Simple Log Service: Search syntax and functions

Last Updated: Oct 16, 2025

Simple Log Service (SLS) lets you execute search statements to query logs stored in a logstore. The search results can be used independently or as input for analytic statements to perform complex data analysis.

Prerequisite

Indexes have been created.

Basic syntax

The search statement and analytic statement are separated with a vertical bar (|). Example:

* | SELECT status, count(*) AS PV GROUP BY status

  • Search statement

    A search statement specifies one or more search conditions. A search condition can be a keyword, a numeric value, a range, or an asterisk (*). Specifying a space or an asterisk (*) matches all logs.

    Important

    Specify up to 30 search conditions in a search statement.

  • Analytic statement

    Important

    You do not need to specify the FROM or WHERE clause in an analytic statement. By default, all data of the current logstore is analyzed. Analytic statements are case-insensitive, do not support offsets, and do not require a trailing semicolon (;).

    An analytic statement is used to aggregate or analyze data in the search results or all data in a logstore. For more information about the functions and syntax supported by SLS for analyzing logs, see the following topics:

Writing process of search statements

To write a search statement, perform the following steps:

Step 1: Select a search type

Important

Query and analysis results vary based on index configurations. If you create full-text indexes and field indexes, the field indexes take precedence.

Searches are classified into full-text searches and field-specific searches based on the index type. The following list describes the differences between full-text searches and field-specific searches:

  • If you create only full-text indexes for your logstore, use only the full-text search syntax to specify query conditions.

  • If you create field indexes for your logstore, the search syntax varies based on the data types of fields.

    • double and long: Use only the field-specific search syntax to specify query conditions.

    • text: If the associated field of a keyword is known and field indexes are created, use the field-specific search syntax for query conditions. If the associated field is unknown, use the full-text search syntax.

      • If full-text indexing is disabled, only full-text searches can be performed on fields that have text indexing enabled individually.

      • If full-text indexes are created, query data from all fields, with all indexed data being of the text type.

Full-text search

Data cannot be queried from a specific field using the full-text search syntax. Full-text search syntax: keywords1 [ [ and | or | not ] keywords2 ] ....

keywords1 specifies the keyword to search for. An asterisk (*) or a question mark (?) can be used in a keyword for fuzzy matching. To combine query conditions, use operators such as and and or.

  • Example 1

    Query logs that contain the GET keyword. Search syntax: GET.

  • Example 2

    Query logs that contain the GET or POST keyword. Search syntax: GET or POST.

  • Example 3

    Query logs that contain a word that starts with Jo followed by a single character, such as Joe and Jon. Search syntax: Jo?.

Field-specific search

When fields are indexed, perform type-specific operations, such as numeric comparisons and regular expression matching.

Important

  • indexname1 specifies the name of the field from which you want to query data. If a proper noun such as a field name or table name contains special characters such as spaces and Chinese characters or syntax keywords such as and and or, you must enclose the proper noun in double quotation marks (""). For more information, see How do I use quotation marks in query statements?

  • If indexes are created for fields of the long or double type, use the following comparison operators: >, >=, <, <=, =, and in.

Search syntax

indexname1 [ : | > | >= | < | <= | = | in ] keyword1 [ [ and | or | not ] indexname2 ... ]

  • Example 1

    Query logs whose request_method field value is GET. Search syntax: request_method: GET.

  • Example 2

    Query logs whose request_time_msec field value is greater than 50. Search syntax: request_time_msec>50. The request_time_msec field is of the double type.

  • Example 3

    Query logs whose request_method field value is GET and request_time_msec field value is greater than 50. Search syntax: request_method: GET and request_time_msec>50.

Step 2: Select a field data type

When writing a search statement, consider the field data types and use the correct operators to efficiently and accurately obtain logs.

Field data types

  • text

    Query data of the string type by setting the data types of related fields to text. By default, if you enable full-text indexing, the data types of all fields in a log except the __time__ field are set to text.

    Supported operators: and, or, not, (), :, "", \, *, and ?.

  • long or double

    Query the value of a field by using a numeric range only if you set the data type of the field to long or double.

    • If you do not set the data type of a field to double or long or the syntax of the numeric range is invalid, SLS performs a full-text search and the search result may be different from the expected result.

      For example, if you execute the owner_id>100 search statement and the data type of the owner_id field is not double or long, logs that contain owner_id, >, and 100 are returned. In this example, the greater-than sign (>) is not a delimiter.

    • If you change the data type of a field from text to double or long, use only the equal-to sign (=) to query data. If you want to use ranges and comparison operators such as the greater-than (>) and less-than (<) signs to query data, you must reindex the data. For more information, see Reindex logs for a logstore.

    Supported operators: and, or, not, (), >, >=, <, <=, =, and in.

  • json

    Set the data type of a field in JSON objects to long, double, or text based on the field value, and turn on Enable Analytics for the field.

    Supported operators: Specify operators based on the data types of the fields in JSON objects.

Operators

Important

  • The letters of the in operator must be in lowercase. Other operators are not case-sensitive.

  • SLS supports the following operators: sort, asc, desc, group by, avg, sum, min, max, and limit. If you want to use these operators as keywords, you must enclose the operators in double quotation marks ("").

  • The following operators are listed in descending order of priority:

    1. Colons (:)

    2. Double quotation marks ("")

    3. Parentheses ()

    4. and and not

    5. or

Operator

Description

:

This operator is used for field-specific searches based on the key:value format. Example: request_method:GET.

If a field name or field value contains special characters such as spaces, colons (:), and hyphens (-), you must enclose the field name or field value in double quotation marks (""). Example: "file info":apsara.

and

The and operator. Example: request_method:GET and status:200.

If multiple keywords are specified without an explicit operator, they are implicitly joined by and. For example, GET 200 cn-shanghai is equivalent to GET and 200 and cn-shanghai.

or

The or operator. Example: request_method:GET or status:200.

not

The not operator. Examples: request_method:GET not status:200; not status:200.

( )

This operator is used to increase the priority of the query conditions that are enclosed in parentheses (). Example: (request_method:GET or request_method:POST) and status:200.

""

This operator is used to enclose a syntax keyword. If a syntax keyword is enclosed in double quotation marks (""), the keyword is treated as a literal string rather than an operator. In a field-specific search, the words that are enclosed in double quotation marks ("") are considered as a whole.

  • If a field name or field value contains special characters such as spaces, Chinese characters, colons (:), and hyphens (-) or syntax keywords such as and and or, you must enclose the field name or field value in double quotation marks (""). For example, "and" returns logs containing the word "and", treating it as a term rather than an operator.

  • If a log is processed by using the data transformation feature or a Logtail plug-in, the key in the __tag__:__client_ip__ field is converted to a common key. If you want to search for the log, you must enclose the name of the __tag__:__client_ip__ field in double quotation marks ("") in the search statement. Example: "__tag__:__client_ip__":192.0.2.1. The __tag__:__client_ip__ field is a reserved field in SLS. The field indicates the IP address of the host from which logs are collected. For more information, see Reserved fields.

\

The escape character. This character is used to escape double quotation marks (""). Double quotation marks ("") can indicate themselves only after they are escaped. For example, if the content of a log is instance_id:nginx"01", execute the instance_id:nginx\"01\" statement to search for the log.

*

The wildcard character, which is used to match zero or more characters. Example: host:www*com.

Note

For performance, wildcard searches do not scan all data. Instead, SLS first finds up to 100 matching terms from the index dictionary and then returns logs containing any of those terms.

?

The wildcard character, which is used to match a single character. Example: host:aliyund?c.

>

This operator is used to query the logs in which the value of a field is greater than a specific numeric value. Example: request_time>100.

>=

This operator is used to query the logs in which the value of a field is greater than or equal to a specific numeric value. Example: request_time>=100.

<

This operator is used to query the logs in which the value of a field is less than a specific numeric value. Example: request_time<100.

<=

This operator is used to query the logs in which the value of a field is less than or equal to a specific numeric value. Example: request_time<=100.

=

This operator is used to query the logs in which the value of a field is equal to a specific numeric value. Equal-signs (=) and colons (:) have the same effect on fields of the double or long type. For example, request_time=100 is equivalent to request_time:100.

in

This operator is used to query the logs in which the value of a field is within a specific numeric range. Brackets [] indicate a closed interval, and parentheses () indicate an open interval. A space is used to separate two numbers in a numeric range. Examples: request_time in [100 200]; request_time in (100 200].

Important

The letters of the in operator must be in lowercase.

__source__

This operator is used to query the logs of a specific log source. Wildcard characters are supported. Example: __source__:192.0.2.*.

Important

The __source__ field is a reserved field in SLS. This field can be abbreviated to source. If you configure a custom source field, the custom field conflicts with the reserved source field in SLS. If you want to search for the custom field, you must use Source or SOURCE in the search statement.

__tag__

This operator is used to query logs by using metadata. Example: __tag__:__receive_time__:1609837139.

__topic__

This operator is used to query the logs of a specific log topic. Example: __topic__:nginx_access_log.

Step 3: Select a match mode

Use exact searches or fuzzy searches based on keywords and your business requirements.

Exact search

Complete words are used for searches.

SLS uses word segmentation to query logs. In an exact search, phrases cannot be completely matched. For example, the abc def search statement returns the logs that contain abc and def. The phrase abc def cannot be completely matched. If you want the abc def phrase to be completely matched, perform a phrase search or use a LIKE clause. For more information, see Phrase search and How do I query logs by using exact match?

Examples:

  • host:example.com: returns the logs in which the host field value contains example.com.

  • PUT and cn-shanghai: returns the logs that contain the PUT and cn-shanghai keywords.

  • * | Select * where http_user_agent like '%like Gecko%': returns the logs in which the http_user_agent field value contains the like Gecko phrase.

  • #"redo_index/1": returns the logs that contain the redo_index/1 phrase.

Fuzzy search

Add an asterisk (*) or a question mark (?) as a wildcard character to the middle or end of a word in a search statement when you perform a fuzzy search. The word must be 1 to 64 characters in length. If a word contains a wildcard character, SLS searches all logs to query 100 words that match the word. Then, SLS returns the logs that contain one or more of the words. If you specify more accurate words, the search result is more accurate.

Important

  • An asterisk (*) or question mark (?) cannot be added at the beginning of a word.

  • The long and double data types do not support asterisks (*) or question marks (?) in fuzzy searches. Specify a numeric range to perform a fuzzy search. Example: status in [200 299].

A fuzzy search is a sample query that uses the following mechanism:

  • If you enable the field indexing feature and specify a field to query logs, SLS obtains random samples from the indexed data of the field and returns results. SLS does not perform full-text scans.

  • If you enable the full-text indexing feature and do not specify a field to query logs, SLS obtains random samples from the indexed data of all fields and returns results. SLS does not perform full-text scans.

Examples:

  • request_time>60 and request_method:Ge*: returns the logs in which the request_time field value is greater than 60 and the request_method field value starts with Ge.

  • addr*: queries 100 words that start with addr in all logs and returns the logs that contain one or more of the words.

  • host:www.yl*: queries 100 words that start with www.yl in the host field values of all logs and returns the logs that contain one or more of the words.

For more information, see How do I query logs by using fuzzy match?

Examples of search statements

If you execute a search statement on different logs based on different index configurations, the statement returns different results. The examples provided in this section are based on the following sample log and index configurations.

text, double and long types

Sample log

An NGINX access log is used as the sample log.

Index configurations

Create indexes before executing a search statement. To check index configurations, perform the following steps:

  1. On the query and analysis page of a logstore, choose Index Attributes > Attributes.

  2. In the Search & Analysis panel, check whether field indexes are configured.

Common search examples

Each entry gives the expected search result, followed by the search statement.

  • Logs that record successful GET requests (status codes: 200 to 299).

    request_method:GET and status in [200 299]

  • Logs for GET requests not originating from the China (Hangzhou) region.

    request_method:GET not region:cn-hangzhou

  • Logs that record GET requests or POST requests.

    request_method:GET or request_method:POST

  • Logs that do not record GET requests.

    not request_method:GET

  • Logs that record successful GET or POST requests.

    (request_method:GET or request_method:POST) and status in [200 299]

  • Logs that record failed GET or POST requests.

    (request_method:GET or request_method:POST) not status in [200 299]

  • Logs that record successful GET requests (status codes: 200 to 299) and in which the request duration is less than 60 seconds.

    request_method:GET and status in [200 299] not request_time>=60

  • Logs in which the request duration is equal to 60 seconds.

    request_time:60

    request_time=60

  • Logs in which the request duration is greater than or equal to 60 seconds and is less than 200 seconds.

    request_time>=60 and request_time<200

    request_time in [60 200)

  • Logs in which the request_time field exists.

    request_time:*

  • Logs in which the request_time field is empty or the field value is an invalid number.

    (request_time:"") or (not request_time > -10000000000)

  • Logs that contain the request_time field and in which the field value is a number.

    request_time > -1000000000

  • Logs that contain and.

    "and"

    Note

    The word and is treated as a literal string, not an operator.

  • Logs in which the request method field value is PUT.

    "request method":PUT

    Important

    The name of the request method field contains spaces. You must enclose the field name in double quotation marks ("") in a search statement.

  • Logs whose topic is HTTPS or HTTP.

    __topic__:HTTPS or __topic__:HTTP

  • Logs that are collected from the 192.0.2.1 host.

    __tag__:__client_ip__:192.0.2.1

    The __tag__:__client_ip__ field is a reserved field in SLS. The field indicates the IP address of the host from which logs are collected. For more information, see Reserved fields.

    Important

    If a log is processed by using the data transformation feature or a Logtail plug-in, the key in the __tag__:__client_ip__ field is converted to a common key. If you want to search for the log, you must enclose the name of the __tag__:__client_ip__ field in double quotation marks ("") in the search statement. Example: "__tag__:__client_ip__":192.0.2.1.

  • Logs whose IP addresses match 192.168.XX.XX.

    * | select * from log where key like '192.168.%.%'

    For more information, see Use the LIKE clause to implement fuzzy match.

  • Logs in which the remote_user field is not empty.

    not remote_user:""

  • Logs in which the remote_user field is empty.

    remote_user:""

  • Logs in which the remote_user field value is not null.

    not remote_user:"null"

  • Logs that do not contain the remote_user field.

    not remote_user:*

  • Logs that contain the remote_user field.

    remote_user:*

  • Logs in which the city field value is not Shanghai.

    not city:Shanghai

    Note

    If you want to query Chinese strings, you must turn on Include Chinese when you configure indexes. For more information, see Create indexes.

Fuzzy search examples

Each entry gives the expected search result, followed by the search statement.

  • Logs that contain specific words. The words start with cn.

    cn*

  • Logs in which the region field value starts with cn.

    region:cn*

  • Logs in which the region field value contains cn*.

    region:"cn*"

    Note

    In this search statement, cn* is a complete string. Examples:

    • If the content of a log is region:cn*,en and the delimiter is a comma (,), SLS splits the log content into region, cn*, and en. Use the search statement to search for the log.

    • If the content of a log is region:cn*hangzhou, SLS considers cn*hangzhou as a whole, making it impossible to search for the log with a search statement.

  • Logs that contain specific words. The words start with mozi, end with la, and include one character between mozi and la.

    mozi?la

  • Logs that contain specific words. The words start with mo, end with la, and include zero or more characters between mo and la.

    mo*la

  • Logs that contain a word that starts with moz and a word that starts with sa.

    moz* and sa*

  • Logs in which the region field value ends with hai.

    A search statement cannot find the logs. Use the LIKE clause in an SQL statement instead. For more information, see Use the LIKE clause to implement fuzzy match.

    * | select * from log where region like '%hai'

  • Logs in which the message field value starts with "get_time: 0..

    Use the like syntax in SQL analysis.

    *| select message where message like '"get_time: 0.%'

    Alternatively, use the where instruction in Structured Process Language (SPL) to filter the logs.

Delimiter-based search examples

SLS splits the content of a log into multiple words based on the delimiters that you specify. The default delimiters are , '";=()[]{}?@&<>/:\n\t\r. If you leave the Delimiter setting empty, SLS treats the entire field value as a single term, searchable only by exact match or fuzzy search on the whole string. For more information about how to specify delimiters, see Create indexes.

For example, the http_user_agent field value is Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 (KHTML, like Gecko) Chrome/192.0.2.0 Safari/537.2.

  • If you leave Delimiter empty, SLS considers the field value as a whole. Logs cannot be searched using the http_user_agent:Chrome search statement.

  • If you set Delimiter to , '";=()[]{}?@&<>/:\n\t\r, SLS splits the field value into Mozilla, 5.0, Windows, NT, 6.1, AppleWebKit, 537.2, KHTML, like, Gecko, Chrome, 192.0.2.0, Safari, and 537.2. Logs can be searched using the http_user_agent:Chrome search statement.

Important

If a search keyword contains delimiters, perform a phrase search or use a LIKE clause. Examples:

  • Phrase search: #"redo_index/1". For more information, see Phrase search.

  • LIKE clause: * | select * from log where key like 'redo_index/1'.
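The following simplified model shows the behaviour described in the fuzzy search and delimiter passages above: terms come from delimiter splitting, a keyword that contains delimiters is segmented as well, and a wildcard is expanded to at most 100 dictionary terms. It is an added example, not SLS code; FieldIndex, split_terms, and the sample values are constructed, and the choice of which 100 terms are used and the and-joining of a segmented keyword are assumptions.

```python
import re

# Default delimiters as listed on the page.
DEFAULT_DELIMITERS = ", '\";=()[]{}?@&<>/:\n\t\r"
MAX_WILDCARD_TERMS = 100  # cap the page gives for wildcard expansion


def split_terms(value, delimiters=DEFAULT_DELIMITERS):
    """Split a field value into terms; an empty delimiter set keeps it whole."""
    if not delimiters:
        return [value] if value else []
    table = str.maketrans({d: "\0" for d in delimiters})
    return [t for t in value.translate(table).split("\0") if t]


class FieldIndex:
    """Toy inverted index for one text field: term -> ids of logs containing it."""

    def __init__(self, delimiters=DEFAULT_DELIMITERS):
        self.delimiters = delimiters
        self.postings = {}

    def add(self, log_id, value):
        for term in split_terms(value, self.delimiters):
            self.postings.setdefault(term, set()).add(log_id)

    def _ids_for(self, word):
        if "*" in word or "?" in word:
            # Wildcards are resolved against the term dictionary, not the raw
            # logs, and only MAX_WILDCARD_TERMS matches are used (assumption:
            # the first ones in sorted order; the page does not say which).
            pattern = re.escape(word).replace(r"\*", ".*").replace(r"\?", ".")
            terms = [t for t in sorted(self.postings)
                     if re.fullmatch(pattern, t, re.DOTALL)]
            terms = terms[:MAX_WILDCARD_TERMS]
        else:
            terms = [word] if word in self.postings else []
        ids = set()
        for term in terms:
            ids |= self.postings[term]
        return ids

    def search(self, keyword):
        """Segment the keyword like the data; every resulting word must be
        present in the log (assumption: the words are joined by and)."""
        keep_wildcards = self.delimiters.replace("?", "").replace("*", "")
        words = split_terms(keyword, keep_wildcards)
        if not words:
            return set()
        result = self._ids_for(words[0])
        for word in words[1:]:
            result &= self._ids_for(word)
        return result


# Constructed samples; the user-agent string is the one quoted on the page.
UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 (KHTML, like Gecko) "
      "Chrome/192.0.2.0 Safari/537.2")


def build(delimiters, values):
    index = FieldIndex(delimiters)
    for log_id, value in enumerate(values):
        index.add(log_id, value)
    return index


def demo():
    split = build(DEFAULT_DELIMITERS,
                  [UA, "redo_index/1 done", "redo_index/2 retry 1"])
    whole = build("", [UA])
    hosts = build(DEFAULT_DELIMITERS,
                  [f"www.yl{n:03d}.example" for n in range(150)])
    return {
        "chrome_with_delimiters": split.search("Chrome"),
        "chrome_without_delimiters": whole.search("Chrome"),
        "whole_value_prefix": whole.search("Mozilla*"),
        # Log 2 holds redo_index/2 and a separate 1, yet it still matches.
        "redo_index/1": split.search("redo_index/1"),
        # 150 logs have a host starting with www.yl; the cap limits the hits.
        "wildcard_hits": len(hosts.search("www.yl*")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For alerting or hunting queries, the last two results are the ones to watch: an exact search on a keyword with delimiters can match unrelated logs, and a broad wildcard can return fewer logs than actually match.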

Each entry gives the expected search result, followed by the search statement.

  • Logs in which the http_user_agent field value contains Chrome.

    http_user_agent:Chrome

  • Logs in which the http_user_agent field value contains Linux and Chrome.

    http_user_agent:Linux and http_user_agent:Chrome

    http_user_agent:"Linux Chrome"

  • Logs in which the http_user_agent field value contains Firefox or Chrome.

    http_user_agent:Firefox or http_user_agent:Chrome

  • Logs in which the request_uri field value contains /request/path-2.

    request_uri:/request/path-2

  • Logs in which the request_uri field value starts with /request and does not contain /file-0.

    request_uri:/request* not request_uri:/file-0

  • Logs in which the redo_index/1 phrase is completely matched.

    • #"redo_index/1"

    • * | select * from log where key like 'redo_index/1'

    Note

    A phrase search or a LIKE clause can be used for an exact match. If you perform an exact search, words such as redo_index and 1 are matched.

Keyword escaping examples

  • Search statements

    Double quotation marks ("") are used to enclose a syntax keyword. If a syntax keyword is enclosed in double quotation marks (""), the keyword is treated as a literal string rather than an operator. In a field-specific search, the words that are enclosed in double quotation marks ("") are considered as a whole.

    • If a field name or field value contains special characters such as spaces, Chinese characters, colons (:), and hyphens (-) or syntax keywords such as and and or, you must enclose the field name or field value in double quotation marks (""). For example, "and" returns logs containing the word "and", treating it as a term rather than an operator.

    • SLS supports the following operators: sort, asc, desc, group by, avg, sum, min, max, and limit. If you want to use these operators as keywords, you must enclose the operators in double quotation marks ("").

    • If a log is processed by using the data transformation feature or a Logtail plug-in, the key in the __tag__:__client_ip__ field is converted to a common key. If you want to search for the log, you must enclose the name of the __tag__:__client_ip__ field in double quotation marks ("") in the search statement. Example: "__tag__:__client_ip__":192.0.2.1. The __tag__:__client_ip__ field is a reserved field in SLS. The field indicates the IP address of the host from which logs are collected. For more information, see Reserved fields.

    Each entry gives the expected search result, followed by the search statement.

    • Logs in which the request method field value contains PUT. The field name contains a space.

      "request method":PUT

    • Logs in which the system error description field value contains DB. The field name includes spaces.

      "system error description":DB*

    • Logs in which the region field contains the string cn*. If the log content is region:cn*,en and the delimiter is a comma (,), it will be split into region, cn*, and en.

      region:"cn*"

    • Logs in which the remote_user field is empty.

      remote_user:""

    • Logs in which the Authorization field value is Bearer 12345, which includes a space.

      "Authorization": "Bearer 12345"

    • Logs in which the errorContent field value contains The body is not valid json string, which includes spaces.

      * | select * where errorContent like '%The body is not valid json string%'

    • Logs that are collected from the 192.0.2.1 host.

      "__tag__:__client_ip__":192.0.2.1

  • Analytic statements

    • If a proper noun such as a field name or table name contains special characters such as spaces, Chinese characters, colons (:), and hyphens (-) or syntax keywords such as and and or, you must enclose the proper noun in double quotation marks ("") in analytic statements.

    • If specific characters represent a string, you must use single quotation marks ('') to enclose the characters in analytic statements. For example, 'status' indicates the status string, and status or "status" indicates the status log field.

    Each entry gives the expected search result, followed by the query and analytic statement.

    • Logs whose IP addresses match 192.168.XX.XX.

      * | select * from log where key like '192.168.%.%'

    • The top 10 longest request durations.

      Column names with spaces must be enclosed in double quotation marks ("").

      * | SELECT max(request_time,10) AS "top 10"

    • The number of logs corresponding to different request statuses.

      The content field is indexed as a JSON type. For more information, see How do I query and analyze an indexed JSON field?

      * | SELECT "content.status", COUNT(*) AS PV GROUP BY "content.status"
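The quoting rules for search statements in the keyword escaping examples above, applied in code that assembles a search statement from values it does not control, so that a quotation mark or keyword inside a value cannot change the query's logic. This is an added example, not code from SLS or its SDK; the function names, the allow-list for unquoted field names, and the choice to reject backslashes and control characters are assumptions.

```python
import math
import re

# Words the page lists as operators or syntax keywords; as terms they need quotes.
RESERVED = {"and", "or", "not", "in", "sort", "asc", "desc", "group", "by",
            "avg", "sum", "min", "max", "limit"}
# Field names that may stay unquoted (assumption: a conservative allow-list).
BARE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*\Z")
COMPARISONS = {">", ">=", "<", "<=", "="}
MAX_CONDITIONS = 30  # limit stated on the page


def quote(text):
    """Enclose text in double quotation marks, escaping embedded ones with \\."""
    if "\\" in text or any(ord(ch) < 0x20 for ch in text):
        # The page documents only the \" escape, so anything else fails closed.
        raise ValueError("backslash or control character in search term")
    return '"' + text.replace('"', '\\"') + '"'


def field_name(name):
    """Leave plain names bare; quote names with special characters or keywords."""
    if BARE_NAME.match(name) and name.lower() not in RESERVED:
        return name
    return quote(name)


def number(value):
    """Render a finite int or float; strings and booleans are refused."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise TypeError("numeric condition needs an int or float")
    if not math.isfinite(value):
        raise ValueError("numeric condition needs a finite number")
    return str(value)


def text_term(field, value):
    """Condition on a text field. The value is always quoted, so wildcards and
    words such as and/or inside it are treated as part of the string."""
    return f"{field_name(field)}:{quote(value)}"


def numeric_term(field, op, value):
    """Comparison on a field indexed as long or double."""
    if op not in COMPARISONS:
        raise ValueError(f"unsupported operator: {op!r}")
    return f"{field_name(field)}{op}{number(value)}"


def range_term(field, low, high, closed_low=True, closed_high=True):
    """Range condition: [ ] is a closed end, ( ) an open end, in is lowercase."""
    left, right = ("[" if closed_low else "("), ("]" if closed_high else ")")
    return f"{field_name(field)} in {left}{number(low)} {number(high)}{right}"


def all_of(*conditions):
    """Join conditions with and, each in parentheses so precedence cannot shift."""
    if not 1 <= len(conditions) <= MAX_CONDITIONS:
        raise ValueError("a search statement takes 1 to 30 conditions")
    return " and ".join(f"({c})" for c in conditions)


# Constructed sample: a user name copied from a ticket, containing a quotation
# mark and syntax keywords.
UNTRUSTED_USER = 'alice" or status:200 or remote_user:"'


def build_statement(user=UNTRUSTED_USER):
    return all_of(
        text_term("remote_user", user),
        range_term("status", 400, 499),
        numeric_term("request_time", ">=", 60),
        text_term("__tag__:__client_ip__", "192.0.2.1"),
    )


if __name__ == "__main__":
    print(build_statement())
```

Quoting keeps a value inside its own condition; it does not turn the match into a phrase match, for which the page points to phrase search or a LIKE clause.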

json type

Sample log

{
  "timestamp": "2025-03-21T14:35:18Z",
  "level": "ERROR",
  "service": {
    "name": "payment-processor",
    "version": "v2.8.1",
    "environment": "production"
  },
  "error": {
    "code": 5031,
    "message": "Failed to connect to third-party API",
    "details": {
      "endpoint": "https://api.paymentgateway.com/v3/verify",
      "attempts": 3,
      "last_response": {
        "status_code": 504,
        "headers": {
          "Content-Type": "application/json",
          "X-RateLimit-Limit": "100"
        }
      }
    }
  },
  "user": {
    "id": "usr-9a2b3c4d",
    "session": {
      "id": "sess-zxy987",
      "device": {
        "type": "mobile",
        "os": "Android 14",
        "network": "4G"
      }
    }
  },
  "trace": {
    "correlation_id": "corr-6f5e4d3c",
    "span_id": "span-00a1b2"
  }
}

Index configurations

Create indexes before executing a search statement. To check index configurations, perform the following steps:

  1. On the query and analysis page of a logstore, choose Index Attributes > Attributes.

  2. In the Search & Analysis panel, check whether field indexes are configured.

Examples

For more query and analysis examples, see Query and analyze JSON logs and FAQ about the query and analysis of JSON logs.

Each entry gives the expected search result, followed by the search statement.

  • Logs that record failed requests.

    level:error

  • Logs that record requests with the usr-9a2b3c4d user ID.

    user.id:usr-9a2b3c4d

  • Logs that record failed requests with the usr-9a2b3c4d user ID and the status code 504.

    user.id:usr-9a2b3c4d and error.details.last_response.status_code :504

FAQ

Cannot find logs

What do I do if no results are returned when I query a log?

JSON log issues

FAQ about the query and analysis of JSON logs

Troubleshoot query errors
