
Simple Log Service: FAQ about query and analysis

Last Updated: Jan 06, 2025

This topic provides answers to frequently asked questions regarding log queries, including identifying the source machine, querying logs by IP address, using dual conditions for queries, and employing various query methods.

How do I identify the source machine from which logs are collected during a log query?

  • When using Logtail for log collection with configurations applied to a machine group, you can differentiate machines by their internal IP addresses if the machine group type is IP address machine group.

  • Once indexes are created, Simple Log Service automatically generates an index for the __tag__:__hostname__ field. To query logs, enter __tag__:__hostname__:XXX. For settings and descriptions of the __tag__ field, refer to Reserved fields. For instance, to query the frequency of different hostnames in logs, use the following statement:

    * | select "__tag__:__hostname__" , count(1) as count group by "__tag__:__hostname__"

How do I search for logs by an IP address?

  • To query logs by an IP address:

    __tag__:__client_ip__:192.0.2.1
  • To query logs with IP addresses starting with 192.0.2:

    __source__:192.0.2.*
  • To query logs containing 192.168.XX.XX, you can use a fuzzy query with the LIKE operator. For details, see How do I perform a fuzzy query on logs?

    * | select * from log where key like '192.168.%.%'

How do I use two conditions to query logs?

To query logs using two conditions, specify both conditions in the same search statement.

For instance, to find logs in a Logstore where the status field does not contain OK or Unknown, simply search for not OK not Unknown to retrieve the relevant logs.

How do I query logs in Simple Log Service?

You can query logs in Simple Log Service using one of the following methods:

I can use an SDK to search for logs, but a timeout or a network error occurs when I perform SQL log analysis. What do I do?

A potential cause is the client's network firewall blocking requests containing SQL analysis keywords.

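To troubleshoot errors related to the client's network firewall, consider switching the Simple Log Service endpoint to one that begins with HTTPS. The request is then encrypted in transit, so a firewall that inspects plaintext HTTP traffic no longer sees the SQL analysis keywords.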

Why are field values truncated when I query and analyze logs?

Below are the limitations on field value lengths retained for query and analysis in Simple Log Service:

  • For log queries, the maximum length of a field value is 512 KB (524,288 bytes), with any excess not retained.

  • For log analysis, the default maximum length of a field value is 2 KB (2,048 bytes), extendable up to 16 KB (16,384 bytes).

    To adjust the maximum length of a field value, set Maximum Length Of Statistical Field (text) between 64 and 16,384 bytes. For more information, see Create indexes.

If a field value exceeds the limit, it is truncated, and the excess is not retained for query or analysis.
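A field that is truncated for analysis can still be intact for search, which matters when a detection query looks for a token near the end of a long value. The following Python check applies the limits above to a record before it is shipped; it is an added example, not part of the original documentation, and the function names, the sample record and the assumption that lengths are counted in UTF-8 bytes are its own.

```python
QUERY_MAX = 512 * 1024        # bytes retained for log queries (from the page)
ANALYSIS_DEFAULT = 2048       # default bytes retained for analysis (from the page)
ANALYSIS_RANGE = (64, 16384)  # allowed range of the per-field setting (from the page)


def retained(value, limit):
    """Return the part of value that fits in `limit` UTF-8 bytes.

    Assumption: truncation is by encoded byte length; a multi-byte
    character split by the cut is dropped here.
    """
    return value.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def truncation_report(record, analysis_limits=None):
    """Map each over-limit field to the bytes lost for query and for analysis."""
    analysis_limits = analysis_limits or {}
    report = {}
    for field, value in record.items():
        limit = analysis_limits.get(field, ANALYSIS_DEFAULT)
        if not ANALYSIS_RANGE[0] <= limit <= ANALYSIS_RANGE[1]:
            raise ValueError(f"{field}: analysis limit {limit} outside 64..16384 bytes")
        size = len(value.encode("utf-8"))
        lost_query = max(0, size - QUERY_MAX)
        lost_analysis = max(0, size - limit)
        if lost_query or lost_analysis:
            report[field] = {"bytes": size, "lost_for_query": lost_query,
                             "lost_for_analysis": lost_analysis}
    return report


# Constructed sample record: the interesting token sits at the end of a long field.
SAMPLE = {
    "status": "OK",
    "request_uri": "/search?q=" + "a" * 3000 + "&marker=TAIL",
    "body": "é" * 300000,  # 600,000 bytes in UTF-8, over the 512 KB query limit
}

if __name__ == "__main__":
    for name, info in truncation_report(SAMPLE).items():
        print(name, info)
    uri = SAMPLE["request_uri"]
    print("marker kept at default 2 KB:", "TAIL" in retained(uri, ANALYSIS_DEFAULT))
    print("marker kept at 16 KB:", "TAIL" in retained(uri, 16384))
```

Fields reported with a non-zero lost_for_analysis are candidates for a larger Maximum Length Of Statistical Field (text) value, up to the 16,384-byte ceiling.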

How do I analyze non-indexed fields?

To analyze logs without pre-created indexes or the ability to create them, consider the following solutions:

  • Create indexes or reindex

    • To analyze new logs, configure indexes for necessary fields and enable analytics. For guidance, see Create indexes.

    • To analyze historical logs, reindex the required fields and enable analytics. For details, see Reindex.

  • Enable scan mode

    If indexing is not an option, activate the scan feature to analyze logs. For more information, consult Scan analysis syntax and Scan logs.

How do I modify the number of rows in the output of an SQL query statement?

When executing a query analysis statement, Simple Log Service appends limit 100 by default. To change the number of rows returned, use the LIMIT clause. For more details, see LIMIT clause.