Updated on 2024-11-18 GMT+08:00

Analyzing Logs in LTS

After you structure logs, wait 1 to 2 minutes and then you can query and analyze the structured logs using SQL statements and visualize the query results.

Currently, this function is available to all users in regions CN South-Guangzhou, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN-Hong Kong, CN Southwest-Guiyang1, AP-Singapore, CN North-Beijing1, and AP-Bangkok. It is also available to whitelisted users in regions CN South-Shenzhen, ME-Riyadh, and AP-Jakarta.

Prerequisites

  • Logs have been collected.
  • Logs have been structured. For details, see Setting Cloud Structuring Parsing.

    If a structured field shares a name with one of the reserved fields for SQL (such as time, select, and where), or if its name contains hyphens (-), underscores (_), or periods (.), you need to enclose the field name in double quotation marks in SQL queries.

Analyzing Logs

  1. Log in to the LTS console. The Log Management page is displayed by default.
  2. Click the target log group or stream. The log stream details page is displayed.
  3. Click the Log Analysis tab.
  4. This tab page provides interactive analysis. You can use simple analysis statements to query visualized data and configure visualized charts. You can also set filters, add metrics and groups, and enable sorting for data analysis.

  5. Select a time range, enter a SQL statement by referring to SQL Analysis Syntax, and click Search. The search results will be displayed in various charts in the lower part.

    There are three types of time range: relative time from now, relative time from last, and specified time. Select a time range as required.
    • From now: queries log data generated in a time range that ends with the current time, such as the previous 1, 5, or 15 minutes. For example, if the current time is 19:20:31 and 1 hour is selected as the relative time from now, the charts on the dashboard display the log data that is generated from 18:20:31 to 19:20:31.
    • From last: queries log data generated in a time range that ends with the current time, such as the previous 1 or 15 minutes. For example, if the current time is 19:20:31 and 1 hour is selected as the relative time from last, the charts on the dashboard display the log data that is generated from 18:00:00 to 19:00:00.
    • Specified: queries log data that is generated in a specified time range.
    • SQL query constraints are as follows:
      1. A maximum of 100,000 records can be returned for each query.
      2. When the number of aggregation results exceeds 100,000, the aggregation results may be inaccurate.
    • There are some restrictions when you use a string in a WHERE clause.
      1. The value should be enclosed by single quotation marks (') for exact match, and by single or double quotation marks (") for fuzzy search. If the key shares a name with one of the SQL reserved fields, enclose the key with double quotation marks (").
      2. Recommended formats: WHERE "Key" = 'Value' and WHERE "Key" like '%Value%'
    • There are no restrictions on float and long types in WHERE clauses. However, you are still advised to use the formats described above to avoid query exceptions caused by keyword conflicts.
    • You can drag the log search box to adjust its height.
    • After entering the search statement, you can click to format or reverse-format the SQL statement, which optimizes the search statement and improves search efficiency.

  6. If the number of logs generated within the specified time range exceeds 1 billion, iterative query is triggered so you can view all logs in multiple queries. The message Query status: Results are accurate is displayed.

  7. Select a chart to present the query result. For details, see Visualizing Logs in Statistical Charts.
  8. You can perform the following operations on the query result:

    • Click Create. In the displayed Create Chart dialog box, set Chart Name and enable Add to Dashboard as required, and click OK to save the visual chart.
    • Click Save. In the displayed Save Chart dialog box, set Chart Name and enable Add to Dashboard as required, and click OK to save the visual chart. To modify an existing chart, select it and click Save.
    • Click Save As. In the displayed dialog box, set Chart Name and enable Add to Dashboard as required, and click OK to copy the existing visual chart.

      You must save a chart before saving it as a visual chart.

    • Click Download to download the visual data of the current SQL query result. The file is in .csv format.
    • Click . In the displayed Create Alarm Rule dialog box, configure SQL alarm rules for the selected visual chart.

      You can create an alarm rule only after saving the chart.

    • Click Show Chart to expand the visual charts of the current log stream. Click Show Chart again to collapse the visual charts of the current log stream.
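
The quoting rules above (double-quoted field names in the Prerequisites note, and the recommended WHERE formats in step 5) matter most when a script assembles the statement from caller-supplied field names and values. The following Python helper is an added example, not part of the LTS documentation or any LTS SDK; its function names, the allowed field-name character set, and the decision to reject quote characters instead of escaping them are assumptions.

```python
import re

# Reserved words named on this page. The page lists them only as examples
# ("such as"), so this is a partial, constructed sample, not the full LTS list.
RESERVED_SAMPLE = {"time", "select", "where"}
SPECIAL_CHARS = set("-_.")  # characters the page says require double-quoting


def needs_quoting(field: str) -> bool:
    """True when the page's rule requires the field name to be double-quoted."""
    return field.lower() in RESERVED_SAMPLE or bool(SPECIAL_CHARS & set(field))


def quote_field(field: str, always: bool = True) -> str:
    """Double-quote a field name; always=True follows the recommended "Key" form."""
    # Assumption: field names consist of letters, digits, '-', '_' and '.'.
    # Anything else (including a double quote) is refused, not escaped.
    if not re.fullmatch(r"[A-Za-z0-9_.\-]+", field):
        raise ValueError(f"unsupported field name: {field!r}")
    return f'"{field}"' if always or needs_quoting(field) else field


def quote_value(value: str) -> str:
    """Single-quote a string value. Quote characters are rejected because the
    page documents no escape syntax, so none is guessed here (assumption)."""
    if "'" in value or '"' in value:
        raise ValueError("quote characters are not allowed in values")
    return f"'{value}'"


def where_exact(field: str, value: str) -> str:
    """Exact match in the recommended form: WHERE "Key" = 'Value'."""
    return f"WHERE {quote_field(field)} = {quote_value(value)}"


def where_fuzzy(field: str, value: str) -> str:
    """Fuzzy match in the recommended form: WHERE "Key" like '%Value%'."""
    if "%" in value:
        # Keep caller-supplied text from widening the pattern.
        raise ValueError("'%' is not allowed in fuzzy-search values")
    return f"WHERE {quote_field(field)} like {quote_value('%' + value + '%')}"


if __name__ == "__main__":
    print(where_exact("time", "2024-11-18"))     # reserved name, quoted
    print(where_fuzzy("user-agent", "curl"))     # hyphenated name, quoted
```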