Search syntax and examples - Simple Log Service - Alibaba Cloud Documentation Center

Simple Log Service lets you run a search statement to filter logs. You can use the search results independently or as input to an analytic statement for more complex analysis.

Prerequisites

To query logs, you must create an index.

Basic syntax

Note

SLS Query Skill for intelligent log query and analysis: SLS provides Agent Skill, which lets you use natural language to query and analyze SLS log data in a local AI agent.

Query statements and analytic statements are separated by | in the format query statement|analytic statement. The following is an example:

* | SELECT status, count(*) AS PV GROUP BY status

Statement type

Description

search statement

Specifies the search conditions. Conditions can be keywords, numeric values, numeric ranges, spaces, or an asterisk (*).

If you specify a space or an asterisk (*), no filter is applied.

Important

Specify no more than 30 conditions in a search statement.

analytic statement

Important

You must use an analytic statement with a search statement. You do not need to specify a FROM or WHERE clause in an analytic statement because the service analyzes all data in the current Logstore by default. Analytic statements are case-insensitive, do not support offset, and do not require a trailing semicolon (;).

Performs calculations and statistical analysis on the search results or all data. SLS supports the following analytic functions and syntax:

Writing search queries

To write a query statement:

Step 1: Choose search type

Important

Query and analysis results depend on your index configuration. If you create both a full-text index and field indexes, the field indexes take precedence.

Depending on the index type, Simple Log Service supports two search types for a Logstore: full-text search and field-specific search. The following list describes the differences:

If you create only a full-text index, you must use full-text search.
If you create field indexes, follow these rules:
- For fields of type double or long, you must use the field-specific search syntax.
- For fields of type text: If you know which indexed field contains the keyword, use the field-specific search syntax. If you are unsure which field contains the keyword, use the full-text search syntax.
  - If you do not create a full-text index, the full-text search syntax queries only indexed text fields.
  - If you create a full-text index, the full-text search syntax searches all indexed text fields.

Full-text search

A full-text search does not target a specific field. It supports wildcards (such as * and ?) and logical operators (such as and, or, and not).

Search syntax

 keywords1  [ and | or | not ] keywords2  ...

Examples

Example 1
Search for logs containing the keyword GET. Search syntax: GET.
Example 2
Search for logs containing the keyword GET or POST. Search syntax: GET or POST .
Example 3
Search for logs with keywords starting with Jo, such as Joe and Jon. Search syntax: Jo*.

Field-specific search

A field-specific search targets a specific, indexed field. It supports typed operations, such as numeric comparisons and regular expression matching.

Important

indexname1 is the field name to query. If a field name or other identifier contains special characters (such as spaces or Chinese characters) or search keywords (such as and or or), you must enclose it in double quotation marks (""). For more information, see How do I use quotation marks in search and analytic statements.
For fields indexed as long or double, use comparison operators such as >, >=, <, <=, =, and in.

Search syntax

indexname1 [ : | > | >= | < | <= | = | in ] keyword1 [ [ and | or | not ] indexname2 ... ]

Examples

Example 1
Search for logs where request_method is GET. Search syntax: request_method: GET.
Example 2
Search for logs where request_time_msec is greater than 50 (the field must be indexed as double). Search syntax: request_time_msec>50.
Example 3
Search for logs where request_method is GET and request_time_msec is greater than 50. Search syntax: request_method: GET and request_time_msec>50.

Step 2: Field data types

When writing a search statement, consider the characteristics of each field data type and use the correct operators to find logs efficiently and accurately.

Field data types

Type	Description	Supported operators
text	Represents a string field. After you enable full-text indexing, SLS sets the data type of all fields in a log to text by default, except for the `__time__` field.	`and`, `or`, `not`, `()`, `:`, `""`, `\`, `*`, and `?`.
long and double	To query a field by a numeric range, its data type must be long or double. If a field's data type is not set to double or long, or if the numeric range contains a syntax error, SLS performs a full-text search, which may return unexpected results. For example, if the `owner_id` field is not of the double or long type, the search statement `owner_id>100` returns logs that contain all three terms: `owner_id`, `>` (treated as a term, not a delimiter), and `100`. If you change a field's data type from text to double or long, only equality searches with the `=` operator are supported. To use range operators like greater-than (>) and less-than (<), you must reindex.	`and`, `or`, `not`, `()`, `>`, `>=`, `<`, `<=`, `=`, and `in`.
JSON	For fields within a JSON object, you can set their data type to long, double, or text based on their values and turn on Enable Analytics.	Use operators based on the data type of the fields within the JSON object.

Operators

Important

The in operator must be in lowercase. Other operators are case-insensitive.
SLS reserves the following words for use as operators. To use them as search keywords, you must enclose them in double quotation marks (""): sort, asc, desc, group by, avg, sum, min, max, and limit.
The operators are listed in descending order of precedence:
1. Colon (:)
2. Double quotation marks ("")
3. Parentheses ()
4. and, not
5. or

Operator	Description
`:`	Used for field-specific searches in the Key:Value format. Example: `request_method:GET`. If a field name or value contains special characters such as spaces, colons (:), or hyphens (-), you must enclose the name or value in double quotation marks (""). Example: `"file info":apsara`.
`and`	The `and` operator. Example: `request_method:GET and status:200`. If you specify multiple keywords without a logical operator, the `and` operator is used by default. For example, `GET 200 cn-shanghai` is equivalent to `GET and 200 and cn-shanghai`.
`or`	The `or` operator. Example: `request_method:GET or status:200`.
`not`	The `not` operator. Examples: `request_method:GET not status:200` and `not status:200`.
`( )`	Increases the priority of search conditions within the parentheses. Example: `(request_method:GET or request_method:POST) and status:200`.
`""`	You can enclose a syntax keyword in `""` (double quotes) to convert it into a regular character. In a field query, all words enclosed in `""` are treated as a single phrase. If a field name or value contains special characters (such as spaces, Chinese characters, `:`, or `-`) or syntax keywords (such as `and` or `or`), you must enclose it in `""`. For example, a search for `"and"` finds logs that contain the word "and", which is not treated as an operator. SLS reserves the following words for use as operators. To use them as search keywords, you must enclose them in `""`: `sort`, `asc`, `desc`, `group by`, `avg`, `sum`, `min`, `max`, and `limit`. When logs are processed by data transformation or a Logtail plug-in, the tag key is converted to a standard key. To query this key, you must enclose the field name in `""`. Example: `"__tag__:__client_ip__":192.0.2.1`. The `__tag__:__client_ip__` field is a reserved field in SLS that indicates the IP address of the log collection host. For more information, see reserved field.
`\`	This is the escape character. It escapes a double quotation mark (`""`) so that you can search for it as a literal character. For example, if a log contains `instance_id:nginx"01"`, you can search for it by using the statement `instance_id:nginx\"01\"`.
`*`	A wildcard character that matches zero or more characters. Example: `host:wwwcom`. Note* SLS finds up to 100 matching terms from your logs and then returns all logs that contain these terms and meet the search conditions.
`?`	A wildcard character that matches a single character. Example: `host:aliyund?c`.
`>`	Searches for logs where a field's value is greater than a specified number. Example: `request_time>100`.
`>=`	Searches for logs where a field's value is greater than or equal to a specified number. Example: `request_time>=100`.
`<`	Searches for logs where a field's value is less than a specified number. Example: `request_time<100`.
`<=`	Searches for logs where a field's value is less than or equal to a specified number. Example: `request_time<=100`.
`=`	Searches for logs where a field's value is equal to a specified number. For fields of type double or long, the `=` and `:` operators are equivalent. For example, `request_time=100` is equivalent to `request_time:100`.
`in`	Searches for logs where a field's value is within a specified numeric range. Brackets [] indicate a closed interval (inclusive), and parentheses () indicate an open interval (exclusive). Use a space to separate the two numbers in the range. Examples: `request_time in [100 200]` or `request_time in (100 200]`. Important The `in` operator must be in lowercase.
`__source__`	Searches for logs from a specific log source. Wildcard characters are supported. Example: `__source__:192.0.2.`. Important* In Log Service, __source__ is a reserved field that can be abbreviated as source. If you define a custom field named source, it conflicts with the source reserved field. In this case, you must use a different capitalization, such as Source or SOURCE, to query your custom field.
`__tag__`	Searches for logs using metadata. Example: `__tag__:__receive_time__:1609837139`.
`__topic__`	Searches for logs in a specific log topic. Example: `__topic__:nginx_access_log`.

Step 3: Select a match mode

Choose between an exact search and a fuzzy search based on your keywords and business requirements.

Search type

Description

Example

Exact search

Finds logs that match whole words.

SLS uses word segmentation to process queries. This means a search for a multi-word phrase might not return an exact match. For example, a query for abc def returns logs that contain both the term abc and the term def, but not necessarily as a contiguous phrase. To find an exact match for the phrase abc def, use a phrase search or a LIKE clause. For more information, see Phrase search and How do I query logs using exact match?

host:example.com: Finds logs where the host field contains example.com.
PUT and cn-shanghai: Finds logs that contain both the PUT and cn-shanghai keywords.
* | Select * where http_user_agent like '%like Gecko%': Finds logs where the http_user_agent field value contains the phrase like Gecko.
#"redo_index/1": Finds logs that contain the phrase redo_index/1.

Fuzzy search

To perform a fuzzy search, add a wildcard character, either an asterisk (*) or a question mark (?), to the middle or end of a search term. The term cannot exceed 64 characters. SLS then finds up to 100 matching words and returns all logs that contain them. The more specific your term, the more accurate the results.

Important

Do not use wildcard characters, such as the asterisk (*) or question mark (?), at the beginning of a search term.
Fuzzy searches using wildcards (* or ?) are not supported on fields of long or double data types. Instead, you can search for a range of values, such as status in [200 299].

A fuzzy search is a type of sample query that works as follows:

When field indexing is enabled and you query a specific field, SLS samples data from that field's index instead of performing a full scan. This sampling returns a representative subset of results.
When full-text indexing is enabled and you do not specify a field, SLS samples data from the full-text index. This sampling returns a representative subset of results.

request_time>60 and request_method:Ge*: Finds logs where the request_time field value is greater than 60 and the request_method field value starts with Ge.
addr*: Finds logs that contain any of up to 100 terms starting with addr.
host:www.yl* searches all logs for 100 terms from the values of the host field that start with www.yl, and returns the logs that contain these terms.

For more information, see How do I perform a fuzzy query on logs?

Search statement examples

A search statement returns different results depending on the log content and index configuration. The examples in this topic are based on the following sample log and index configuration.

Text, double, and long types

Sample log

This topic demonstrates common search statements by using an NGINX access log.

日志样例

Index configuration

You must create indexes before you can query logs. To check your index configuration, perform the following steps:

On the query and analysis page of the logstore, select Index Attributes > Attributes.
In the panel that appears, check whether field indexes are configured.

Common search

Goal	Search statement	Debugging
Search for successful GET requests (status code 200–299).	`request_method:GET and status in [200 299]`	Debugging
Search for GET requests from outside the China (Hangzhou) region.	`request_method:GET not region:cn-hangzhou`	None
Search for GET or POST requests.	`request_method:GET or request_method:POST`	Debugging
Search for non-GET requests.	`not request_method:GET`	Debugging
Search for successful GET or POST requests.	`(request_method:GET or request_method:POST) and status in [200 299]`	Debugging
Search for failed GET or POST requests.	`(request_method:GET or request_method:POST) not status in [200 299]`	Debugging
Search for successful GET requests (status code 200–299) with a request time of less than 60 seconds.	`request_method:GET and status in [200 299] not request_time>=60`	Debugging
Search for logs with a request time of 60 seconds.	`request_time:60`	Debugging
Search for logs with a request time of 60 seconds.	`request_time=60`	Debugging
Search for logs where the request time is greater than or equal to 60 seconds and less than 200 seconds.	`request_time>=60 and request_time<200`	Debugging
	`request_time in [60 200)`	Debugging
Search for logs where the request_time field exists.	`request_time:*`	Debugging
Search for logs where the request_time field is empty or contains an invalid number.	`(request_time:"") or (not request_time > -10000000000)`	Debugging
Search for logs that contain the request_time field with a numeric value.	`request_time > -1000000000`	Debugging
Search for logs that contain and.	`"and"` Note The word and is treated as a literal string, not an operator.	Debugging
Search for logs where the value of the request method field is PUT.	`"request method":PUT` Important The field name request method contains a space. You must enclose it in double quotation marks ("").	None
Search for logs whose topic is HTTPS or HTTP.	`__topic__:HTTPS or __topic__:HTTP`	None
Search for logs from the 192.0.2.1 host.	`__tag__:__client_ip__:192.0.2.1` The `__tag__:__client_ip__` field is a reserved field in Log Service that indicates the IP address of the host that collected the logs. For more information, see Reserved fields. Important If a log is processed using data transformation or a Logtail plug-in, the key in the tag is converted to a regular key. To query the log, you must enclose the field name in double quotation marks (""). Example: `"__tag__:__client_ip__":192.0.2.1`.	None
Search for logs that contain `192.168.XX.XX`.	`* \| select * from log where key like '192.168.%.%'` For more information, see Use the SQL LIKE clause for precise fuzzy queries.	None
Search for logs where the remote_user field value is not empty.	`not remote_user:""`	Debugging
Search for logs where the remote_user field value is empty.	`remote_user:""`	Debugging
Search for logs where the remote_user field value is not null.	`not remote_user:"null"`	Debugging
Search for logs that do not contain the remote_user field.	`not remote_user:*`	Debugging
Search for logs that contain the remote_user field.	`remote_user:*`	Debugging
Search for logs where the city field value is not Shanghai.	`not city:Shanghai` Note To query Chinese strings, you must enable include Chinese when you configure indexes. For more information, see Create indexes.	None

Fuzzy search

Goal	Search statement	Debugging
Search for logs that contain words starting with cn.	`cn*`	Debugging
Search for logs where the region field value starts with cn.	`region:cn*`	None
Search for logs where the region field value contains cn*.	`region:"cn"` Note* In this search statement, `cn` is treated as a literal string. For example: If a log contains `region:cn,en` and the delimiter is a comma (,), the content is split into `region`, `cn`, and `en`. This log can be found by using the search statement. If a log contains `region:cnhangzhou`, `cn*hangzhou` is treated as a single term. You cannot find this log by using the search statement.	None
Search for logs that contain a word that starts with "mozi", ends with "la", and has a single character in between.	`mozi?la`	Debugging
Search for logs that contain a word that starts with "mo", ends with "la", and has zero or more characters in between.	`mo*la`	Debugging
Search for logs that contain words starting with "moz" and words starting with "sa".	`moz* and sa*`	Debugging
Search for logs where the region field value ends with "hai".	You cannot find these logs with a search statement. Instead, use the LIKE clause in your SQL analysis. For more information, see Use the SQL LIKE clause for precise fuzzy queries. `\| select from log where region like '%hai'`	None
Search for logs where the message field value starts with `"get_time: 0.`.	Use the like clause in SQL analysis. `\| select message where message like '"get_time: 0.%'` Alternatively, use the where instruction in Structured Process Language (SPL) to filter logs. `\| where message like '"get_time: 0.%'`	None

Search by delimiter

Log Service splits log content into words using the specified delimiters. The default delimiters are , '";=()[]{}?@&<>/:\n\t\r. If you leave the Delimiter setting empty, the field value is treated as a single term. You can find this term only by using an exact or fuzzy search on the entire string. For more information about how to set delimiters, see Create indexes.

For example, the value of the http_user_agent field is Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 (KHTML, like Gecko) Chrome/192.0.2.0 Safari/537.2.

If you set the delimiter to an empty value, the field value is treated as a single token. As a result, you cannot find the log by using the query statement http_user_agent:Chrome.
If you set Delimiter to , '";=()[]{}?@&<>/:\n\t\r, the field value is split into the terms Mozilla, 5.0, Windows, NT, 6.1, AppleWebKit, 537.2, KHTML, like, Gecko, Chrome, 192.0.2.0, Safari, and 537.2. You can find the log by using search statements such as http_user_agent:Chrome.

Important

If a search keyword contains a delimiter, you must use a phrase search or a LIKE clause. For example:

Phrase search: #"redo_index/1". For more information, see Phrase search.
LIKE clause: * | select * from log where key like 'redo_index/1'.

Goal	Search statement	Debugging
Search for logs where the http_user_agent field value contains Chrome.	`http_user_agent:Chrome`	Debugging
Search for logs where the http_user_agent field value contains Linux and Chrome.	`http_user_agent:Linux and http_user_agent:Chrome`	Debugging
	`http_user_agent:"Linux Chrome"`	Debugging
Search for logs where the http_user_agent field value contains Firefox or Chrome.	`http_user_agent:Firefox or http_user_agent:Chrome`	Debugging
Search for logs where the request_uri field value contains /request/path-2.	`request_uri:/request/path-2`	Debugging
Search for logs where the request_uri field value starts with /request but does not contain /file-0.	`request_uri:/request* not request_uri:/file-0`	Debugging
Find an exact match for logs that contain the phrase `redo_index/1`.	`#"redo_index/1"` `* \| select * from log where key like 'redo_index/1'` Note A phrase search or a LIKE clause can provide an exact match for a phrase. A standard exact search matches individual terms such as `redo_index` and `1`.	None

Keyword escaping

In search statements

You can enclose a syntax keyword in "" (double quotes) to convert it into a regular character. In a field query, all words enclosed in "" are treated as a single phrase.

If a field name or value contains special characters (such as spaces, Chinese characters, :, or -) or syntax keywords (such as and or or), you must enclose it in "". For example, a search for "and" finds logs that contain the word "and", which is not treated as an operator.
SLS reserves the following words for use as operators. To use them as search keywords, you must enclose them in "": sort, asc, desc, group by, avg, sum, min, max, and limit.
When logs are processed by data transformation or a Logtail plug-in, the tag key is converted to a standard key. To query this key, you must enclose the field name in "". Example: "__tag__:__client_ip__":192.0.2.1. The __tag__:__client_ip__ field is a reserved field in SLS that indicates the IP address of the log collection host. For more information, see reserved field.

Goal	Search statement
Search for logs where the value of the `request method` field is `PUT`. The field name `request method` contains a space and must be enclosed in double quotation marks ("").	`"request method":PUT`
Search for logs where the `system error description` field value contains `DB`. The field name `system error description` contains spaces.	`"system error description":DB*`
This query finds logs where the `region` field value contains `cn`. Here, `cn` is a string. If the log content is `region:cn,en` and the delimiter is a comma (,), the log content is split into `region`, `cn`, and `en`. You can then use the statement on the right to find this log.	`region:"cn*"`
Search for logs where the `remote_user` field value is empty.	`remote_user:""`
Search for logs where the `Authorization` field value is `Bearer 12345`. The field value `Bearer 12345` contains a space.	`"Authorization": "Bearer 12345"`
Analyze logs where the `errorContent` field value contains `The body is not valid json string`. The field value contains spaces.	`* \| select * where errorContent like '%The body is not valid json string%'`
Search for logs collected from the `192.0.2.1` host.	`"__tag__:__client_ip__":192.0.2.1`

In analytic statements

If a proper noun, such as a field name or table name, contains special characters (such as spaces, Chinese characters, :, or -) or syntax keywords (such as and or or), you must enclose it in double quotation marks ("").
Characters that represent a string must be enclosed in single quotation marks (''). Characters that are not enclosed in quotation marks or are enclosed in double quotation marks ("") represent a field name or column name. For example, 'status' represents the string "status", whereas status or "status" represents the status log field.

Goal	Analytic statement
Search for logs that contain `192.168.XX.XX`.	`* \| select * from log where key like '192.168.%.%'`
Calculate the top 10 request times.	The column name `top 10` contains a space and must be enclosed in double quotation marks (""). `* \| SELECT max(request_time,10) AS "top 10"`
Count the number of logs for each request status.	The `content` field is indexed as a JSON type. For more information, see How to query and analyze an indexed JSON field. `* \| SELECT "content.status", COUNT(*) AS PV GROUP BY "content.status"`

Json type

Sample log

{
  "timestamp": "2025-03-21T14:35:18Z",
  "level": "ERROR",
  "service": {
    "name": "payment-processor",
    "version": "v2.8.1",
    "environment": "production"
  },
  "error": {
    "code": 5031,
    "message": "Failed to connect to third-party API",
    "details": {
      "endpoint": "https://api.paymentgateway.com/v3/verify",
      "attempts": 3,
      "last_response": {
        "status_code": 504,
        "headers": {
          "Content-Type": "application/json",
          "X-RateLimit-Limit": "100"
        }
      }
    }
  },
  "user": {
    "id": "usr-9a2b3c4d",
    "session": {
      "id": "sess-zxy987",
      "device": {
        "type": "mobile",
        "os": "Android 14",
        "network": "4G"
      }
    }
  },
  "trace": {
    "correlation_id": "corr-6f5e4d3c",
    "span_id": "span-00a1b2"
  }
}

Index configuration

You must create indexes before you can query logs. To check your index configuration, perform the following steps:

On the query and analysis page of the logstore, select Index Attributes > Attributes.
In the panel that appears, check whether field indexes are configured.

Examples

Goal	Search statement
Search for logs that record request errors.	`level:error`
Search for all requests from the user whose ID is `usr-9a2b3c4d`.	`user.id:usr-9a2b3c4d`
Search for logs from user `usr-9a2b3c4d` with an error status code of 504.	`user.id:usr-9a2b3c4d and error.details.last_response.status_code :504`

Simple Log Service:Search syntax and functions

Prerequisites

Basic syntax

Writing search queries

Step 1: Choose search type

Full-text search

Search syntax

Examples

Field-specific search

Search syntax

Examples

Step 2: Field data types

Field data types

Operators

Step 3: Select a match mode

Search statement examples

Text, double, and long types

Sample log

Index configuration

Common search

Fuzzy search

Search by delimiter

Keyword escaping

In search statements

In analytic statements

Json type

Sample log

Index configuration

Examples

FAQ

Query returns no logs

JSON log issues

Troubleshoot query errors

Related topics