Search Syntax
Last Updated:2020-09-01
Search Method
After configuring the index for the field, you can specify the field name and field content for query.
Supported Query Types
- General query: Specify the field and keyword, and the log containing the keyword in the specified field will be returned as the result. For example, method: GET and status=200 means to query logs whose method is GET and status is equal to 200.
- Phrase query: If the keyword to be queried contains search syntax operators or spaces, you can wrap the keyword in double quotation marks (""), which means that the content in double quotation marks will be used as multiple keywords to query. For example, msg:"service not avaliable" means that msg queries logs containing the keywords of service, not and avaliable, which is equivalent to query msg:service and msg:"not" and msg:avaliable.
-
Fuzzy query : Add fuzzy query keywords in the middle or at the end of the keywords, namely * and ?, Log Service will query all logs that meet the conditions for you. For example, http_user_agent:andr? means to find logs in which the http_user_agent field contains words starting with andr in all logs.
Restrictions:
- The prefix must be specified when querying, namely * and ? cannot appear at the beginning of a word.
- The more precise the specified word, the more precise the query result.
The Query Type Corresponding to the Field
- For fields of text type, ordinary query, phrase query, and fuzzy query can be performed.
- For fields of type float and long, you can specify a numerical range for query.
For example, the query statement is method:GET and status >= 500, which means to query logs whose method field value is GET, and the status field value is greater than or equal to 500.
Operator
| Operator | Description |
|---|---|
| and | Binocular operator. The format is query1 and query2, which means the intersection of query1 and query2 query results. If there are no grammatical keywords between multiple words, the default is and relationship. |
| or | Binocular operator. The format is query1 or query2, which represents the union of query1 and query2 query results. |
| not | Binocular operator. The format is query1 not query2, then it means the result of complying with query1 but not query2, that is, query1-query2. If query1 is omitted, there is only not query2 , which means that the results that do not contain query2 are selected from all logs. |
| (,) | The parentheses are used to combine one or more sub-queries into one query condition, and are used to increase the priority of the query conditions in the parentheses. |
| : | Used for querying key-value pairs. key:term forms a key-value pair. Indicates that the term query is executed on the index of key. If there are reserved characters such as spaces () and colons (:) in the key or value, you need to wrap the entire key or value with double quotes "". Any term inside the left and right quotation marks will be queried and will not be treated as a grammatical keyword. |
| * | Fuzzy query keywords, used to replace 0 or more characters, for example: andr*, will return all the hit words starting with andr. |
| ? | ? |
| " | The escape symbol means to convert a keyword into a common query character. Any term inside the left and right quotation marks will be queried and will not be treated as a grammatical keyword. Fuzzy query keywords in quotation marks (*,?)Will be treated as character constants. |
| \ | Escapes. Used to escape quotation marks. The quotation mark after the escape represents the symbol itself and will not be treated as an escape character, such as "\"". |
| > | Query logs that are greater than a certain value under a certain field, for example status> 500. |
| >= | Query logs that are greater than or equal to a certain value under a certain field, for example status >= 500. |
| < | Query logs that are less than a certain value under a certain field, for example, status <400. |
| <= | Query logs that are less than or equal to a certain value under a certain field, for example status <= 400. |
| = | Query the log that is equal to a certain value under a certain field, for example status = 404. |
| in | To query the log of a certain field in a certain range, use square brackets to indicate a closed interval, use small brackets to indicate an open interval, use two numbers in the middle of the brackets, and a number of spaces between the numbers. E.g. status in [500 600] or status in [200 400). |
| | | The pipeline operator is used to separate the search syntax and SQL syntax, which means that more calculations are performed on the basis of the search, such as query1 | select count(*). |