Query syntax

Last updated: 2020-12-28 14:56:14

Query types

To query logs, you must select a LogPool and a time range and enter a query statement. KLog supports full-text queries, key-value queries, and fuzzy queries.

Full-text query

KLog splits each log into multiple phrases by using the specified delimiters so that you can query logs based on keywords. KLog supports the following types of full-text queries:

  • Basic full-text query: Enter keywords or specify fields and keywords. Data that matches the keywords is returned. For example, the method:GET and status=200 statement returns the logs where the GET method is used and the status code is 200.
  • Phrase query: A phrase is a string that is enclosed in double quotation marks (""). Substrings in a phrase are separated with operators or space characters. Each substring is a keyword. For example, the msg:"not available" statement returns the logs where the msg field contains the not and available keywords. This statement is equivalent to msg:service and msg:"not" and msg:available.
  • Fuzzy query: You can add a fuzzy query keyword that contains or ends with an asterisk (*) or a question mark (?). The fuzzy query keyword cannot start with an asterisk (*) or a question mark (?). For example, the http_user:andr? statement returns the logs where the http_user field contains a word that starts with andr.

Key-value query

You can specify field names and field content to query logs. For fields of the double or long type, you can specify a range to query logs. For example, the count>5000 and Status:200 statement returns the logs where the value of the count field is greater than 5000 and the value of the Status field is 200.

Operators

| Syntax | Description |
| --- | --- |
| key:value | Queries the logs where the field specified by key contains the specified value. The field must be added to the field index before you can query logs based on the field. By default, all fields are added to the field index. The value can contain an asterisk (*) or a question mark (?). |
| A and B | Queries the logs that contain A and B. If multiple words are not separated with syntax keywords, these words are in the AND relationship by default. |
| A OR B | Queries the logs that contain A or B. |
| exists | Queries the logs that contain the specified field. |
| missing | Queries the logs that do not contain the specified field. |
| ? | Represents a single character. |
| * | Represents zero or more characters. |
| TO | Specifies a range. Examples: status:[400 TO 499] and status:[400 TO 499}. In status:[400 TO 499}, the right brace (}) indicates that the value 499 is not included. |
| > | Queries the logs where the value of a field is greater than a specific number. |
| >= | Queries the logs where the value of a field is greater than or equal to a specific number. |
| < | Queries the logs where the value of a field is less than a specific number. |
| <= | Queries the logs where the value of a field is less than or equal to a specific number. |
| = | Queries the logs where the value of a field is equal to a specific number. |
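
The boundary cases of the range, comparison and wildcard operators above are easy to get wrong when writing a detection query, so here they are as a small Python model run over constructed records. This is an added example, not KLog code: `term_matches`, `query` and `LOGS` are hypothetical names, words are assumed to be split on whitespace, and only `and`-joined terms are handled (no OR, exists or missing).

```python
import re

# Constructed sample records; field names follow the page's examples.
LOGS = [
    {"method": "GET", "status": 200, "http_user": "andre", "count": 5200},
    {"method": "POST", "status": 499, "http_user": "andr", "count": 12},
    {"method": "GET", "status": 404, "http_user": "andrew smith", "count": 5000},
]

NUM = r"(-?\d+(?:\.\d+)?)"
RANGE = re.compile(r"^(\w+):\[" + NUM + " TO " + NUM + r"([\]}])$")
COMPARE = re.compile(r"^(\w+)(>=|<=|>|<|=)" + NUM + "$")
KEYVAL = re.compile(r"^(\w+):(\S+)$")
OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       "=": lambda a, b: a == b}

def term_matches(term, record):
    """Evaluate one term of the page's syntax against one record."""
    if m := RANGE.match(term):
        key, lo, hi, close = m.groups()
        value = record.get(key)
        if not isinstance(value, (int, float)):
            return False
        # ']' includes the upper bound, '}' excludes it.
        upper_ok = value <= float(hi) if close == "]" else value < float(hi)
        return float(lo) <= value and upper_ok
    if m := COMPARE.match(term):
        key, op, number = m.groups()
        value = record.get(key)
        return isinstance(value, (int, float)) and OPS[op](value, float(number))
    if m := KEYVAL.match(term):
        key, pattern = m.groups()
        if pattern[0] in "*?":
            raise ValueError("a fuzzy keyword cannot start with * or ?")
        if key not in record:
            return False
        # '?' is exactly one character, '*' is zero or more characters.
        rx = re.compile(re.escape(pattern).replace(r"\*", ".*").replace(r"\?", "."))
        # Assumption: words are split on whitespace, not KLog's configured delimiters.
        return any(rx.fullmatch(word) for word in str(record[key]).split())
    raise ValueError(f"unsupported term: {term!r}")

def query(statement, logs=LOGS):
    """AND together the terms of a statement such as 'count>5000 and status:200'."""
    terms = [t for t in re.split(r"\s+and\s+", statement.strip()) if t]
    return [r for r in logs if all(term_matches(t, r) for t in terms)]
```

In this model `status:[400 TO 499}` drops the record with status 499 that `status:[400 TO 499]` returns, and `http_user:andr?` matches `andre` but neither `andr` nor `andrew`.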