Overview
Structured Query Language (SQL) is a programming language used to control database access and manage data in databases. LTS SQL provides statements for querying structured data in log streams. In this document, SQL refers to LTS SQL.
SQL consists of commands and functions that are used to manage databases and database objects. When using this language, comply with the rules for using expressions and texts. In addition to SQL syntax reference, this document also provides information about expressions, functions, and operators. Basic SQL query statements are as follows.
Syntax
SELECT [ ALL | DISTINCT ] { * | exprs } FROM { <subquery> } [ WHERE where_condition ] [ GROUP BY [ col_name_list ] [ HAVING expr ] ] [ ORDER BY expr [ ASC | DESC ], expr [ ASC | DESC ], ... ] [ LIMIT limit ] [ OFFSET offset ]
Data Types
Table 1 lists the data types supported by SQL query. The data types of fields can be converted as needed. After the data type of a field is converted, the default value is displayed. For example, after a field of the string type is converted to the long type, the default value 0 of the long type is displayed. Similarly, when a null value is converted to a non-null value, the default value is used. For example, when a null value of the string type is converted to a numeric value, the default value 0 is returned.
In the SQL syntax, characters must be enclosed in single quotation marks ('). Fields or table names are either not enclosed or are enclosed in double quotation marks ("). For example, 'msg' indicates the string msg, while msg or "msg" indicates the structured msg field.
Query Statements
Statement | Description | Example |
---|---|---|
DISTINCT | Only distinct values are returned. | SELECT DISTINCT visitCount |
FROM | Indicates the source data set of the queried data. It can be the structured data of the current log stream or a subset of this data. If FROM is not specified, the structured data of the current log stream is queried by default. If the data source to be queried is a subset, you need to compile a subquery statement. | SELECT visitCount |
WHERE | Specifies the filter criteria. Arithmetic operators, relational operators, and logical operators are supported. You can enter the filtering condition in where_condition. | SELECT visitCount WHERE visitCount > 0 |
GROUP BY | Specifies the grouping field. Single-field grouping and multi-field grouping are supported. You can enter the structured field list in col_name_list. | SELECT host, count(*) AS pv WHERE visitCount > 0 GROUP BY host |
HAVING | Used only with GROUP BY. This statement specifies the structured field used to filter the GROUP BY results. | SELECT host, count(*) AS pv GROUP BY host HAVING pv > 10 |
ORDER BY | Fields that follow must be used for GROUP BY. The query results of GROUP BY can be sorted by any structured field. | SELECT host, count(*) AS pv GROUP BY host ORDER BY pv |
ASC/DESC | ASC (default) sorts from the lowest value to the highest value. DESC sorts from the highest value to the lowest value. | SELECT host, count(*) AS pv GROUP BY host ORDER BY pv DESC |
LIMIT | Limits the number of structured logs returned in the query result. A maximum of 100,000 structured logs can be returned for each query. If the LIMIT statement is not used, the latest 100 records in the query result are returned by default. | SELECT host LIMIT 100 |
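The quoting rule under Data Types (single quotes for string values, double quotes for field names) and the 100,000-record LIMIT ceiling both matter when a query is assembled from analyst or tool input instead of typed by hand. The sketch below is an added example, not part of the LTS documentation or any LTS SDK; the helper names and the allowed field-name character set are assumptions, and because this page documents no escape sequence for quotes inside a literal, such values are rejected rather than escaped.

```python
import re

MAX_LIMIT = 100_000  # per-query ceiling stated in the LIMIT row above
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # assumed-safe field charset


def quote_field(name: str) -> str:
    """Field names are double-quoted: "msg" is the structured msg field."""
    if not IDENT_RE.fullmatch(name):
        raise ValueError(f"unsafe field name: {name!r}")
    return f'"{name}"'


def quote_value(value) -> str:
    """String values are single-quoted: 'msg' is the string msg."""
    if isinstance(value, int) and not isinstance(value, bool):
        return str(value)
    if not isinstance(value, str):
        raise ValueError(f"unsupported literal type: {type(value).__name__}")
    # No escape rule is documented on this page, so quote characters,
    # backslashes and control characters are rejected, not escaped.
    if any(c in value for c in "'\"\\") or not value.isprintable():
        raise ValueError(f"unsafe string literal: {value!r}")
    return f"'{value}'"


def build_in_query(field: str, values, limit: int = 100) -> str:
    """Build SELECT * WHERE "field" IN (...) LIMIT n from untrusted parts."""
    if not values:
        raise ValueError("IN list must not be empty")
    if isinstance(limit, bool) or not isinstance(limit, int):
        raise ValueError("limit must be an integer")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    literals = ", ".join(quote_value(v) for v in values)
    return f"SELECT * WHERE {quote_field(field)} IN ({literals}) LIMIT {limit}"


if __name__ == "__main__":
    # Constructed sample input, mirroring the page's GET/POST example.
    print(build_in_query("request_method", ["GET", "POST"]))
```
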
Examples
Query Requirement | Query Statement |
---|---|
Standard query | SELECT "field" WHERE "field" = 'value' |
Number of rows | SELECT count(*) |
Column alias | SELECT count(*) AS "pv" |
Deduplication | SELECT DISTINCT("field") |
Pagination | SELECT "field" LIMIT 100 |
Sorting | SELECT "__time" ORDER BY "__time" |
Grouping | SELECT "field" GROUP BY "field" |
Statistics by group | SELECT "field",count(*) GROUP BY "field" |
Fuzzy search | SELECT "field" LIKE 'value%' |
Sum | SELECT sum("field") |
Maximum value | SELECT max("field") |
Minimum value | SELECT min("field") |
Average value | SELECT avg("field") |
SQL nested subquery | SELECT sum(pv) FROM (SELECT "field",count(*) AS "pv" GROUP BY "field") |
HAVING clause filtering | SELECT "field",count(*) AS "pv" GROUP BY "field" HAVING "pv" > 10 |
Query containing GET and POST requests | SELECT * WHERE "request_method" IN ('GET', 'POST') |
Query without GET and POST requests | SELECT * WHERE "request_method" NOT IN ('GET', 'POST') |
Logs of non-GET requests | SELECT * WHERE "request_method" != 'GET' |
Logs of successful GET requests with the 200 status code and a request time of less than 60 seconds | SELECT * WHERE "request_method" = 'GET' AND "request_time" < 60 |
Logs of requests whose time is greater than or equal to 60 seconds and less than 200 seconds | SELECT * WHERE "request_time" >= 60 AND "request_time" < 200 |
Logs of GET or POST requests | SELECT * WHERE "request_method" = 'GET' OR "request_method" = 'POST' |
The following reference statements contain all basic query syntax and are constructed based on structured logs of Elastic Load Balance (ELB).
```sql
SELECT url AS Url,
       host AS Host,
       failure_rate AS FailureRate,
       CONCAT(CAST(access_count AS varchar), ' times') AS "All",
       CONCAT(CAST(rsp_200_count AS varchar), ' times') AS "COUNT_200"
FROM (
    SELECT CONCAT(host,
                  CASE WHEN STRPOS(router_request_uri, '?') = 0
                       THEN router_request_uri
                       ELSE SUBSTR(router_request_uri, 1, 1)
                  END) AS url,
           host,
           count(1) AS access_count,
           SUM(CASE WHEN status = 200 THEN 1 ELSE 0 END) AS "rsp_200_count",
           (CASE WHEN COUNT(1) < 30 THEN 0
                 ELSE round(SUM(CASE WHEN status >= 400 THEN 1 ELSE 0 END) * 100.0 / COUNT(1), 2)
            END) AS failure_rate
    WHERE host NOT IN ('monitor-new.olayc.cn')
    GROUP BY host, router_request_uri
    HAVING router_request_uri NOT IN ('/robots.txt', '/null', '/undefined')
)
ORDER BY FailureRate DESC
LIMIT 100
```