Updated on 2024-11-18 GMT+08:00

Overview

Structured Query Language (SQL) is a programming language used to control database access and manage data in databases. LTS SQL provides statements for querying structured data in log streams. In this document, SQL refers to LTS SQL.

SQL consists of commands and functions that are used to manage databases and database objects. When using this language, comply with the rules for using expressions and texts. In addition to SQL syntax reference, this document also provides information about expressions, functions, and operators. Basic SQL query statements are as follows.

Currently, this function is available to all users in regions CN South-Guangzhou, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN-Hong Kong, CN Southwest-Guiyang1, AP-Singapore, CN North-Beijing1, and AP-Bangkok. It is also available to whitelisted users in regions CN South-Shenzhen, ME-Riyadh, and AP-Jakarta.

Syntax

SELECT [ ALL | DISTINCT ] { * | exprs } 
FROM { <subquery>} 
[ WHERE where_condition ] 
[ GROUP BY [ col_name_list ] 
[ HAVING expr ] 
[ ORDER BY expr [ ASC | DESC ], expr [ ASC | DESC ], ... ] 
[ LIMIT limit ] 
[ OFFSET offset ]

Query Statements

Table 1 SQL query statements

Statement

Description

Example

DISTINCT

Only distinct values are returned.

SELECT DISTINCT visitCount

FROM

Indicates the source data set of the queried data. It can be the structured data of the current log stream or a subset of this data.

If FROM is not specified, the structured data of the current log stream is queried by default. If the data source to be queried is a subset, you need to compile a subquery statement.

SELECT visitCount

WHERE

Specifies the filter criteria. Arithmetic operators, relational operators, and logical operators are supported. You can enter the filtering condition in where_condition.

SELECT visitCount

WHERE visitCount > 0

GROUP BY

Specifies the grouping field. Single-field grouping and multi-field grouping are supported. You can enter the structured field list in col_name_list.

SELECT host, count(*) AS pv

WHERE visitCount > 0

GROUP BY host

HAVING

Used only with GROUP BY. This statement specifies the structured field used to filter the GROUP BY results.

SELECT host, count(*) AS pv

GROUP BY host

HAVING pv > 10

ORDER BY

Fields that follow must be used for GROUP BY. The query results of GROUP BY can be sorted by any structured field.

SELECT host, count(*) AS pv

GROUP BY host

ORDER BY pv

ASC/DESC

ASC (default) sorts from the lowest value to the highest value. DESC sorts from the highest value to the lowest value.

SELECT host, count(*) AS pv

GROUP BY host

ORDER BY pv DESC

LIMIT

Limits the number of structured logs returned in the query result. A maximum of 100,000 structured logs can be returned for each query.

NOTE:

If the LIMIT statement is not used, the latest 100 records in the query result are returned by default.

SELECT host

LIMIT 100

Examples

Table 2 Examples of common SQL query statements

Query Requirement

Query Statement

Standard query

SELECT "field" WHERE "field" = 'value'

Number of rows

SELECT count(*)

Column alias

SELECT count(*) AS "pv"

Deduplication

SELECT DISTINCT("field")

Pagination

SELECT "field" LIMIT 100

Sorting

SELECT "__time" ORDER BY "__time"

Grouping

SELECT "field" GROUP BY "field"

Statistics by group

SELECT "field",count(*) GROUP BY "field"

Fuzzy search

SELECT "field" LIKE 'value%'

Sum

SELECT sum("field")

Maximum value

SELECT max("field")

Minimum value

SELECT min("field")

Average value

SELECT avg("field")

SQL nested subquery

SELECT sum(pv) FROM (SELECT "field",count(*) AS "pv" GROUP BY "field")

HAVING clause filtering

SELECT "field",count(*) AS "pv" GROUP BY "field" HAVING "pv" > 10

Query containing GET and POST requests

SELECT * WHERE "request_method" IN ('GET', 'POST')

Query without GET and POST requests

SELECT * WHERE "request_method" NOT IN ('GET', 'POST')

Logs of non-GET requests

SELECT * WHERE "request_method" != 'GET'

Logs of successful GET request with the 200 status code and request time is less than 60 seconds

SELECT * WHERE "request_method" = 'GET' AND "request_time" < 60

Logs of requests whose time is greater than or equal to 60 seconds and less than 200 seconds

SELECT * WHERE "request_ time" >=60 and "request_time" < 200

Logof GET or POST requests

SELECT * WHERE "request_method" = 'GET' OR "request_method" = 'POST'

The following reference statements contain all basic query syntax and are constructed based on structured logs of Elastic Load Balance (ELB).

SELECT url AS Url, host AS Host, failure_rate AS FailureRate,
CONCAT(CAST(access_count AS varchar), ' times') AS "All",
CONCAT(CAST(rsp_200_count AS varchar), ' times') AS "COUNT_200"
FROM ( SELECT
CONCAT(host, CASE WHEN STRPOS(router_request_uri, '?') = 0 THEN router_request_uri ELSE SUBSTR(router_request_uri, 1, 1) END) AS url,
host,count(1) AS access_count,
SUM(CASE WHEN status = 200 THEN 1 ELSE 0 END) AS "rsp_200_count",
(CASE WHEN COUNT(1) < 30 THEN 0 ELSE round(SUM(CASE WHEN status >= 400 THEN 1 ELSE 0 END) * 100.0 / COUNT(1), 2) END) AS failure_rate
WHERE host NOT IN ('monitor-new.olayc.cn')
GROUP BY host,router_request_uri
HAVING router_request_uri NOT IN ('/robots.txt', '/null', '/undefined')
)
ORDER BY FailureRate DESC
LIMIT 100