Log Service allows you to search billions to hundreds of billions of logs in seconds.
Syntax
Each query statement consists of a search statement and an analytic statement. The search statement and the analytic statement are separated with a vertical bar (|). The syntax of search statements is used only in Log Service. For more information, see Search syntax.
Important
- A search statement can be executed alone. However, an analytic statement must be executed together with a search statement. You can use the log analysis feature to analyze the data in search results. You can also use the feature to analyze all data in a Logstore.
- If you want to search tens of billions of logs, you can repeatedly execute a search statement up to 10 times to obtain the complete result. For more information, see What can I do if the "The results are inaccurate" error occurs?.
- Syntax
Search statementAnalytic statementStatement Description Search statement A search statement specifies one or more search conditions and returns the logs that meet the specified conditions. A search statement can be a keyword, a numeric value, a numeric value range, a space, or an asterisk (*). If you specify a space or an asterisk (*) as the search statement, no conditions are used for searching, and all logs are returned. For more information, see Search syntax.
Analytic statement An analytic statement is used to aggregate and compute the data in search results or all data in a Logstore. For more information, see Log analysis overview. - Example
* | SELECT status, count(*) AS PV GROUP BY status
Limits
| Item | Description | Remarks |
|---|---|---|
| Number of keywords | The number of keywords that are used as search conditions. The number of logical operators is not included. You can specify up to 30 keywords in a search statement. | None |
| Size of a field value | The maximum size of a field value is 10 KB. The excess part is not involved in searching. | If the size of a field value is greater than 10 KB, logs may fail to be obtained by using keywords, but the logs are actually stored in the Logstore. |
| Maximum number of concurrent search statements | Each project supports up to 100 concurrent search statements. | For example, 100 users can concurrently execute search statements in all Logstores of a project. |
| Returned result | The returned logs are displayed on multiple pages. Each page displays up to 100 logs. | None |
| Maximum size of a log | Log Service performs the Document Object Model (DOM) operation only on the first 10,000 characters of a log due to browser performance limits. | If a log contains more than 10,000 characters, the following message appears in the Log Service console: The log contains log data of more than 10,000 characters, and some display will be downgraded. |
| Fuzzy search | In a fuzzy search, Log Service matches up to 100 words that meet the specified conditions and returns the logs that meet the search conditions and contain one or more of these words. For more information, see Fuzzy search. | None |
| Data sorting in search results | By default, search results are displayed in descending order of time, which is accurate to minutes. | None |
Operation methods
Important Before you search logs, make sure that logs are collected and indexes are created. Indexes are used in a storage structure to sort one or more columns of log data. For more information, see Create indexes.
- Use the Log Service console
Log on to the Log Service console. On the Search & Analyze page of a Logstore, execute a search statement. For more information, see Query and analyze logs.
- Call API operations
Call the GetLogs or GetHistograms operation to search logs.