在日誌分析中選擇即時查詢,選擇阿里雲 SLS 數據源,選擇指定項目和日誌庫,就可以查詢日誌了。
表格圖
根據舉例的查詢條件語句*|SELECT status, count(*) as pv GROUP BY status。將查詢統計 status 欄位,並將統計計算結果命名為 pv ,將結果 pv 以 status 透過表格分組展示。
語句簡析 | select …: |管道符左側為檢索條件,select …語句檢索 SQL status: 將 status 欄位結果展示 count() AS pv: 將 status 統計 pv 命名。 GROUP BY status: 將 status 結果分組展示。
可參考 語法規則學習瞭解
時序圖
將騰訊雲 CLS 日誌查詢結果提取 value 值進行展示,並將篩選條件以 tag 的方式展示在指標欄位;以下為部分查詢語句供學習參考。
常用查詢語句語法
- 查詢 GET 請求且狀態碼大於400的日誌:
method:GET AND status>400 - 查詢 level 為 ERROR 或 WARNING 的日誌:
level:(ERROR OR WARNING) - 查詢非 INFO 級別的日誌:
NOT level:INFO - 查詢不存在 remote_user 欄位的日誌:
not remote_user:* - 查詢存在 remote_user 欄位的日誌:
remote_user:* - 查詢 host 欄位值不為 123 的日誌:
not host:123.*
場景一:按分鐘統計 GET 請求且狀態碼大於400的日誌
method:GET AND status:>400 | select histogram(__TIMESTAMP__, interval 1 minute) as analytic_time_minute, count(*) as errorCount group by analytic_time_minute limit 1000
場景二:查詢 request_method 欄位值為 GE 開頭,且 client_ip 欄位值為 116.178.232.,並以 host, method, request_uri 欄位分組統計*
method:GE* and remote_addr:116.178.232.* | SELECT http_host AS host, method AS method, request_uri AS url, count(*) AS count GROUP BY host, method, url
場景三:查詢成功請求且請求耗時小於1秒,並包含 flashcat 的日誌,並以 host, method, request_uri, status, request_uri 欄位分組統計
flashcat AND read_request_time < 1 AND (status >= 200 AND status <= 299) | SELECT host AS host, request_method AS method, request_uri AS url, status as st, read_request_time as rqt, count(*) AS COUNT GROUP BY host, method, url, st, rqt
CLS 日誌告警
在告警規則選擇 日誌數據源,配置查詢語句和提取數值 ValueKey ,並在簡單模式設置時間範圍內 ValueKey 閾值,進行規則觸發。
配置場景1:統計代理日誌狀態碼為 200 和 301 的日誌數量,查詢結果大於10且小於15 則觸發告警。
查詢語句如上所述: status:403 OR status:402 | SELECT status AS status, count(*) AS count GROUP BY status ,此處為查詢數值結果用於條件判斷,因此判斷條件使用 $A > 10 和 $A < 15
場景二:查詢 request_method 欄位值為 GE 開頭,且 client_ip 欄位值為 116.178.232.,並以 host, method, request_uri 欄位分組統計*
method:GE* and remote_addr:116.178.232.* | SELECT http_host AS host, method AS method, request_uri AS url, count(*) AS count GROUP BY host, method, url
場景三:查詢成功請求且請求耗時小於1秒,並包含 flashcat 的日誌,並以 host, method, request_uri, status, request_uri 欄位分組統計
flashcat AND read_request_time < 1 AND (status >= 200 AND status <= 299) | SELECT host AS host, request_method AS method, request_uri AS url, status as st, read_request_time as rqt, count(*) AS COUNT GROUP BY host, method, url, st, rqt
