本文為您提供日誌資料分析的一些案例。
5分鐘錯誤率超過40%時觸發警示
統計每分鐘的500錯誤率,當最近5分鐘錯誤率超過40%時觸發警示。
status:500 | select __topic__, max_by(error_count,window_time)/1.0/sum(error_count) as error_ratio, sum(error_count) as total_error from (
select __topic__, count(*) as error_count , __time__ - __time__ % 300 as window_time from log group by __topic__, window_time
)
group by __topic__ having max_by(error_count,window_time)/1.0/sum(error_count) > 0.4 and sum(error_count) > 500 order by total_error desc limit 100統計流量並設定警示
統計每分鐘的流量,當最近的流量出現暴跌時,觸發警示。 由於在最近的一分鐘內,統計的資料不是一個完整分鐘的,所以需要除以greatest(max(__time__) - min(__time__),1)進行歸一化,統計每個分鐘內的流量均值。
* | SELECT SUM(inflow) / greatest(max(__time__) - min(__time__),1) as inflow_per_minute, date_trunc('minute',__time__) as minute group by minute計算不同資料區間的平均延時
按照資料區間分桶,在每個桶內計算平均延時。
* | select avg(latency) as latency , case when originSize < 5000 then 's1' when originSize < 20000 then 's2' when originSize < 500000 then 's3' when originSize < 100000000 then 's4' else 's5' end as os group by os返回不同結果的百分比
返回不同部門的count結果,及其所佔百分比。該query結合了子查詢、視窗函數。其中sum(c) over()表示計算所有行的和。
* | select department, c*1.0/ sum(c) over () from(select count(1) as c, department from log group by department)統計滿足條件的個數
在URL路徑中,我們需要根據URL不同的特徵來計數,這種情況可以使用CASE WHEN文法,但還有個更簡單的文法是count_if。
* | select count_if(uri like '%login') as login_num, count_if(uri like '%register') as register_num, date_format(date_trunc('minute', __time__), '%m-%d %H:%i') as time group by time order by time limit 100通用彙總分析
用戶端PV全球分布
通過ip_to_country函數擷取IP所在國家,然後根據ip_country彙總,計算每個國家的用戶端數量, 您可以通過配置世界地圖可視化展示資料。
* |
select
ip_to_country(client_ip) as ip_country,
count(*) as pv
group by
ip_country
order by
pv desc
limit
500要求方法分類PV趨勢
時間按照分鐘對齊,然後與request_method一起分組彙總計算pv,按照時間進行排序,您可以使用線圖,配置x軸為t,y軸為pv,彙總列為request_method,可視化展示資料。
* |
select
date_format(date_trunc('minute', __time__), '%m-%d %H:%i') as t,
request_method,
count(*) as pv
group by
t,
request_method
order by
t asc
limit
10000http_user_agent請求PV分布
通過http_user_agent分組彙總,然後查詢出各個代理的請求以及返回用戶端流量的總和。由於單位是byte,運算轉為MB並保留兩位小數,再使用case when為status分層,分為2xx、3xx、4xx、5xx以及各層所佔的比例。您可以使用基礎資料表格可視化展示資料。
* |
select
http_user_agent as "使用者代理程式",
count(*) as pv,
round(sum(request_length) / 1024.0 / 1024, 2) as "請求報文流量(MB)",
round(sum(body_bytes_sent) / 1024.0 / 1024, 2) as "返回用戶端流量(MB)",
round(
sum(
case
when status >= 200
and status < 300 then 1
else 0
end
) * 100.0 / count(1),
6
) as "2xx比例(%)",
round(
sum(
case
when status >= 300
and status < 400 then 1
else 0
end
) * 100.0 / count(1),
6
) as "3xx比例(%)",
round(
sum(
case
when status >= 400
and status < 500 then 1
else 0
end
) * 100.0 / count(1),
6
) as "4xx比例(%)",
round(
sum(
case
when status >= 500
and status < 600 then 1
else 0
end
) * 100.0 / count(1),
6
) as "5xx比例(%)"
group by
"使用者代理程式"
order by
pv desc
limit
100本月每日消費及趨勢預測
首先根據賬單號對資料做分組,擷取到對應的時間、產品標識、賬單類型及應付金額。接著按天做彙總計算每天的費用。然後按照時間排序找到產生費用的最新一天。最後將時間、費用、傳遞的字串(可以作為之後的別名)、預測周期、預測點的個數作為sls_inner_ts_regression的參數,擷取當前每天的消費情況及之後的預測結果。 您可以使用線圖,x軸配置時間、y軸配置實際消費和預測消費兩個欄位,可視化展示本月的消費情況以及剩餘時間的消費預測。
source :bill |
select
date_format(res.stamp, '%Y-%m-%d') as time,
res.real as "實際消費",case
when is_nan(res.real) then res.pred
else null
end as "預測消費",
res.instances
from(
select
sls_inner_ts_regression(
cast(day as bigint),
total,
array ['total'],
86400,
60
) as res
from
(
select
*
from
(
select
*,
max(day) over() as lastday
from
(
select
to_unixtime(date_trunc('day', __time__)) as day,
sum(PretaxAmount) as total
from
(
select
RecordID,
arbitrary(__time__) as __time__,
arbitrary(ProductCode) as ProductCode,
arbitrary(item) as item,
arbitrary(PretaxAmount) as PretaxAmount
from
log
group by
RecordID
)
group by
day
order by
day
)
)
where
day < lastday
)
)
limit
1000本月消費情況各產品的佔比
查詢語句中首先根據產品名稱彙總計算各個產品的總支出,使用row_number函數將產品按照支出金額倒序排列。找出支出最多的六個產品,其他的歸為其他。您可以通過配置環形圖可視化展示資料。
source :bill |
select
case
when rnk > 6
or pretaxamount <= 0 then '其他'
else ProductName
end as ProductName,
sum(PretaxAmount) as PretaxAmount
from(
select
*,
row_number() over(
order by
pretaxamount desc
) as rnk
from(
select
ProductName,
sum(PretaxAmount) as PretaxAmount
from
log
group by
ProductName
)
)
group by
ProductName
order by
PretaxAmount desc
limit
1000昨天的消費及與上月的同比
先計算昨天的總費用,使用coalesce運算式當未產生費用時返回0,round函數取三位小數。然後通過compare函數計算同比。 您可以使用統計圖中的趨勢圖,展示昨天的消費總額及與上個月的同比情況。
source :bill |
select
round(diff [1], 2),
round(diff [2], 2),
round(diff [3] * 100 -100, 2)
from(
select
compare("昨日消費", 604800) as diff
from(
select
round(coalesce(sum(PretaxAmount), 0), 3) as "昨日消費"
from
log
)
)Tomcat Web服務分析
tomcat請求狀態趨勢分析
通過date_trunc函數對日誌時間按照分鐘對齊,使用date_format函數提取出小時、分鐘,將提取後的時間與訪問狀態代碼status通過group by彙總,擷取每分鐘每個狀態代碼的count值。您可以使用流圖展示資料,配置x軸為time,y軸為count,彙總列為status。
* |
select
date_format(date_trunc('minute', __time__), '%H:%i') as time,
COUNT(1) as c,
status
GROUP by
time,
status
ORDER by
time
LIMIT
1000tomcat訪問的pv、uv時間分布
使用time_series函數根據日誌時間做兩分鐘對齊,然後對時間彙總計算出訪問數量,使用approx_distinct函數計算remote_addr去重之後的數量,然後根據時間排序。您可以通過添加多Y軸線圖,配置x軸為time、y軸兩條線分別展示uv和pv值,可視化展示資料。
* |
select
time_series(__time__, '2m', '%H:%i', '0') as time,
COUNT(1) as pv,
approx_distinct(remote_addr) as uv
GROUP by
time
ORDER by
time
LIMIT
1000tomcat錯誤請求數量以及與上一小時錯誤請求比較
內層SQL擷取狀態大於等於400的請求數,中介層SQL使用compare函數擷取3600秒前的資料,外層中c1是目前時間的錯誤數量,c2是3600秒前的錯誤數量,c3是c1/c2的比值,用於展示趨勢,您可以配置環形圖,設定c1為顯示值,c3為對比值,可視化展示資料。
status >= 400 |
SELECT
diff [1] AS c1,
diff [2] AS c2,
round(diff [1] * 100.0 / diff [2] - 100.0, 2) AS c3
FROM
(
select
compare(c, 3600) AS diff
from
(
select
count(1) as c
from
log
)
)tomcat中請求數前十的URL展示
通過request_uri分組彙總,計算每個request_uri對應的訪問量,然後按照訪問量倒序排列,取前十條資料,您可以配置基礎計量圖,設定x軸為page,y軸為pv,可視化展示資料。
* |
SELECT
request_uri as page,
COUNT(*) as pv
GROUP by
page
ORDER by
pv DESC
LIMIT
10tomcat的用戶端分類及數量分布
通過user_agent欄位彙總分析,計算出每種用戶端的數量。您可以配置環形圖,設定分類為user_agent,數值列為c,可視化展示資料。
* |
SELECT
user_agent,
COUNT(*) AS c
GROUP BY
user_agent
ORDER BY
c DESCtomcat流出流量統計
使用time_series函數將資料時間對齊,然後彙總時間計算body_bytes_sent的和。您可以配置線圖x軸和y軸,設定x軸為time,y軸為body_sent,可視化展示資料。
* |
select
time_series(__time__, '10s', '%H:%i:%S', '0') as time,
sum(body_bytes_sent) as body_sent
GROUP by
time
ORDER by
time
LIMIT
1000tomcat錯誤請求佔比
在SQL內部擷取請求status超過400的錯誤請求數量以及總的請求數量。在外部計算比值。您可以配置刻度盤,可視化展示資料。
* |
select
round((errorCount * 100.0 / totalCount), 2) as errorRatio
from
(
select
sum(
case
when status >= 400 then 1
else 0
end
) as errorCount,
count(1) as totalCount
from
log
)