|
. To search for logs only without statistical analysis, omit the vertical bar |
and SQL statement.[Search condition] | [SQL statement]
status:404
to search for application request logs with response status code 404. If the search condition is empty or *
, it indicates there is no search condition, and all logs are searched for.status:404 | select count(*) as logCounts
to count the number of logs with response status code 404. SQL statements must comply with SQL-92. For more information on syntax rules, see SQL Statement Syntax Rules.error
to search for all logs that contain error
.level:error
to search for logs whose log level is error.errorMessage
cannot be matched with error
, as they are different segments. In this case, you need to add a wildcard and search for it with error*
. For more information on segments and examples, see Segment and Index.Syntax | Description |
AND | Logical AND operator, such as level:ERROR AND pid:1234 . |
OR | Logical OR operator, such as level:ERROR OR level:WARNING . |
NOT | Logical NOT operator, such as level:ERROR NOT pid:1234 . |
() | Grouping operator, which controls the precedence of logical operations, such as (ERROR OR WARNING) AND pid:1234 . |
: | Colon, which is used for key-value search, such as level:ERROR . |
"" | Double quotation marks, which quote a phrase to match logs that contain all the words in the phrase and in the same sequence, such as name:"john Smith" . |
* | Wildcard, which is used to replace zero, one, or more characters, such as host:www.test*.com .You can also use key:* to query logs where the specified field (key ) exists. key:* is equivalent to _exists_:key . |
? | Wildcard, which can match one single character, such as host:www.te?t.com . Similar to * , it does not support prefix fuzzy queries. |
> | Range operator, which indicates the left operand is greater than the right operand, such as status:>400 . |
>= | Range operator, which indicates the left operand is greater than or equal to the right operand, such as status:>=400 . |
< | Range operator, which indicates the left operand is less than the right operand, such as status:<400 . |
<= | Range operator, which indicates the left operand is less than or equal to the right operand, such as status:<=400 . |
TO | Logical TO operator, such as request_time:[0.1 TO 1.0] . |
[] | Range operator, which includes the upper and lower boundary values, such as age:[20 TO 30] . |
{} | Range operator, which excludes the upper and lower boundary values, such as age:{20 TO 30} . |
\\ | Escape character. An escaped character represents the literal meaning of the character, such as url:\\/images\\/favicon.ico .You can also use "" to wrap special characters as a whole, e.g., url:"/images/favicon.ico" . Note that the characters in the double quotation marks are considered as a phrase to match logs that contain all the words in the phrase and in the same sequence. |
_exists_ | \\_exists\\_:key returns logs that contains key . For example, _exists_:userAgent means to return logs that contains the userAgent field. |
AND
and OR
represent logical search operators, while and
and or
are regarded as common text.OR
logic. For example, warning error
is equivalent to warning OR error
.()
to group search conditions and clarify the precedency when using the "AND" and "OR" operators, such as (ERROR OR WARNING) AND pid:1234
.Scenario | Statement |
Logs from a specified server | __SOURCE__:127.0.0.1 or __SOURCE__:192.168.0.* |
Logs from a specified file | __FILENAME__:"/var/log/access.log" or __FILENAME__:\\/var\\/log\\/*.log |
Logs containing ERROR | ERROR |
Logs of failures (with a status code greater than 400) | status:>400 |
Failed logs in the GET request (with a status code greater than 400) | method:GET AND status:>400 |
Logs at ERROR or WARNING level | level:ERROR OR level:WARNING |
Logs except those at INFO level | NOT level:INFO |
Logs from 192.168.10.10 but except those at INFO level | __SOURCE__:192.168.10.10 NOT level:INFO |
Logs from the /var/log/access.log file on 192.168.10.10 but except those at INFO level | (__SOURCE__:192.168.10.10 AND __FILENAME__:"/var/log/access.log.*") NOT level:INFO |
Logs from 192.168.10.10 and at ERROR or WARNING level | __SOURCE__:192.168.10.10 AND (level:ERROR OR level:WARNING) |
Logs with a status code of 4XX | status:[400 TO 500} |
Logs with the container name nginx in the metadata | __TAG__.container_name:nginx |
Logs with the container name nginx in the metadata, and request latency greater than 1s | __TAG__.container_name:nginx AND request_time:>1 |
Logs containing the message field | message:* or _exists_:message |
Logs that do not contain the message field | NOT _exists_:message |
*
to match zero, single, or multiple characters, or using the question mark ?
to match a single character. The following are examples:IP:192.168.1.*
can be used to match 192.168.1.1
and 192.168.1.34
.host:www.te*t.com
can be used to match www.test.com
and www.telt.com
.*
or question mark ?
cannot be used at the beginning of a word, i.e. prefix fuzzy searches are not supported.long
or double
type does not support an asterisk *
or question mark ?
for fuzzy search, but it supports a value range for fuzzy search, such as status:[400 TO 500}
.host:www.test.com
, host:m.test.com
, and you need to query logs containing test
in the middle, you can add the prefix .
to search for logs with host:test
.LIKE
syntax: For example, you can use * | select * where host like '%test%'
. However, this method delivers lower performance than the search condition method and is not suitable for scenarios with large volume of log data.Syntax | Description |
key:value | Key-value search, which indicates to query logs with a key field whose value contains the value , such as level:ERROR . |
value | Full-text search, which indicates to query logs with the full text containing the value , such as ERROR . |
AND | Logical AND operator, which is case-insensitive, such as level:ERROR AND pid:1234 . |
OR | Logical OR operator, which is case-insensitive, such as level:ERROR OR level:WARNING . |
NOT | Logical NOT operator, which is case-insensitive, such as level:ERROR NOT pid:1234 . |
() | Parentheses, which control the precedence of logical operations, such as level:(ERROR OR WARNING) AND pid:1234 . |
" " | Phrase search, which encloses a string in double quotation marks to match logs that contain all the words in the string in the same sequence, such as name:"john Smith" .A phrase search has no logical operators, and the phrase used is equivalent to the query character, such as name:"and" . |
' ' | Phrase search, which encloses a string in single quotation marks and is equivalent to "" . When the phrase to be searched for contains double quotation marks, single quotation marks can be used to enclose the phrase to avoid syntax errors, such as body:'user_name:"bob"' . |
* | Fuzzy search, which is used to match zero, one, or multiple characters, such as host:www.test*.com . Fuzzy prefix search is not supported. |
> | Range operator, which indicates the left operand is greater than the right operand, such as status>400 or status:>400 . |
>= | Range operator, which indicates the left operand is greater than or equal to the right operand, such as status>=400 or status:>=400 . |
< | Range operator, which indicates the left operand is less than the right operand, such as status<400 or status:<400 . |
<= | Range operator, which indicates the left operand is less than or equal to the right operand, such as status<=400 or status:<=400 . |
= | Range operator, which indicates the left operand is equal to the right operand, such as status=400 (equivalent to status:400 ). |
\\ | Escape symbol. An escaped character represents the literal meaning of the character. If the value searched for contains spaces, : , " , ' , or * , it needs to be escaped, such as body:user_name\\:bob .If single or double quotation marks are used for a phrase search, you only need to escape * and ' or " respectively.* that is not escaped represents a fuzzy search. |
key:* | Field of the text type: Queries logs containing the field (key ), no matter whether the value is empty, such as url:* .Field of the long /double type: Queries logs containing the field (key ) whose value is not empty, such as response_time:* . |
key:"" | Field of the text type: Queries logs containing the field (key ) whose value is empty (the value is also empty if it contains only delimiters), such as url:"" .Field of the long /double type: Queries logs not containing the field (key ) or containing the field whose value is empty (equivalent to NOT key:* ). |
Scenario | Statement |
Logs from a specified server | __SOURCE__:127.0.0.1 or __SOURCE__:192.168.0.* |
Logs from a specified file | __FILENAME__:"/var/log/access.log" |
Logs containing ERROR | ERROR |
Logs of failures (with a status code greater than 400) | status>400 |
Logs of failed GET requests (with a status code greater than 400) | method:GET AND status>400 |
Logs at ERROR or WARNING level | level:(ERROR OR WARNING) |
Logs except those at INFO level | NOT level:INFO |
name:"john Smith"
and filepath:"/var/log/access.log"
. Compared with searches without quotation marks, a phrase search means that the matched logs should contain all the words in the string and in the same sequence as required in the search condition./
:#1 filepath:"/var/log/access.log"#2 filepath:"/log/var/access.log"
filepath:/var/log/access.log
for search, the above two logs will be matched, as it does not involve the sequence of words.filepath:"/var/log/access.log"
for search, only the first log will be matched.filepath:"/var/log/acc*.log"
but not in the beginning of words such as filepath:"/var/log/*cess.log"
.*
to match zero, one, or multiple characters, for example:IP:192.168.1.*
can be used to match 192.168.1.1
and 192.168.1.34
.host:www.te*t.com
can be used to match www.test.com
and www.telt.com
.*
cannot be used at the beginning of a word; that is, fuzzy prefix search is not supported.long
or double
type support a value range but not the asterisk *
for a fuzzy search, such as status>400 and status<500
.host:www.test.com
, host:m.test.com
, and you need to query logs containing test
in the middle, you can add the prefix .
to search for logs with host:test
.LIKE
syntax: for example, you can use * | select * where host like '%test%'
. However, this method delivers lower performance than the search condition method and is not suitable for scenarios with large volume of log data.filepath:"/var/log/acc*.log"
but not in the beginning of words such as filepath:"/var/log/*cess.log"
. In addition, wildcards in phrase searches can only match the first 128 words meeting the search condition and return all logs containing these 128 words. The more specific the words, the more accurate the results. This restriction is not applicable to non-phrase searches.Feature | Lucene | CQL |
Logical operator | Only uppercase letters are supported, such as AND , NOT , and OR . | Both uppercase and lowercase letters are supported, such as AND , and , NOT , not , OR, and or . |
Symbol escape | Many symbols need to be escaped. For example, to search for /book/user/login/ , you need to escape it as \\/book\\/user\\/login\\/ . | Few symbols need to be escaped, and you can search for /book/user/login/ directly. |
Keyword search | The logical relationship between segments in a keyword is OR . For example, if the delimiter is / , /book/user/login/ is equivalent to book OR user OR login , and many irrelevant logs will be matched. | The logical relationship between segments in a keyword is AND . For example, if the delimiter is / , /book/user/login/ is equivalent to book AND user AND login , which is in line with search habits. |
Phrase search | Phrase searches do not support wildcards. For example, "/book/user/log*/" cannot match /book/user/login/ and /book/user/logout/ . | Phrase searches support wildcards. For example, "/book/user/log*/" can match /book/user/login/ and /book/user/logout/ . |
Regex search | Regular expressions are supported to search by keyword. | Regular expressions are not supported. |
Numeric range search | The syntax in the format of timeCost:[20 TO 30] is supported. | The syntax in the format of timeCost:[20 TO 30] is not supported, and you need to use timeCost>=20 AND timeCost<=30 . |
Syntax | Description |
Selects data from a table. It selects eligible data from the current log topic by default. Example: `level:ERROR | |
Specifies an alias for a column (KEY). Example: `level:ERROR | |
Combines aggregate functions to group results based on one column (KEY) or more. Example: `level:* | |
Sorts results according to the specified KEY . Example: `level:* | |
Limits the amount of data returned by the SELECT statement. Example: `level:* | |
Filters the original data found. Example: `level:ERROR | |
Filters grouped and aggregated data. The difference between HAVING and WHERE is that HAVING is executed on data after grouping (GROUP BY ) and before ordering (ORDER BY ) while WHERE is executed on the original data before aggregate. Example: `level:* | |
In some complex statistical analysis scenarios, you need to perform statistical analysis on the original data first and then perform secondary statistical analysis on the analysis results. In this case, you need to nest a SELECT statement into another SELECT statement. This query method is called nested subquery. Example: `* |
SELECT
is equivalent to select
.''
, while characters that are unsigned or included in double quotation marks ""
indicate field or column names. For example, 'status'
indicates the string status
, while status
or "status"
indicates the log field status
.'
, you need to use ''
(two single quotation marks) to represent the single quotation mark itself. For example '{''version'': ''1.0''}'
indicates the raw string {'version': '1.0'}. No special processing is required if the string itself contains a double quotation mark "
.Syntax | Description |
String concatenation, splitting, length calculation, case conversion, and more. | |
Time format conversion, statistics by time, time interval calculation, and more. | |
Parsing IPs to obtain geographic information and more. | |
Obtaining domain names and parameters from URLs, encoding/decoding URLs, and more. | |
Calculating the log count, maximum value, minimum value, average value, and more. | |
Calculating the number of unique values, percentile values (e.g., p95/p90), and more. | |
Variable type conversion; often used in functions that have special requirements on the variable types of parameters. | |
AND, OR, NOT, and other logical operations. | |
Mathematical operators (+, -, *, /, etc.) and comparison operators (>, <, etc.). | |
Condition determination expressions such as CASE WHEN and IF. | |
Getting the elements in an array, and more. | |
Comparing the calculation result of the current time period with the calculation result of a time period n seconds before. | |
Getting JSON objects, converting JSON types, and more. |
Scenario | Statement |
Number of logs of failed GET requests (with a status code greater than 400) | `method:GET AND status:>400 |
Number of logs of failed GET requests (with a status code greater than 400) per minute | `method:GET AND status:>400 |
Top five URLs with the largest number of requests | `* |
URLs with an average response time of greater than 1,000 ms in descending order | `* |
Percentage of failed requests | `* |
Percentage of failed requests of each URL in descending order | `* |
Number of requests of each province | `* |
Metric | Limit | Remarks |
Number of SQL results | Each SQL execution can return up to 10,000 results. | |
Memory usage | Each SQL execution can occupy up to 3 GB of server memory. | Usually, this limit can be triggered when group by , distinct() , or count(distinct()) is used, because the fields with statistics collected have too many values after deduplication via group by or distinct() . We recommend that you optimize the query statement and use fields with fewer values for group statistics, or use approx_distinct() instead of count(distinct()) . |
Apakah halaman ini membantu?