This topic describes how to query logs in a Logstore.

Prerequisites

Log search and analytics

  1. Log on to the Log Service console.
  2. On the Search & Analysis page, select 15 Minutes in the Relative section to set the time range for the query.
    You can select a relative time or time frame, or customize a time range.
    Note The query results may contain logs that are generated 1 minute earlier or later than the specified time period.
  3. Enter a query statement in the search box.
    A query statement consists of a search statement and an analytic statement in the format of search statement|analytic statement. For more information, see Query and analysis statement format.
  4. Click Search & Analyze to view the query results.

Manage the query results

You can view the query results in a log distribution histogram, on the Raw Logs tab, or by using a chart. You can also configure alerts and saved searches.
Note By default, 100 results are returned. For information about how to obtain more than 100 results, see LIMIT syntax.
  • Log distribution histogram
    The log distribution histogram shows the distribution of query results in different time ranges.
    • Move the pointer over a green rectangle to view the time range that is represented by the rectangle. You can also view the number of log entries that are obtained within the time range.
    • Click a rectangle to view a more fine-grained log distribution. You can also view the query results on the Raw Logs tab.Log distribution histogram
  • Raw Logs tab
    On the Raw Logs tab, you can view the query results. You can perform the following operations:
    • Quick analysis: analyzes the distribution of a field within a period of time. For more information, see Quick analysis.
    • Contextual query: queries the contextual data of the specified log entries in the raw log file. Choose Query Logs - 004 > Context View. A contextual query is performed. For more information, see Perform a context query.
    • LiveTail: monitors log data in real time and extracts key information. Choose Query Logs - 004 > LiveTail. Log monitoring and extraction are performed. For more information, see Use LiveTail to monitor and analyze logs.
      Note LiveTail can monitor and extract the log data that is collected by Logtail.
    • Key-value pair arrangement: displays log entries in key-value pairs. Choose Query Logs - 004 > Warp/Unwarp Key-value Pairs. Log entries are displayed in key-value pairs.
    • Log download: downloads logs. In the upper-right corner of the Raw Logs tab, click the Download logs icon. In the Log Download dialog box, select a download range and tool, and then click OK. Logs are downloaded. For more information, see Export logs.
    • Column settings: sets fields. In the upper-right corner of the Raw Logs tab, click Column Settings. Select fields from the section on the left. Click Add to add the fields to the section on the right. The columns that correspond to the added fields appear on the Raw Logs tab. The field names are column names. The columns list the field values.
      Note To view the log content on the Raw Logs tab, you must select Content.
      Column settings
    • Content column settings: If the content of a field exceeds 3,000 characters, the excess characters are hidden. In this case, the message The character string is too long and has been truncated is displayed in front of the key value. You can click Display Content Column to modify the configurations.
      Note If the content display limit is set to 10,000 characters, excess characters are not delimited.
      Content column settings

      The following table describes the parameters in the Display Content Column dialog box.

      Parameter Description
      Key-Value Pair Arrangement Valid values: New Line and Full Line.
      Hide Default Key-value Pairs If you turn on this switch, the reserved fields of Log Service are hidden.
      Default JSON Data Level The level of JSON expansion.
      Truncate Character String Key The key of the truncated value. By default, a field value is truncated if it contains more than 3,000 characters. The value of this parameter is null if no field values exceed 3,000 characters.
      Status Specifies whether to enable the value truncation feature. By default, the feature is enabled.
      • Enable: If the value length exceeds the specified truncate step, the excess characters are truncated.
      • Disable: If the value length exceeds the specified truncate step, the excess characters are not truncated.
      Truncate Step Specifies the maximum number of characters that can be displayed for a value. This parameter also specifies the number of incremental characters that are displayed each time you click Show.

      Valid values: 500 to 10000. Default value: 3000.
  • Charts
    If you enable analytics when you configure indexes for fields and use query statements to query logs, you can view the analysis results on the Graph tab.
    • Multiple chart types are provided in Log Service, including tables, line charts, and bar charts. You can select a chart type to display the analysis results. For more information, see Chart overview.
    • Log Service allows you to create dashboards for real-time data analysis. You can click Add to New Dashboard to save your query statements as a chart to a specified dashboard. For more information, see Create and delete a dashboard.
    • Drill-down analysis allows you to view deeper analysis results, which reveal more details. You can set the drill-down parameters and add the chart to a dashboard. Click a chart value to trigger a drill-down event. You can view deeper analysis results. For more information, see Configure drill-down analysis for a chart of a Logstore.
  • Alert

    You can click Save as Alert on the Search & Analysis page to create an alert for the query results. For more information, see Configure an alert.

  • Saved search

    You can also click Save Search on the Search & Analysis page to create a saved search. For more information, see Save a query statement as a saved search.