SLS query FAQ, identify source machine, search IP address, multi-condition query, field truncation, non-indexed fields - Simple Log Service

Answers common questions about log queries in Simple Log Service, such as identifying source machines, searching IP addresses, querying with multiple conditions, and handling field value truncation.

Identify the source machine of a log

Logtail configurations are applied to a machine group. If the machine group is an IP address-based machine group, use internal IP addresses to distinguish machines.
After you create an index, Simple Log Service indexes __tag__:__hostname__ by default. Query by entering __tag__:__hostname__:XXX. The __tag__ field is a reserved field. Example: count occurrences of each hostname.
```
* | select '__tag__:__hostname__' , count(1) as count group by '__tag__:__hostname__'
```

Search for IP addresses in logs

To query a specific IP address:
```
__tag__:__client_ip__:192.0.2.1
```
To query logs from IP addresses that start with 192.0.2:
```
__source__:192.0.2.*
```
To query logs containing an IP address matching 192.168.XX.XX. You can also use regular expressions for a fuzzy query.
```
* | select * from log where key like '192.168.%.%'
```

Query with multiple conditions

Combine query statements to filter with multiple conditions.

For example, to exclude logs with status OK or Unknown, search for not OK not Unknown.

Log query methods

Simple Log Service supports three log query methods:

Query and analyze logs in the console. Quick start for query and analysis.
Query logs by using an SDK. SDK reference overview.
Query logs by using the RESTful API. Query logs in a Logstore.

Troubleshoot SQL analysis timeout or failure

A network firewall on the client side may block requests containing SQL analysis keywords.

Try switching the service endpoint to HTTPS.

Field value truncation

Simple Log Service limits field value length as follows:

For queries, the maximum field value length is 512 KB (524,288 bytes). Content beyond this limit is excluded from query results.
For analysis, the default maximum field value length is 2 KB (2,048 bytes), configurable up to 16 KB (16,384 bytes).

Set the maximum length for a field

This change applies only to new log data. Existing data is not affected.

Log on to the Simple Log Service console.
In the Projects section, click the one you want.
On the Log Storage > Logstores tab, click the logstore you want.
Click Query & Analysis > Properties.
At the bottom of the Query & Analysis page, set Maximum Length for Statistical Fields (text) to a value between 64 and 16,384 bytes.

Analyze non-indexed fields

To analyze a non-indexed field, use one of the following methods:

Create or reindex data
- To analyze new logs, create an index for the target field and enable statistics.
- To analyze historical logs, reindex the data and enable statistics.
Enable scan mode

If you cannot create an index, use scan-based analysis to query logs without indexes. Scan logs.

Change the number of returned rows

Simple Log Service appends limit 100 by default. Use the LIMIT clause to change the number of returned rows.