Category | Description | Configuration Method |
Full-Text Index | A raw log is split into multiple segments, and indexes are created based on the segments. You can query logs based on keywords (full-text search). For example, entering error means to search for logs that contain the keyword error. | Console: Enable full-text index on the index configuration page. |
Key-Value Index | A raw log is split into multiple segments based on a field (key:value), and indexes are created based on the segments. You can query logs based on key-value (key-value search). For example, entering level:error means to search for logs with a level field whose value contains error. | Console: On the index configuration page, enable key-value index and enter the field name (`key`), such as level. |
Metadata Index | A metadata index is also a key-value index, but the field name is prefixed with __TAG__. Metadata indexes are usually used to classify logs.For example, entering __TAG__.region:"ap-beijing" means to search for logs with a region field whose value is ap-beijing. | Console: On the index configuration page, enable key-value index and enter the metadata field name (`key`), such as __TAG__.region. |
__CONTENT__
field and supports only full-text index configuration. If you need to configure key-value indexes for some content in the log or enable statistics, you need to perform log structuring and use log extraction modes other than full text in a single line or full text in multi lines.Configuration Item | Description |
Full-Text Delimiter | A set of characters that split the raw log into segments. Only English symbols are supported. Default delimiters in the console are @&?|#()='",;:<>[]{}/ \\n\\t\\r. Note: If a segment is too long, an index will be created only for the first 10,000 characters, and the excessive part cannot be found. However, the complete log will be stored. |
Case Sensitivity | Specifies whether log search is case-sensitive.For example, if a log is Error and log search is case-sensitive, the log cannot be matched by error. |
Allow Chinese Characters | This feature can be enabled when logs contain Chinese characters and the Chinese characters need to be searched. For example, if the original text of a log is in Chinese, and this feature is disabled, you cannot query the log by using a Chinese keyword contained in the original text. The query can be successful only if you use the exact raw log text to query the log. However, if you enable this feature, you can query the log by using a Chinese keyword contained in the raw log text. |
10.20.20.10;[2018-07-16 13:12:57];GET /online/sample HTTP/1.1;200
IP: 10.20.20.10request: GET /online/sample HTTP/1.1status: 200time: [2018-07-16 13:12:57]
@&()='",;:<>[]{}/ \\n\\t\\r
(including space), all field values in the raw log will be segmented into the following keywords (each line denotes a keyword):10.20.20.10GETonlinesampleHTTP1.12002018-07-16131257
\\/online\\/login
\\
is used to escape the /
symbol (this symbol is a reserved symbol of the search syntax and therefore needs to be escaped)./
symbol is a delimiter, so the actual search condition is online OR login
. A log containing online
or login
is considered to meet the search condition."/online/login"
/
symbol does not need to be escaped.login
and therefore does not meet the search condition."/online/sample"
online
and sample
in the exact order as that in the search condition and therefore is considered to meet the search condition.key:value
, for example, status:200
. If no field name is specified, a full-text search will be performed.Built-in Reserved Field | Description |
__FILENAME__ | Filename for log collection, which can be used to search for logs in a specified file. For example, you can use __FILENAME__:/"var/log/access.log" to search for logs from the /var/log/access.log file. |
__SOURCE__ | Source IP for log collection, which can be used to search for logs of a specified server. For example, you can use __SOURCE__:192.168.10.10 to search for the logs of the server whose IP is 192.168.10.10 . |
__HOSTNAME__ | The server name of the log, which can be used to search for logs of a specified server. Only LogListener 2.7.4 or later can collect this field. |
__TIMESTAMP__ | Log timestamp (UNIX timestamp in milliseconds). When a log is searched by time range, the system automatically searches for the log by this time and displays the time as the log time on the console. |
__PKG_LOGID__ | Log ID in a log group. This ID is used for context search. You are not recommended to use this ID alone. |
Configuration Item | Description | Remarks |
Field Name | Note: You can add up to 300 fields for a key-value index of a log topic. | - |
Data Type | Data type of the field. There are three types: text , long , and double . The text type supports fuzzy search by wildcard, while the long and double types support range search.Note: 1. Fields of the long type support a data range of -1E15 to 1E15. Data out of the range may lose certain decimal places or not be matched. In the case of index configuration for a super long numeric field, we recommend that you:store the field as the text type if you don't need to search for it by comparing it with the numeric range.store the field as the double type if you need to do so, which may lose certain decimal places.2. Fields of the double type support a data range of -1.79E+308 to +1.79E+308. If the number of code characters of the floating-point number exceeds 64, decimal places will be lost. | long - Integer type (Int 64) double - Floating point (64 bit) double text - String |
Delimiter | A set of characters that split the field value into segments. Only English symbols are supported. Note: If a segment is too long, an index will be created only for the first 10,000 characters, and the excessive part cannot be found. However, the complete log will be stored. | Default delimiters in the console: @&?|#()='",;:<>[]{}/ \\n\\t\\r |
Allow Chinese Characters | This feature can be enabled when fields contain Chinese characters and the Chinese characters need to be searched. For example, if the original text of a log is in Chinese, and this feature is disabled, you cannot query the log by using a Chinese keyword contained in the original text. The query can be successful only if you use the exact raw log text to query the log. However, if you enable this feature, you can query the log by using a Chinese keyword contained in the raw log text. | - |
Enable Statistics | After it is toggled on, SQL statistical analysis can be performed on the field, such as group by ${key} and sum(${key}) .Note: If it is toggled on for a field of the `text` type and the value is too long, only the first 32,766 characters will be included in the statistical calculation (SQL). If the field contains Chinese characters, the log will be lost if the value contains more than 32,766 characters. We recommend that you toggle the feature off in this case. | This feature is part of the key-value index feature and therefore is not billed separately. |
Case Sensitivity | Specifies whether log search is case-sensitive.For example, if a log is level:Error and log search is case-sensitive, the log cannot be matched by level:error . | - |
10.20.20.10;[2018-07-16 13:12:57];GET /online/sample HTTP/1.1;200
IP: 10.20.20.10request: GET /online/sample HTTP/1.1status: 200time: [2018-07-16 13:12:57]
Field Name | Field Type | Delimiter | Allow Chinese Characters | Enable Statistics |
IP | text | @&()='",;:<>[]{}/ \\n\\t\\r | No | Yes |
request | text | @&()='",;:<>[]{}/ \\n\\t\\r | No | Yes |
status | long | None | No | Yes |
time | text | @&()='",;:<>[]{}/ \\n\\t\\r | No | Yes |
request:\\/online\\/login
\\
is used to escape the /
symbol (this symbol is a reserved symbol of the search syntax and therefore needs to be escaped)./
symbol is a delimiter, so the actual search condition is online OR login
. A log containing online
orlogin
is considered to meet the search condition.request:"/online/login"
/
symbol does not need to be escaped.login
and therefore does not meet the search condition.request:"/online/sample"
online
and sample
in the exact order as that in the search condition and therefore is considered to meet the search condition.request:"/online/login" | select count(*) as logCounts
request
is "/online/login".* | select count() as logCounts,request group by request order by count() desc limit 10 Get the top 10 requests with the largest number of log entries.
LogTag
field (for more information, see the LogTag
field in Uploading Log via API), while the raw log content is passed through the Log
field. A metadata index needs to be configured for all data which is passed via LogTag
. A metadata index is a key-value index in essence, adopting the same indexing rules and configuration methods as key-value indexes. The only difference is that the metadata field in a metadata index is identified by the specific prefix __TAG__.
. For example, the region
metadata field is indexed as __TAG__.region
.10.20.20.10;[2018-07-16 13:12:57];GET /online/sample HTTP/1.1;200
region:ap-beijing
, the structured log uploaded to CLS will be as follows:IP: 10.20.20.10request: GET /online/sample HTTP/1.1status: 200time: [2018-07-16 13:12:57]__TAG__.region:ap-beijing
Field Name | Delimiter |
__TAG__.region | @&()='",;:<>[]{}/ \\n\\t\\r |
__TAG__.region:"ap-beijing"
, the sample log can be returned.Configuration Item | Description | Recommended Configuration |
Include built-in reserved fields in full-text index | Contain: The full-text index contains built-in fields __FILENAME__ , __HOSTNAME__ , and __SOURCE__ , and full-text search and key-value search are supported, such as "/var/log/access.log" and __FILENAME__:"/var/log/access.log" .Not contain: The full-text index does not contain the aforementioned built-in fields, and only key-value search can be used, such as __FILENAME__:"/var/log/access.log" . | Contain |
Include metadata fields in full-text index | Contain: The full-text index contains all metadata fields (those prefixed with __TAG__ ), and log fields can be searched for directly with full-text search, such as ap-beijing .Not contain: The full-text index does not contain any metadata fields, and log fields can be searched for only with key-value search, such as __TAG__.region:ap-beijing . Key-value search is not supported for infrequent log topics, and fields cannot be searched for in this case.Contain only metadata fields with key-value index enabled: The full-text index contains metadata fields with key-value index enabled but not metadata fields with key-value index disabled. This option is not available for infrequent log topics. | Contain |
Log storage rule in case of index creation exception | In case of any exception during index creation for logs, CLS will store raw logs in __RAWLOG__ to avoid log loss. If index creation fails only for certain fields, the failed part can be stored in the specified field (which is RAWLOG_FALL_PART by default). For more information, see Handling rule for a log index creation exception. | Enable |
kye1
is a common field, and kye2
and kye3
are nested JSON fields.{"kye1": "http://www.example.com","kye2": {"address": {"country": "China","city": {"name": "Beijing","code": "065001"}},"contact": {"phone": {"home": "188xxxxxxxx","work": "187xxxxxxxx"},"email": "xxx@xxx.com"}},"kye3": {"address": {"country": "China","city": {"name": "Beijing","code": "065001"}},"contact": {"phone": {"home": "188xxxxxxxx","work": "187xxxxxxxx"},"email": "xxx@xxx.com"}}}
kye1
and kye2.address
fields but not the kye3
field.kye2.address
is displayed as a string, and its attributes and objects are not further expanded.kye2.contact
is not configured with a key-value index, because kye2.address
is configured with an index, kye2.contact
as an object at the same level as kye2.address
is also displayed as a string.kye3
is not configured with a key-value index, and therefore its attributes and objects are not expanded.Results
parameter in the output parameters is as follows (other parameters are not affected and remain unchanged):{"Time": 1645065742008,"TopicId": "f813385f-aee0-4238-xxxx-c99b39aabe78","TopicName": "TestJsonParse","Source": "172.17.0.2","FileName": "/root/testLog/jsonParse.log","PkgId": "5CB847DA620DB3D4-10D","PkgLogId": "65536","HighLights": [],"Logs": null,"LogJson": "{\\"kye1\\":\\"http://www.example.com\\",\\"kye2\\":{\\"address\\":\\"{\\\\\\"country\\\\\\":\\\\\\"China\\\\\\",\\\\\\"city\\\\\\":{\\\\\\"name\\\\\\":\\\\\\"Beijing\\\\\\",\\\\\\"code\\\\\\":\\\\\\"065001\\\\\\"}}\\",\\"contact\\":\\"{\\\\\\"phone\\\\\\":{\\\\\\"home\\\\\\":\\\\\\"188xxxxxxxx\\\\\\",\\\\\\"work\\\\\\":\\\\\\"187xxxxxxxx\\\\\\"},\\\\\\"email\\\\\\":\\\\\\"xxx@xxx.com\\\\\\"}\\"},\\"kye3\\":\\"{\\\\\\"address\\\\\\":{\\\\\\"country\\\\\\":\\\\\\"China\\\\\\",\\\\\\"city\\\\\\":{\\\\\\"name\\\\\\":\\\\\\"Beijing\\\\\\",\\\\\\"code\\\\\\":\\\\\\"065001\\\\\\"}},\\\\\\"contact\\\\\\":{\\\\\\"phone\\\\\\":{\\\\\\"home\\\\\\":\\\\\\"188xxxxxxxx\\\\\\",\\\\\\"work\\\\\\":\\\\\\"187xxxxxxxx\\\\\\"},\\\\\\"email\\\\\\":\\\\\\"xxx@xxx.com\\\\\\"}}\\"}"}
kye2.address
is a string, so its value is escaped as a string.kye2.contact
is an object at the same level as kye2.address
, and although kye2.contact
is not configured with a key-value index, its value is also escaped as a string.kye3
is not configured with a key-value index and is escaped as a string as a whole.{"Time": 1645065742008,"TopicId": "f813385f-aee0-4238-xxxx-c99b39aabe78","TopicName": "zhengxinTestJsonParse","Source": "172.17.0.2","FileName": "/root/testLog/jsonParse.log","PkgId": "25D0A12F620DBB64-D3","PkgLogId": "65536","HighLights": [],"Logs": null,"LogJson": "{\\"kye1\\":\\"http://www.example.com\\",\\"kye2\\":{\\"address\\":\\"{\\\\\\"city\\\\\\":{\\\\\\"code\\\\\\":\\\\\\"065001\\\\\\",\\\\\\"name\\\\\\":\\\\\\"Beijing\\\\\\"},\\\\\\"country\\\\\\":\\\\\\"China\\\\\\"}\\",\\"contact\\":{\\"phone\\":{\\"work\\":\\"187xxxxxxxx\\",\\"home\\":\\"188xxxxxxxx\\"},\\"email\\":\\"xxx@xxx.com\\"}},\\"kye3\\":{\\"address\\":{\\"country\\":\\"China\\",\\"city\\":{\\"code\\":\\"065001\\",\\"name\\":\\"Beijing\\"}},\\"contact\\":{\\"phone\\":{\\"work\\":\\"187xxxxxxxx\\",\\"home\\":\\"188xxxxxxxx\\"},\\"email\\":\\"xxx@xxx.com\\"}}}"}
__RAWLOG__
for exception handling. This avoids log loss. __RAWLOG__
supports only full-text search (full-text index needs to be enabled) but not key-value search, key-value index, and statistical analysis. After full-text index is enabled, index traffic, index storage, and fees will still be calculated according to the full text of the raw log for the abnormal log, without additional fees.__RAWLOG__
field, and only full-text search can be used.__RAWLOG__
field and certain fields with a successfully created index (these fields support properly configuring key-value index and statistical analysis). In Index Configuration > Advanced Settings, you can also store abnormal fields in the specified field (which is RAWLOG_FALL_PART
by default and supports configuring key-value index and statistical analysis).
문제 해결에 도움이 되었나요?