as a single word /url/pic/abc.gif. You can search for the log only by using the keyword /url/pic/abc.gif or by using /url/pic/* to perform a fuzzy search.
    • If you set the delimiter to a forward slash (/), the content of the log is split into the following three words: url, pic, and abc.gif. You can search for the log by using the keyword url, abc.gif, or /url/pic/abc.gif, or by using pi* to perform a fuzzy search.
    • If you set the delimiter to a forward slash (/) and a period (.), the content of the log is split into the following four words: url, pic, abc, and gif.
  6. If you want to modify the maximum length of a field value, specify the Maximum Statistics Field Length parameter.
    Valid values: 64 to 16384. Unit: bytes Default value: 2048, which is equal to 2 KB.
    Notice If the length of a field value exceeds the value of this parameter, the field value is truncated, and the excess part is not involved in analysis.
  7. Click OK.
    The index configurations take effect within 1 minute.

Configure field indexes

  1. Log on to the Log Service console.
  2. In the Projects section, click the name of the project that you want to view.
  3. Choose Log Storage > Logstores. On the Logstores tab, click the Logstore that you want to view.
  4. On the page that appears, choose Index Attributes > Attributes.
    If the indexing feature is not enabled, click Enable.
  5. In the Search & Analysis panel, configure indexes.
    Parameter Description
    Key Name The name of the log field. Example: client_ip.
    Note
    • If you configure an index for a tag field, you must set the Key Name parameter in the __tag__:KEY format. For example, you can set the parameter to __tag__:__receive_time__. Different tag fields are supported. For example, a tag field can indicate a public IP address or a UNIX timestamp. For more information, see Reserved fields.
    • When you configure an index for a tag field, numeric data types are not supported. You must set the Type parameter for each tag field to text.
    Type The data type of the log field value. Valid values: text, long, double, and json. For more information, see Data types.
    Note If a field is of the long or double type, you cannot configure the Case Sensitive, Include Chinese, or Delimiter parameter.
    Alias The alias of the field. Example: ip.

    An alias is used only in analytic statements. You must use the original field name in search statements. For more information, see Column aliases.

    Case Sensitive Specifies whether searches are case-sensitive.
    • If you turn on Case Sensitive, searches are case-sensitive. For example, if a log contains internalError, you can search for the log only by using the keyword internalError.
    • If you turn off Case Sensitive, searches are not case-sensitive. For example, if a log contains internalError, you can search for the log by using the keyword INTERNALERROR or internalerror.
    Delimiter The delimiters that are used to split the content of a log into multiple words. Supported delimiters include , '";=()[]{}?@&<>/:\n\t\r. \n indicates a line feed, \t indicates a tab character, and \r indicates a carriage return.
    For example, the content of a log is /url/pic/abc.gif.
    • If you do not specify a delimiter, the log is regarded as a single word /url/pic/abc.gif. You can search for the log only by using the keyword /url/pic/abc.gif or by using /url/pic/* to perform a fuzzy search.
    • If you set the delimiter to a forward slash (/), the content of the log is split into the following three words: url, pic, and abc.gif. You can search for the log by using the keyword url, abc.gif, or /url/pic/abc.gif, or by using pi* to perform a fuzzy search.
    • If you set the delimiter to a forward slash (/) and a period (.), the content of the log is split into the following four words: url, pic, abc, and gif.
    Include Chinese Specifies whether to distinguish between Chinese content and English content in searches.
    • After you turn on Include Chinese, if a log contains Chinese characters, the Chinese content is split based on the Chinese grammar. The English content is split based on specified delimiters.
      Notice When the Chinese content is split, the write speed is reduced. Proceed with caution.
    • If you turn off Include Chinese, all the content in a log is split based on specified delimiters.
    Enable Analytics Before you can use the analysis feature, you must turn on Enable Analytics.
  6. If you want to modify the maximum length of a field value, specify the Maximum Statistics Field Length parameter.
    Valid values: 64 to 16384. Unit: bytes Default value: 2048, which is equal to 2 KB.
    Notice If the length of a field value exceeds the value of this parameter, the field value is truncated, and the excess part is not involved in analysis.
  7. Click OK.
    The index configurations take effect within 1 minute.