Облачная платформаAdvanced

Searching for Logs

Эта статья полезна?

Язык статьи: Английский

After configuring log structuring parsing and indexing, you can enter statements to search for log events that contain specific keywords. You can also search for log data by time range to locate events and issues that occur in a specified period.

Search statements are used to define the filter criteria for log query and obtain the logs that meet the criteria. A search statement may be a keyword, a value, a value range, a space, an asterisk (*), or the like. If it is a space or asterisk (*), no filtering criteria is specified. For more information, see Using Search Syntax.

Searching for Logs

Log in to the management console and choose Management & Deployment > Log Tank Service.
On the Log Management page, click the target log group or stream to access the log details page.
On the Log Search tab page, select a time range from the drop-down list and click Search to view log data accordingly.
There are three types of time range: relative time from now, relative time from last, and specified time. Select a time range as required.
- From now: queries log data generated in a time range that ends with the current time, such as the previous 1, 5, or 15 minutes. For example, if the current time is 19:20:31 and 1 hour is selected as the relative time from now, the charts on the dashboard display the log data that is generated from 18:20:31 to 19:20:31.
- From last: queries log data generated in a time range that ends with the current time, such as the previous 1 or 15 minutes. For example, if the current time is 19:20:31 and 1 hour is selected as the relative time from last, the charts on the dashboard display the log data that is generated from 18:00:00 to 19:00:00.
- Specified: queries log data that is generated in a specified time range.
Enter search criteria in the search box by referring to Using Search Syntax to view, search, and filter log data.
1. In the search area, click the search box, enter a keyword or select a field or keyword from the drop-down list, and click Search.
  - The structured fields are displayed in key:value format.
2. In the search area, press the up and down arrows on the keyboard to select a keyword or search syntax from the drop-down list, press Tab to select a keyword or syntax, and click Search.
3. Click a field for which quick analysis has been enabled to add it to the search box. For details about how to enable quick analysis, see Creating a Quick Analysis Task.
  If the field you click already exists in the search box, it will be replaced by this newly added one. If the field is added for the first time, fields in the search box are searched using the AND operator.
On the Log Search tab page, perform the following operations. For more operations, see Common Log Search Operations.
1. Under Log Statistics, view the bar chart showing the log quantity in different time segments. The scale of the log quantity is displayed on the left.
2. In the log content area, hover the cursor over a field and click the log content in blue. You can search for logs by copying, adding to query, and excluding from query.
3. In the log content area, you can select a list or raw log to display its log content.
  The log highlighting mechanism works as follows: Once a log meets the search criteria, the system identifies the log's strings that match these criteria and applies highlight tags to the matching sections, making them visibly highlighted on the page. However, when the query criteria are complex, particularly involving OR relationships, content that does not actually match the criteria may also be highlighted on the page.
Set the layout of log data, including whether to display fields or display fields in a simple view.
1. Select Edit layouts from the layout drop-down list to access the layout setting page. The list also contains options such as the default layout, pure layout, and default container log layout, for you to set whether to display fields.
  - Cloud: This mode is applicable to users who have the write permission. Layout information is stored on the cloud.
  - Local Cache: This mode is applicable to users who have only the read permission. Layout information is cached in the local browser.
2. On the displayed Layout page, click + under Layout List to create a custom layout, name it, and configure how fields are displayed in this layout.
  You can perform the following operations on a new layout:
  - Edit: Click to edit the layout's display name.
  - Delete: Click and then Yes to delete the layout.
    
    Deleted layouts cannot be restored. Exercise caution when performing this operation.
3. After the setting is complete, click OK. The new custom layout is displayed in the drop-down list.

Common Log Search Operations

In the log content display area, you can share and download logs, and view context. For details, see Table 1.

Table 1 Common operations
Operation	Description
Interactive search	Click Interactive Mode in front of the search box. In the displayed Interactive Search dialog box, select fields for index configuration, set the filtering mode, and add associations and groups. After the setting is complete, you can preview the search syntax.
Creating a quick search	Click to create a quick search.
Sharing logs	Click to copy the link of the current log search page to share the logs that you have searched.
Refreshing logs	You can click to refresh logs in two modes: manual refresh and automatic refresh. Manual refresh: Select Refresh Now from the drop-down list. Automatic refresh: Select an interval from the drop-down list to automatically refresh logs. The interval can be 15 seconds, 30 seconds, 1 minute, or 5 minutes.
Copying logs	Click to copy the log content.
Viewing context of a log	Click to view the log context. You can select Simple View to view the log context. You can also download the context.
More operations	Click to access the log details page of the time segment and view more log information. On the Extended Fields tab page, view field names and values. You can also click buttons in the Operation column to add a field to or exclude a field from a query, set whether a field exists or does not exist, or set whether a field is hidden. On the JSON Format tab page, view the JSON format of logs. On the Context Logs tab page, you can set the number of lines to be queried and filtered fields. You can also download logs and enable the summary mode.
Unfold/Fold	Click to display all the log content. This unfold button is enabled by default. Click to fold the log content.
Downloading logs	Click . On the displayed Download Logs page, click Direct Download. Direct Download: Download log files to the local PC. Up to 5,000 logs can be downloaded at a time. Select .csv or .txt from the drop-down list and click Download to export logs to the local PC. NOTE: If you select Export .csv, logs are exported as a table. If you select Export .txt, logs are exported as a .txt file.
Hiding/Expanding all	Click to set the number of lines displayed in the log content. Click to hide the log content.
JSON	Move the cursor over , click JSON, and set JSON formatting. Formatting is enabled by default. The default number of expanded levels is 2. Formatting enabled: Set the default number of expanded levels. Maximum value: 10. Formatting disabled: JSON logs will not be formatted for display.
Collapse configuration	Move the cursor over , click Log Collapse, and set the maximum characters to display in a log. If the number of characters in a log exceeds the maximum, the extra characters will be hidden. Click Expand to view all. Logs are collapsed by default, with a default character limit of 400.
Log time display	Move the cursor over and click Log Time Display. On the page that is displayed, set whether to display milliseconds and whether to display the time zone. Milliseconds are displayed by default.
Virtual Scrolling	Move the cursor over and click Virtual Scrolling. On the page that is displayed, set whether to enable virtual scrolling and enter the buffer size. Virtual scrolling eliminates or minimizes frame and page freezing for better user experience. Data is re-rendered during the process. This may affect smoothness. The buffer size determines the amount of data that can be loaded simultaneously. The larger the buffer, the more data loaded simultaneously, but the worse the scrolling performance.
Invisible fields ()	This list displays the invisible fields configured in the layout settings. The button is unavailable for log streams without layout settings configured. If the log content is CONFIG_FILE and layout settings are not configured, the default invisible fields include appName, clusterId, clusterName, containerName, hostIPv6, NameSpace, podName, and serviceID.

Parent topic: Log Search and View

Поддержка Юридические документы