All Products
Search

This Product

    ActionTrail:Advanced event query

    Document Center

    ActionTrail:Advanced event query

    Last Updated:Jun 10, 2026

    ActionTrail retains events for 90 days by default. To query older events, create a trail to deliver them to Simple Log Service (SLS), Object Storage Service (OSS), or MaxCompute for long-term storage. Then use the advanced query feature to search and analyze your complete event history.

    Prerequisites

    Step 1: Create a trail

    Create a single-account trail and deliver events to Simple Log Service.

    Note

    You can also create a multi-account trail or deliver events to OSS or MaxCompute. Create a single-account trail and Create a multi-account trail.

    1. Log on to the ActionTrail console.

    2. In the left-side navigation pane, click Trails.

    3. In the top navigation bar, select the region for the single-account trail.

      Note

      This region becomes the trail's home region.

    4. On the Trails page, click Create Trail.

    5. On the Create Trail page, configure the trail.

      • In the Basic Information section, set the trail name and the management event type.

        Note

        By default, the trail applies to all regions. We recommend that you set Management Event to All Events to capture all events from all regions. For more information about the parameters, see Create a single-account trail.

      • In the Event Delivery section, configure event delivery to Simple Log Service within the current Alibaba Cloud account.

        Parameter

        Description

        Logstore Region

        The region where the Simple Log Service project is located.

        Project Name

        The name of the project in Simple Log Service.

        Note

        Project names must be globally unique across all Alibaba Cloud accounts.

        • If you select New Log Service Project, ActionTrail creates a project. Enter a project name.

        • If you select Existing Log Service Project, select an existing project in Simple Log Service.

          To create a project in Simple Log Service: Collect and analyze ECS text logs by using Logtail.

    6. Click Confirm.

    Step 2 (Optional): Create a data backfill task

    A trail delivers only events that occur after its creation. To store events from the last 90 days, you must create a data backfill task.

    Note

    To use the data backfill feature, you must submit a ticket to request permissions.

    Create a data backfill task.

    1. In the left-side navigation pane, click Backfill.

    2. In the top navigation bar, select the region for the backfill task.

      Note

      The region must match the trail's home region.

    3. On the Backfill page, click Create Task.

    4. On the Create Task page, select a trail.

      Note

      After you select a trail, the trail region, project region, project name, and Logstore are auto-populated.

    5. Click Confirm.

      After creation, view task details on the Backfill page, including the associated trail, backfill history, delivery status, and timestamps.

    Step 3: Run an advanced query

    1. In the left-side navigation pane, click Trails.

    2. On the Trails page, find the target trail and turn on the switch in the Advanced query column.

    3. On the Default tab of the Custom Template page, set the query conditions.

      • Simple query

        In Simple Mode, set the query conditions as prompted.

      • SQL query

        Turn off the Simple Mode switch and enter your SQL query.

        Note

        • SQL syntax and query examples: SQL syntax for Advanced Event Query.

        • To start from a simple query, set conditions in Simple Mode mode, then turn off the Simple Mode switch. Conditions set in Simple Mode mode are automatically converted into a customizable SQL statement.

    4. Specify a time range and click Run.

      Note

      • By default, ActionTrail queries events from the past seven days.

      • Click Event Alerting on the right to configure an alert for the current query. Create a custom alert rule.

      • Modify the default SQL statement in the system template, then click Save to save it as a custom template.

    5. View the query results.

      • Raw log

        On the Raw Logs tab, find the target event and click View Details in the Actions column to view basic information and JSON details.

      • Histogram

        The Query Histogram tab displays a histogram of the events.

    Next steps

    You can also query or analyze delivered events in these services:

    Related documentation