This topic provides answers to frequently asked questions regarding log queries, including identifying the source machine, querying logs by IP address, using dual conditions for queries, and employing various query methods.
How do I identify the source machine from which logs are collected during a log query?
- When using Logtail for log collection with configurations applied to a machine group, you can differentiate machines by their internal IP addresses if the machine group type is IP address machine group.
- Once indexes are created, Simple Log Service automatically generates an index for the __tag__:__hostname__ field. To query logs, enter __tag__:__hostname__:XXX. For settings and descriptions of the __tag__ field, refer to Reserved fields. For instance, to query the frequency of different hostnames in logs, use the following statement (the field name is enclosed in double quotation marks, because single quotation marks denote a string literal in analytic statements):
  * | select "__tag__:__hostname__", count(1) as count group by "__tag__:__hostname__"
How do I search for logs by an IP address?
- To query logs by an IP address:
  __tag__:__client_ip__:192.0.2.1
- To query logs with IP addresses starting with 192.0.2:
  __source__:192.0.2.*
- To query logs containing 192.168.XX.XX, you can use a regular expression for a fuzzy query. For details, see How do I perform a fuzzy query on logs?
  * | select * from log where key like '192.168.%.%'
How do I use two conditions to query logs?
To query logs using two conditions, specify both statements simultaneously.
For instance, to find logs in a Logstore where the status field does not contain OK or Unknown, simply search for not OK not Unknown to retrieve the relevant logs.
How do I query logs in Simple Log Service?
You can query logs in Simple Log Service using one of the following methods:
- Query logs via the Simple Log Service console. For a step-by-step guide, see Quick guide to query and analyze logs.
- Query logs using an SDK. For more details, refer to Overview of SDK references.
- Query logs using RESTful APIs. For more information, see GetLogs - Query logs in a Logstore.
I can use an SDK to search for logs, but a timeout or a network error occurs when I perform SQL log analysis. What do I do?
A potential cause is the client's network firewall blocking requests containing SQL analysis keywords.
To troubleshoot errors related to the client's network firewall, consider switching the Simple Log Service endpoint to one that begins with HTTPS.
Why are field values truncated when I query and analyze logs?
Below are the limitations on field value lengths retained for query and analysis in Simple Log Service:
- For log queries, the maximum length of a field value is 512 KB (524,288 bytes), with any excess not retained.
- For log analysis, the default maximum length of a field value is 2 KB (2,048 bytes), extendable up to 16 KB (16,384 bytes).
To adjust the maximum length of a field value, set Maximum Length Of Statistical Field (text) between 64 and 16,384 bytes. For more information, see Create indexes.
If a field value exceeds the limit, it is truncated, and the excess is not retained for query or analysis.
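An added example (not from the Simple Log Service documentation or SDK) that checks one log event against the limits above and reports which fields would lose data for analysis or query, which matters before relying on long fields such as user agents or request bodies in detection queries. It assumes lengths are counted as UTF-8 bytes; audit_event, SAMPLE_EVENT and the field names are hypothetical.

```python
# Added example: the limits below are the ones stated in this FAQ.
QUERY_MAX_BYTES = 524_288        # 512 KB retained for log queries
ANALYSIS_DEFAULT_BYTES = 2_048   # default retained for log analysis
ANALYSIS_MIN_BYTES = 64          # lower bound of the index setting
ANALYSIS_MAX_BYTES = 16_384      # upper bound of the index setting


def audit_event(event, analysis_limit=ANALYSIS_DEFAULT_BYTES):
    """Return the fields of one log event that would be truncated.

    Assumption: a value's length is its size in UTF-8 encoded bytes.
    """
    if not ANALYSIS_MIN_BYTES <= analysis_limit <= ANALYSIS_MAX_BYTES:
        raise ValueError("analysis_limit must be between 64 and 16,384 bytes")
    findings = {}
    for field, value in event.items():
        size = len(str(value).encode("utf-8"))
        if size <= analysis_limit:
            continue  # fully retained for both query and analysis
        findings[field] = {
            "bytes": size,
            "lost_for_analysis": size - analysis_limit,
            "lost_for_query": max(0, size - QUERY_MAX_BYTES),
            # True when raising the index setting would keep the whole value
            "fixable_by_setting": size <= ANALYSIS_MAX_BYTES,
        }
    return findings


# Constructed sample event (not real log data).
SAMPLE_EVENT = {
    "status": "OK",
    "user_agent": "A" * 3_000,         # over the 2 KB default, under 16 KB
    "request_body": "\u00e9" * 10_000,  # 2 bytes per character: 20,000 bytes
    "stack_dump": "x" * 600_000,       # over the 512 KB query limit
}

if __name__ == "__main__":
    for name, info in audit_event(SAMPLE_EVENT).items():
        print(name, info)
```

Fields reported with fixable_by_setting set to False stay truncated for analysis even at the 16,384-byte maximum.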
How do I analyze non-indexed fields?
To analyze logs without pre-created indexes or the ability to create them, consider the following solutions:
- Create or reindex
  - To analyze new logs, configure indexes for necessary fields and enable analytics. For guidance, see Create indexes.
  - To analyze historical logs, reindex the required fields and enable analytics. For details, see Reindex.
- Enable scan mode
  If indexing is not an option, activate the scan feature to analyze logs. For more information, consult Scan analysis syntax and Scan logs.
How do I modify the number of rows in the output of an SQL query statement?
When executing a query analysis statement, Simple Log Service appends limit 100 by default. To change the number of rows returned, use the LIMIT clause. For more details, see LIMIT clause.