Searching and Analyzing Logs

LTS enables you to search and analyze logs simultaneously using a statement that includes a pipe character (|). The syntax consists of three parts: a statement for searching unstructured and semi-structured data, a pipe character (|), and a statement for analyzing structured data, for example, * and msg:"hello world" | SELECT avg(value).

Log Search and Analysis

On the LTS console, choose Log Management in the navigation pane.
In the log group list, click on the left of a log group name.
In the log stream list, click the name of the target log stream.
On the Log Search tab page, view the structuring fields and index fields under Quick Analysis. You can click next to a field to view the metric information. For details, see Creating a Quick Analysis Task.

Figure 1 Structuring fields
When you search through a large amount of log data on the Log Search tab page, LTS automatically initiates an iterative search.
- During an iterative log search, you cannot enter any information in the search box. To pause the iterative search, click Pause. To resume the search, click Continue. You are advised not to initiate a new search task before the current iterative search is complete.
- For iterative searches that take a long time, you can narrow down the time range or add filters to reduce the number of iterative searches.
On the Charts tab page, select a time range in the upper right corner to view raw logs and statistical charts. Enter a search statement and a SQL analysis statement, separated by the pipe character (|), in the search box.

There are three types of time range: relative time from now, relative time from last, and specified time. Select a time range as required.
- From now: queries log data generated in a time range that ends with the current time, such as the previous 1, 5, or 15 minutes. For example, if the current time is 19:20:31 and 1 hour is selected as the relative time from now, the charts on the dashboard display the log data that is generated from 18:20:31 to 19:20:31.
- From last: queries log data generated in a time range that ends with the current time, such as the previous 1 or 15 minutes. For example, if the current time is 19:20:31 and 1 hour is selected as the relative time from last, the charts on the dashboard display the log data that is generated from 18:00:00 to 19:00:00.
- Specified: queries log data that is generated in a specified time range.
Set the layout of log data, including whether to display fields or display fields in a simple view.
1. Select Edit layouts from the layout drop-down list to access the layout setting page. The list also contains options such as the default layout, pure layout, and default container log layout, for you to set whether to display fields.
  - Cloud: This mode is applicable to users who have the write permission. Layout information is stored on the cloud.
  - Local Cache: This mode is applicable to users who have only the read permission. Layout information is cached in the local browser.
2. On the displayed Layout page, click + under Layout List to create a custom layout, name it, and configure how fields are displayed in this layout.
3. After the setting is complete, click OK. The new custom layout is displayed in the drop-down list.

Common Log Search Operations

These operations include sharing logs and refreshing logs. For details, see Table 1.

**Table 1** Common operations
Operation	Description
Interactive search	Click Interactive Mode in front of the search box. In the displayed Interactive Search dialog box, select fields for index configuration, set the filtering mode, and add associations and groups. After the setting is complete, you can preview the search syntax.
Creating quick search	Click to create a quick search.
Sharing logs	Click to copy the link of the current log search page to share the logs that you have searched.
Refreshing logs	You can click to refresh logs in two modes: manual refresh and automatic refresh. Manual refresh: Select Refresh Now from the drop-down list. Automatic refresh: Select an interval from the drop-down list to automatically refresh logs. The interval can be 15 seconds, 30 seconds, 1 minute, or 5 minutes.
Copying logs	Click to copy the log content.
Viewing context of a log	Click to view the log context. You can select Simple View to view the log context. You can also download the context.
More operations	Click to access the log details page of the time segment and view more log information. On the Extended Fields tab page, view field names and values. You can also click buttons in the Operation column to add a field to or exclude a field from a query, set whether a field exists or does not exist, or set whether a field is hidden. On the JSON Format tab page, view the JSON format of logs. On the Context Logs tab page, you can set the number of lines to be queried and filtered fields. You can also download logs and enable the summary mode.
Unfold/Fold	Click to display all the log content. This unfold button is enabled by default. Click to fold the log content.
Downloading logs	Click . On the displayed Download Logs page, click Direct Download or Transfer and Download. Direct Download: Download log files to the local PC. Up to 5,000 logs can be downloaded at a time. Select .csv or .txt from the drop-down list and click Download to export logs to the local PC. NOTE: If you select Export .csv, logs are exported as a table. If you select Export .txt, logs are exported as a .txt file. Transfer and Download: Download log files through OBS transfer tasks. Up to 20 million logs can be downloaded at a time. Click Transfer to access the Configure Log Transfer page. For details, see Transferring Logs to OBS.
Hiding/Expanding all	Click to set the number of lines displayed in the log content. Click to hide the log content.
JSON	Move the cursor over , click JSON, and set JSON formatting. Formatting is enabled by default. The default number of expanded levels is 2. Formatting enabled: Set the default number of expanded levels. Maximum value: 10. Formatting disabled: JSON logs will not be formatted for display.
Collapse configuration	Move the cursor over , click Log Collapse, and set the maximum characters to display in a log. If the number of characters in a log exceeds the maximum, the extra characters will be hidden. Click Expand to view all. Logs are collapsed by default, with a default character limit of 400.
Log time display	Move the cursor over and click Log Time Display. On the page that is displayed, set whether to display milliseconds and whether to display the time zone. Milliseconds are displayed by default.
Virtual Scrolling	Move the cursor over and click Virtual Scrolling. On the page that is displayed, set whether to enable virtual scrolling and enter the buffer size. Virtual scrolling eliminates or minimizes frame and page freezing for better user experience. Data is re-rendered during the process. This may affect smoothness. The buffer size determines the amount of data that can be loaded simultaneously. The larger the buffer, the more data loaded simultaneously, but the worse the scrolling performance.
Invisible fields ()	This list displays the invisible fields configured in the layout settings. The button is unavailable for log streams without layout settings configured. If the log content is CONFIG_FILE and layout settings are not configured, the default invisible fields include appName, clusterId, clusterName, containerName, hostIPv6, NameSpace, podName, and serviceID.