This topic describes how to query logs in a Logstore. You can query and analyze logs in a Logstore in real time after enabling and configuring the index of the Logstore.

Prerequisites

Procedure

  1. Log on to the Log Service console, and then click the target project name.
  2. Click the Logstore management icon icon next to the name of the Logstore, and then select Search & Analysis.
  3. Enter a query statement in the search box.

    A query statement consists of a search statement and an analytic statement in the format of search statement|analytic statement. For more information, see Query and analysis statement format.

  4. On the Search & Analysis page, click 15 Minutes(Relative) to set the time range for the query.
    You can select a relative time or time frame, or customize a time range.
    Note The query results may contain logs that are obtained one minute earlier or later than the specified time range.
    time
  5. Click Query & Analytics to view the query results.
    Query results
    You can view the query results in a log distribution histogram, raw logs, or statistical graphs displayed on the current page.
    Note By default, 100 results are returned. For information about how to obtain more results, see LIMIT syntax.
    • Log distribution histogram
      The log distribution histogram shows the distribution of queried logs in different time ranges.
      • Move the pointer over a green block to view the time range represented by the block and the number of logs obtained within the time range.
      • Click a data block to view finer-grained log distribution. You can also view the log query results on the Raw Logs tab.
      Log distribution histogram
    • Raw Logs
      On the Raw Logs tab, you can view the logs that match your search conditions.
      • Quick analysis: Use this feature to analyze the distribution of a field within a period of time. For more information, see Quick analysis.
      • Log download: Click the download icon in the upper-right corner of the tab, select a download range, and then click OK.
      • Column settings: Click Column Settings in the upper-right corner of the tab, select fields from the section on the left, and then click Add to add the fields to the section on the right. Then, the columns corresponding to the added fields appear on the tab. The field names are also column names. The columns list the field values.
        Note To view the log content on the tab, you must select Content.
        Column settings
      • Content column settings: If the content of a field exceeds 3,000 characters, excess characters will be hidden. In this case, the message "The character string is too long and has been truncated" will be displayed before the Key field. Click Display Content Column. In the dialog box that appears, set the Key-Value Arrangement and Truncate Character String parameters.
        Note If the content limit is set to 10,000 characters, no delimiter will be specified for excess characters.
        Parameter Description
        Key-Value Pair Arrangement You can set this parameter to New Line or Full Line.
        Truncate Character String Key If a field value contains more than 3,000 characters, the field value is truncated. However, this parameter remains unspecified if no field value exceeds 3,000 characters.

        The value of this parameter is the key of the truncated value.
        Status This parameter determines whether to enable the value truncation feature. By default, the feature is enabled.
        • Enable: If the value in a key-value pair exceeds the specified Truncate Step, the excess characters will be truncated. You can click the Show button at the end of the value to show the truncated characters. The increment per click is the specified truncate step.
        • Disable: If the value in the key-value pair exceeds the specified Truncate Step, the excess characters will not be truncated.
        Truncate step This parameter indicates the maximum number of characters that a field value displays by default. The parameter also indicates the number of additional characters displayed each time you click the Show button.

        Value range: 500 to 10000. Default value: 3000.
        Content column settings
    • Graph
      If you have enabled the analytics in index settings and used search and analytic statements to query logs, you can view the analysis results on the Graph tab.
      • Multiple graph types are provided in Log Service, including tables, line charts, and bar charts. You can select a graph type to show the analysis results as needed. For more information, see Graph description.
        Graphs
      • Log Service allows you to create dashboards for real-time data analysis. For more information, see Create and delete a dashboard. You can click Add to New Dashboard to save your query statements as a chart to a specified dashboard.
        Add the chart to a new dashboard
      • Drill-down analysis allows you to move to deeper data layers, which reveals more detailed information. You can set the drill-down parameters and add the chart to the dashboard. Then, you can click the values in the chart to view the analysis results from more dimensions. For more information, see Configure drill-down analysis for a chart of a Logstore.
        Drill-down analysis

    You can also click Save Search or Save as Alarm on the Search & Analysis page to use the saved search and alarm features. For more information, see Save a query statement as a search and Configure an alert.