Log Search

Follow the directions below to search logs by keyword and time range:

1. On the LTS console, choose Log Management in the navigation pane on the left.
2. In the log group list, click on the left of a log group name.
3. In the log stream list, click a log stream name.
   Figure 1 Log details
   
4. Above the search box, select a time range.
   There are three types of time range: relative time from now, relative time from last, and specified time. Select a time range as required.

   

   • From now: queries log data generated in a time range that ends with the current time, such as the previous 1, 5, or 15 minutes. For example, if the current time is 19:20:31 and 1 hour is selected as the relative time from now, the charts on the dashboard display the log data that is generated from 18:20:31 to 19:20:31.
   • From last: queries log data generated in a time range that ends with the current time, such as the previous 1 or 15 minutes. For example, if the current time is 19:20:31 and 1 hour is selected as the relative time from last, the charts on the dashboard display the log data that is generated from 18:00:00 to 19:00:00.
   • Specified: queries log data that is generated in a specified time range. The time range can be up to three months for common users and six months for whitelisted users. If necessary, submit a service ticket to extend the time range to six months.
5. On the log stream details page, you can search for logs using the following methods:
   1. In the search area, click the search box, enter a keyword or select a field or keyword from the drop-down list, and click Search.

      Logs that contain the keyword are displayed on the Raw Logs tab page.

      

      • Built-in reserved fields include appName, category, clusterId, clusterName, and collectTime. By default, the fields are displayed in simplified mode, and hostIP, hostName, and pathFile are displayed at the beginning. For details, see Built-in Reserved Fields.
      • The structuring fields are displayed in key:value format.
      • If there is too much content in the log search box, the content can be automatically wrapped and displayed in multiple lines.
      • The height of the search box can be fixed.
   2. On the Raw Logs page, the bar chart of the log quantity in different time segments is displayed. The scale of the log quantity is displayed next to the bar chart.
      

      If the embedding function is used, you can collapse or expand the log quantity statistics chart. For details about embedded parameters, see LTS Address.

   3. On the Raw Logs page, click a field in blue in the log content. You can select Copy, Add To Search, and Exclude from Search from the displayed drop-down list.
   4. Click a field for which quick analysis has been created to add it to the search box.
      

      If the field you click already exists in the search box, it will be replaced by this newly added one. If the field is added for the first time, fields in the search box are searched using the AND operator.

   5. In the search area, press the up and down arrows on the keyboard to select a keyword or search syntax from the drop-down list, press Tab or Enter to select a keyword or syntax, and click Search.
6. Under the log content, click in front of the time. Structured fields can be displayed in table or JSON format.
   • On the Table tab page, you can search for logs by adding a field to a query or excluding a field from a query, or through whether a field exists, whether a field does not exist, or whether a field is hidden. For details, see Search Syntax.
   • On the JSON tab page, you can view or copy a log.
7. Set the layout.

   

   1. Select All layouts from the drop-down list. The layout setting page is displayed. The layout list contains the default layout, pure layout, and default layout of container logs. You can set whether to display fields on the layout.

      Cloud: This mode is applicable to users who have the write permission. Layout information is stored on the cloud.

      Local Cache: This mode is applicable to users who have only the read permission. Layout information is cached in the local browser.

      

   2. Click to add a custom layout and set the layout name and visibility of layout fields.
   3. After the setting is complete, click OK. The new custom layout is displayed in the drop-down list.

      

Common Log Search Operations

Log search operations include sharing logs and refreshing logs.

Table 1 Common operations

Operation	Description
Interactive search	Click in front of the search box. In the displayed Interactive Search dialog box, select fields for index configuration, set the filtering mode, and add associations and groups. After the setting is complete, you can preview the search syntax.
Creating quick search criteria	Click to create a quick search.
Viewing dashboards	Click to view the dashboard you created.
Adding alarm rules	Click and add an alarm rule on the displayed page.
Sharing logs	Click to copy the link of the current log search page to share the logs that you have searched.
Refreshing logs	You can click to refresh logs in two modes: manual refresh and automatic refresh. Manual refresh: Select Refresh Now from the drop-down list. Automatic refresh: Select an interval from the drop-down list to automatically refresh logs. The interval can be 15 seconds, 30 seconds, 1 minute, or 5 minutes.
Copying logs	Click to copy the log content.
Viewing context of a log	Click to view the log context. NOTE: You can select Simple View to view the log context. You can also download the context.
Simplifying field details	Click to view the simplified field details.
Unfold/Fold	Click to display all the log content. Click to fold the log content. NOTE: Unfold is enabled by default.
Downloading logs	Click . On the displayed Download Logs page, click Direct Download. Direct Download: Download log files to the local PC. Up to 5,000 logs can be downloaded at a time. Select .csv or .txt from the drop-down list and click Download to export logs to the local PC. NOTE: If you select Export .csv, logs are exported as a table. If you select Export .txt, logs are exported as a .txt file.
Collapse all/Expand all	Click to set the number of lines displayed in the log content. Click to close it. NOTE: By default, logs are not collapsed, and two rows of logs are shown after collapsing. You can display up to six rows.
JSON	Move the cursor over , click JSON, and set JSON formatting. NOTE: Formatting is enabled by default. The default number of expanded levels is 2. Formatting enabled: Set the default number of expanded levels. Maximum value: 10. Formatting disabled: JSON logs will not be formatted for display.
Collapse configuration	Move the cursor over , click Log Collapse, and set the maximum characters to display in a log. If the number of characters in a log exceeds the maximum, the extra characters will be hidden. Click Expand to view all. NOTE: Logs are collapsed by default, with a default character limit of 400.
Log time display	Move the cursor over and click Log time display. On the page that is displayed, set whether to display milliseconds and whether to display the time zone. NOTE: By default, the function of displaying milliseconds is enabled.
Invisible fields ()	This list displays the invisible fields configured in the layout settings. The button is unavailable for log streams without layout settings configured. If the log content is CONFIG_FILE and layout settings are not configured, the default invisible fields include appName, clusterId, clusterName, containerName, hostIPv6, NameSpace, podName, and serviceID.