All Products
Search

This Product

    Log Service:Query and analyze logs

    Document Center

    Log Service:Query and analyze logs

    Last Updated:Nov 21, 2023

    After you create indexes for a Logstore, you can query and analyze the logs that are collected and stored in the Logstore on the query and analysis page in real time.

    Prerequisites

    • Logs are collected. For more information, see Data collection overview.

      Important Before you can analyze logs, you must store the logs in a Standard Logstore. For more information, see Manage a Logstore.

    • Indexes are created. For more information, see Create indexes.

      If you want to analyze logs, you must create field indexes and turn on Enable Analytics for the fields in the logs.

    Procedure

    1. Log on to the Simple Log Service console.

    2. In the Projects section, click the project that you want to manage.

    3. On the Log Storage > Logstores tab, click the Logstore that you want to manage.

    4. Enter a query statement in the search box.

      A query statement consists of a search statement and an analytic statement in the Search statement|Analytic statement format. For more information, see Search syntax and SQL syntax.

    5. Click Last 15 Minutes to specify a query time range.

      You can also specify a closed interval in an analytic statement by using the __time__ field. Example: * | SELECT * FROM log WHERE __time__>1558013658 AND __time__< 1558013660. The time range that you specify by using one of the preceding methods is accurate to the minute. The query and analysis results may contain logs that are generated 1 minute earlier or later than the specified time range.

      Important

      • To ensure that full data can be queried, you must specify a query time range that is accurate to the minute.

      • If you specify a time range in an analytic statement, the time range is used for query and analysis.

      If you want to specify a time range that is accurate to the second, you must use the from_unixtime or to_unixtime function in your analytic statement to convert the time format. For more information about the functions, see from_unixtime function and to_unixtime function. Examples:

      • * | SELECT * FROM log WHERE from_unixtime(__time__) > from_unixtime(1664186624) AND from_unixtime(__time__) < now()

      • * | SELECT * FROM log WHERE __time__ > to_unixtime(date_parse('2022-10-19 15:46:05', '%Y-%m-%d %H:%i:%s')) AND __time__ < to_unixtime(now())

    Manage query and analysis results

    Simple Log Service displays query and analysis results in the Query Result Histogram section, on the Raw Logs tab, and on the Graph tab. You can perform different operations on the results. For example, you can configure alerts and create saved searches.

    Important

    By default, only 100 lines of data are returned after you execute a query statement. To increase the number of lines of data that are returned, you can use a LIMIT clause. For more information, see LIMIT clause.

    • Query Result Histogram

      The Query Result Histogram section displays the distribution of returned logs in different periods of time. 分布直方图

      • When you move the pointer over a green rectangle, you can view the period of time that is represented by the rectangle and the number of returned logs within the period.

      • If you double click a green rectangle, you can view log distribution at a finer-grained level. You can also view the returned logs within the specified period of time on the Raw Logs tab.

    • Raw Logs

      The Raw Logs tab displays the logs that are returned. You can click the Table or Raw Data tab to view the logs. 原始日志

      • Quick Analysis: You can analyze the distribution of a field within a period of time. For more information, see Quick analysis.

      • Context query: On the Raw Data tab, you can find a log and click the 查询日志-004 icon to query the context information of the log in the raw log file. For more information, see Contextual query.

        Important

        You can perform contextual query only on the logs that are collected by Logtail.

      • LiveTail: On the Raw Data tab, you can find a log and click the LiveTail icon to monitor logs in real time and extract important information from the logs. For more information, see LiveTail.

        Important

        You can use LiveTail only on the logs that are collected by Logtail.

      • Tag Settings: On the Raw Logs tab, choose image.png > Tag Settings. In the Tag Configurations dialog box, you can turn on Set as Tag for the required fields to hide less important fields.Tag

      • Column Settings: On the Raw Logs tab, choose image.png > Displayed Field/Column Settings. In the Field/Column Settings dialog box, you can specify the columns that you want to display in the table. The column names are field names, and the column content is field values. 列设置

      • JSON Configurations: On the Raw Logs tab, choose image.png > JSON Configurations. In the JSON Configurations dialog box, you can specify the level for JSON expansion.

      • Event Settings: On the Raw Logs tab, choose image.png > Event Settings. In the Advanced Event Settings dialog box, you can configure events for raw logs. For more information, see Configure events.

      • Download Log: On the Raw Logs tab, click the 下载日志 icon to download logs. You can specify the tool that is used to download logs and the range of logs to download. For more information, see Download logs.

    • Graph

      After you execute a query statement, you can view the query and analysis results on the Graph tab.

      • View query and analysis results: Simple Log Service renders the results of the query statement to charts. Simple Log Service provides various types of charts, such as tables, line charts, and column charts. Simple Log Service provides two versions of charts: Pro and Standard. For more information, see Overview of charts (Pro) and Chart overview.

      • Add a chart to a dashboard: Simple Log Service provides dashboards on which you can analyze data in real time. You can click Add to New Dashboard to save the query and analysis results as a chart to a dashboard. For more information, see Overview of visualization.

      • Configure interactive occurrences: Interactive occurrences are important for data analysis. You can use interactive occurrences to switch between the levels of data dimensions and the analysis granularities to obtain more detailed information. For more information, see Interactive occurrences.

      • Create a Scheduled SQL job: Simple Log Service provides the Scheduled SQL feature. You can use the feature to automatically analyze data on a regular basis and aggregate data for storage. You can also use the feature to project and filter data. For more information, see Scheduled SQL.

    • LogReduce

      On the LogReduce tab, you can click Enable LogReduce to cluster similar logs during log collection. For more information, see LogReduce.

    • Save as Alert

      On the query and analysis page, you can click the 另存为告警 icon to configure alerts based on the query and analysis results. For more information, see Configure an alert monitoring rule in Simple Log Service.

    • Save Search

      On the query and analysis page, you can click the 快速查询 icon to save a query statement as a saved search. For more information, see Saved search.

    • Share

      On the query and analysis page, you can click the image.png icon to copy the link to the page and share the link with other users.