Query Syntax

<p class="shortdesc">This article describes log query syntaxes and examples to help you query logs quickly.</p> <p class="p"><strong class="ph b">Query Syntax</strong></p> <p class="p">The query syntaxes of Ping An Cloud Log Service follow these rules: </p> <div class="note important note_important"><span class="note__title">Important:</span> <ul class="ul" id="Search_Syntax__ul_lcn_4vl_wnb"> <li class="li">Operators are capitalized.</li> <li class="li">Query keywords on both sides of an operator are case sensitive.</li> <li class="li">The query statement in parentheses (( )) has the highest priority. Other query statements are executed from left to right.</li> </ul> </div> <table class="table" id="Search_Syntax__table_jt4_pd1_xmb"><caption></caption><colgroup><col><col></colgroup><thead class="thead"> <tr class="row"> <th class="entry" id="Search_Syntax__table_jt4_pd1_xmb__entry__1">Operator</th> <th class="entry" id="Search_Syntax__table_jt4_pd1_xmb__entry__2">Description</th> </tr> </thead><tbody class="tbody"> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">OR</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Union of the query criteria. Format: query1 OR query2.</p> <div class="note important note_important"><span class="note__title">Important:</span> The default operator between keywords is OR.</div> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">AND</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Intersection of the query criteria. Format: query1 AND query2.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">NOT</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Matches query1 but not query2. 
Format: query1 NOT query2.</p> <div class="note important note_important"><span class="note__title">Important:</span> To search for the logs that do not match query1, use NOT query1.</div> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">(,)</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Combines multiple keywords into one keyword to prioritize these keywords.</p> <p class="p"> For example, (source:HOST1 OR source:HOST2) AND "hello world".</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">:</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "><p class="p">Used for key-value-based queries. If there are spaces, caesura signs (、), colons (:), underscores (_), hyphens (-), or other reserved characters in the key or value, enclose the whole key or value in quotation marks ("").</p><p class="p">For example, (appname:<em class="ph i">project-name</em>,source:<em class="ph i">source-name</em>), file: "/tmp/log/hello world.txt".</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">""</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Converts syntax keywords to common query keywords.</p> <p class="p">All terms enclosed in quotation marks ("") are common keywords rather than syntax keywords. 
In a key-value query, all terms in quotation marks ("") are treated as one complete keyword.</p> <p class="p">For example,</p> <ul class="ul" id="Search_Syntax__ul_wvt_yvl_wnb"> <li class="li">Use appname:abs to query the logs whose appname field is abs.</li> <li class="li">Use "appname:abs" to query the logs whose message field is appname: abs.</li> </ul> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">\</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Escape character. An escaped character represents the character itself instead of an operator.</p> <p class="p">For example, \: represents a colon (:), not an operator.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">></p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Queries the logs with the matching keyword whose value is greater than a specific number when the content to be queried is of the double or long type.</p> <p class="p"> For example, when you query Nginx logs, you can use request_time>100.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">>=</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Queries the logs with the matching keyword whose value is greater than or equal to a specific number when the content to be queried is of the double or long type.</p> <p class="p">For example, use request_time>=100 to query Nginx logs.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">==</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Queries the logs with the matching keyword whose value is equal to a specific number when the content to be queried is of the double or long 
type.</p> <p class="p"> For example, use request_time==100 to query Nginx logs.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">&lt;</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Queries the logs with the matching keyword whose value is less than a specific number when the content to be queried is of the double or long type.</p> <p class="p"> For example, use request_time&lt;100 to query Nginx logs.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">&lt;=</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Queries the logs with the matching keyword whose value is less than or equal to a specific number when the content to be queried is of the double or long type.</p> <p class="p"> For example, use request_time&lt;=100 to query Nginx logs.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">?</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Fuzzy query operator that replaces one character in the middle or at the end of a keyword.</p> <p class="p"> For example, if you use he?lo as the query criterion, all the logs that start with he, end with lo, and contain a character in between are returned.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">*</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Fuzzy query operator that replaces zero or more characters in the middle or at the end of a keyword.</p> <p class="p"> For example, if you use que* as the query criterion, all the logs containing que are returned.</p> </td> </tr> </tbody></table> <p class="p"><strong class="ph b">Examples</strong></p> <table class="table" 
id="Search_Syntax__table_ot4_pd1_xmb"><caption></caption><colgroup><col><col></colgroup><thead class="thead"> <tr class="row"> <th class="entry" id="Search_Syntax__table_ot4_pd1_xmb__entry__1">Query statement</th> <th class="entry" id="Search_Syntax__table_ot4_pd1_xmb__entry__2">Query result</th> </tr> </thead><tbody class="tbody"> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">a OR b</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs that contain a or b.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">a AND b</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs that contain a and b.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">a NOT b</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs that contain a but do not contain b.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">NOT a</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs that do not contain a.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">a AND b NOT c</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs that contain a and b but do not contain c.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">(a OR b) AND c</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs that contain a or b and contain c.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">(a 
OR b) NOT c</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs that contain a or b but do not contain c.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">a AND b OR c</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs that contain a and b and might contain c.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">message: hello OR message: world</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs whose message field contains hello or world.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">\"</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs that contain the quotation mark (").</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">/[a-z_0-9]*test[a-z_0-9]*/</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs that start and end with any lowercase letter or digit, and contain test.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">"CPU phone"</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs that contain CPU phone.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">appname:logcloud_test*</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs whose appname field starts with logcloud_test.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p 
class="p">appname:logcloud_test??</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs whose appname field starts with logcloud_test and two characters after it.</p> </td> </tr> <tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">appname:/[a-z_0-9]*test[a-z_0-9]*/</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Logs whose appname field starts and ends with any lowercase letter or digit, and contains test.</p> </td> </tr> </tbody></table>
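<p class="p">The rules above (implicit OR between keywords, parentheses first, everything else left to right) decide how broad a detection query really is. The following Python model of those rules is an added example, not Ping An Cloud code; the sample log lines and the case-sensitive substring matching are assumptions made for illustration.</p>

```python
import re

# Constructed sample log lines (not from the page).
LOGS = [
    "sshd failed password for root from 203.0.113.7",
    "sshd accepted password for deploy from 198.51.100.4",
    "nginx GET /login 200 healthcheck",
    "sudo failed authentication for deploy",
]

def matches(query, log):
    """Model of the page's rules: capitalized operators, implicit OR,
    parentheses first, everything else strictly left to right."""
    toks = re.findall(r'\(|\)|"[^"]*"|[^\s()]+', query)
    pos = 0

    def term():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "(":
            val = expr()
            pos += 1                      # consume ")"
            return val
        if tok == "NOT":                  # unary form: NOT query1
            return not term()
        return tok.strip('"') in log      # assumption: case-sensitive substring

    def expr():
        nonlocal pos
        val = term()
        while pos < len(toks) and toks[pos] != ")":
            op = "OR"                     # default operator between keywords
            if toks[pos] in ("AND", "OR", "NOT"):
                op = toks[pos]
                pos += 1
            rhs = term()                  # always parse the right-hand side
            if op == "AND":
                val = val and rhs
            elif op == "NOT":             # binary form: query1 NOT query2
                val = val and not rhs
            else:
                val = val or rhs
        return val

    return expr()

def search(query):
    """Indices of the sample logs that the query selects."""
    return [i for i, log in enumerate(LOGS) if matches(query, log)]
```

<p class="p">In this model, <code>failed password</code> selects three of the four lines because the space means OR, and <code>sudo OR sshd AND root</code> is read as <code>(sudo OR sshd) AND root</code>, so alerting queries are safer with explicit AND and parentheses.</p>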