
Logs cannot be queried

Last Updated: Apr 19, 2018

If logs cannot be queried in Log Service, troubleshoot the problem as follows.

Troubleshoot the problem

1. Logs are not collected successfully

Logs cannot be queried if they have not been collected to Log Service. Check whether logs exist on the preview page. If they do, the logs have been collected to Log Service and we recommend that you look for other causes. If not, the logs may not have been collected for any of the following reasons:

  • The log source does not generate logs.

    No log is shipped to Log Service if the log source does not generate logs. Check your log source.

  • The machine group does not have a heartbeat.

    Check in the Machine Group Status dialog box whether the machine has a heartbeat. If not, see Logtail heartbeat error.

  • The monitored file is not written in real time.

    If the monitored file is written in real time, open the file /usr/local/ilogtail/ilogtail.LOG to view the error message. Common errors are as follows:

    • parse delimiter log fail: An error occurred when collecting logs by using delimiters.
    • parse regex log fail: An error occurred when collecting logs by using a regular expression.

2. Incorrect token settings

Check whether the keyword you are querying is one of the terms produced when the log is segmented by the configured tokens. For example, if the tokens are ,;=()[]{}?@&<>/:' (the default), a log that contains abc”defg,hij is segmented into two parts: abc”defg and hij. Therefore, you cannot query this log by using abc.

Fuzzy query is also supported. For more information about the query syntax, see Query syntax.

Note:

  • To reduce your index costs, Log Service optimizes the index and configures the key/value index keys, without using the full text index. Assume that you configure the key/value index, add a space as a token (add the space in the middle of the token string), and have a log that contains a key named message. The log message: this is a test message can be queried by using the key:value format message:this, but cannot be queried by using this directly, because you have configured the key/value index keys without the full text index.
  • Creating an index or changing an existing index only works for new data.

You can check if the configured tokens meet the requirements in the Index Attributes.
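
The segmentation and key/value index behaviour described in this section, as an added example that is not Log Service's own code: a simplified Python model that assumes exact-term matching. The function names and the token string with a space added in the middle are constructed for illustration.

```python
# Simplified model of token-based indexing (illustration only, not Log Service code).
import re

DEFAULT_TOKENS = ",;=()[]{}?@&<>/:'"    # default token string quoted on this page
KV_TOKENS = ",;=()[]{}?@ &<>/:'"        # constructed: same string with a space in the middle
SAMPLE_LOG = "abc\u201ddefg,hij"        # the page's sample log; \u201d is its quote character


def segment(text, tokens=DEFAULT_TOKENS):
    """Split text at every token character and drop empty pieces."""
    return [t for t in re.split("[" + re.escape(tokens) + "]", text) if t]


def build_index(log, kv_keys, kv_tokens, full_text_tokens=None):
    """Index one log (dict). full_text_tokens=None means no full text index."""
    index = {"kv": {}, "full_text": set()}
    for key, value in log.items():
        if key in kv_keys:
            index["kv"][key] = set(segment(value, kv_tokens))
        if full_text_tokens is not None:
            index["full_text"].update(segment(value, full_text_tokens))
    return index


def matches(index, query):
    """Exact-term match: 'key:term' uses the key/value index, a bare term the full text index."""
    if ":" in query:
        key, term = query.split(":", 1)
        return term in index["kv"].get(key, set())
    return query in index["full_text"]


if __name__ == "__main__":
    print(segment(SAMPLE_LOG))               # 'abc' is not a term of its own
    log = {"message": "this is a test message"}
    kv_only = build_index(log, {"message"}, KV_TOKENS)
    print(matches(kv_only, "message:this"))  # answered by the key/value index
    print(matches(kv_only, "this"))          # no full text index, so no match
    both = build_index(log, {"message"}, KV_TOKENS, full_text_tokens=KV_TOKENS)
    print(matches(both, "this"))             # full text index enabled
```

Without the space in the token string, the whole value of message is a single term, so message:this does not match either.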

3. Other reasons

If logs are generated, first modify the time range for the query. In addition, the log preview function provides data in real time, but the query function has a latency of up to one minute, so wait one minute after logs are generated and then query the logs again.

If the problem persists, open a ticket.
