Query Syntax

<p class="shortdesc">This topic describes the log query syntax and gives examples so that you can quickly find logs using the query syntax.</p> <p class="p"><strong class="ph b">Query syntax</strong></p> <p class="p">Ping An Cloud Log Service supports the following query syntax:</p> <div class="note important note_important"><span class="note__title">Important:</span> <ol class="ol" id="Search_Syntax__ol_it4_pd1_xmb"> <li class="li">Operators must be uppercase.</li> <li class="li">Query keywords on either side of an operator are case-sensitive.</li> <li class="li">Query statements inside ( ) have the highest priority; the remaining query statements are executed from left to right.</li> </ol> </div>
<table class="table" id="Search_Syntax__table_jt4_pd1_xmb"><caption></caption><colgroup><col><col></colgroup><thead class="thead"> <tr class="row"> <th class="entry" id="Search_Syntax__table_jt4_pd1_xmb__entry__1">Parameter</th> <th class="entry" id="Search_Syntax__table_jt4_pd1_xmb__entry__2">Description</th> </tr> </thead><tbody class="tbody">
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">OR</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Union of the query conditions. Format: query1 OR query2.</p> <div class="note important note_important"><span class="note__title">Important:</span> If there is no syntax keyword between multiple keywords, the keywords are joined by OR by default.</div> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">AND</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Intersection of the query conditions. Format: query1 AND query2.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">NOT</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Matches query1 but not query2. Format: query1 NOT query2.</p> <div class="note important note_important"><span class="note__title">Important:</span> If only NOT query1 is given, all logs are searched for those that do not match query1.</div> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">(,)</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Combines the keywords inside the parentheses into a single keyword; mainly used to raise the priority of the keywords inside the parentheses.</p> <p class="p">Example: (source:HOST1 OR source:HOST2) AND "hello world"</p> <div class="note important note_important"><span class="note__title">Important:</span> ( , ) must be English (half-width) parentheses and comma.</div> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">:</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Used for key-value queries. If the key or the value contains reserved characters such as a space, : _ - and so on, enclose the whole key or value in double quotes "".</p> <p class="p">Example: (appname:<em class="ph i">project-name</em>,source:<em class="ph i">source-name</em>)</p> <p class="p">or file:"/tmp/log/hello world.txt".</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">""</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Converts syntax keywords into ordinary query keywords. Use English-format quotes.</p> <p class="p">Every term inside the double quotes is queried and is not treated as a syntax keyword. In a key-value query, all terms between the opening and closing quotes are treated as a whole.</p> <p class="p">Examples:</p> <ul class="ul" id="Search_Syntax__ul_nt4_pd1_xmb"> <li class="li">appname:abs searches for logs whose appname field has the value abs.</li> <li class="li">"appname:abs" searches for logs whose message field has the value appname:abs.</li> </ul> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">\</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Escape character. An escaped operator represents the symbol itself rather than an operator.</p> <p class="p">Example: \: represents a colon, not an operator.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">&gt;</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">When the content being queried is of type double or long, queries logs in which the query keyword is greater than a given value.</p> <p class="p">Example: when querying Nginx logs, request_time&gt;100.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">&gt;=</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">When the content being queried is of type double or long, queries logs in which the query keyword is greater than or equal to a given value.</p> <p class="p">Example: when querying Nginx logs, request_time&gt;=100.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">==</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">When the content being queried is of type double or long, queries logs in which the query keyword is equal to a given value.</p> <p class="p">Example: when querying Nginx logs, request_time==100.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">&lt;</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">When the content being queried is of type double or long, queries logs in which the query keyword is less than a given value.</p> <p class="p">Example: when querying Nginx logs, request_time&lt;100.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">&lt;=</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">When the content being queried is of type double or long, queries logs in which the query keyword is less than or equal to a given value.</p> <p class="p">Example: when querying Nginx logs, request_time&lt;=100.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">?</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Wildcard for fuzzy queries. It can be placed in the middle or at the end of a keyword and replaces one character.</p> <p class="p">Example: he?lo returns all logs that start with he, end with lo, and have one character in between.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__1 "> <p class="p">*</p> </td> <td class="entry" headers="Search_Syntax__table_jt4_pd1_xmb__entry__2 "> <p class="p">Wildcard for fuzzy queries. It can be placed in the middle or at the end of a keyword and replaces 0 or more characters.</p> <p class="p">Example: que* returns all logs that contain que.</p> </td> </tr>
</tbody></table> <p class="p"><strong class="ph b">Query syntax examples</strong></p>
<table class="table" id="Search_Syntax__table_ot4_pd1_xmb"><caption></caption><colgroup><col><col></colgroup><thead class="thead"> <tr class="row"> <th class="entry" id="Search_Syntax__table_ot4_pd1_xmb__entry__1">Parameter</th> <th class="entry" id="Search_Syntax__table_ot4_pd1_xmb__entry__2">Description</th> </tr> </thead><tbody class="tbody">
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">a OR b</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries logs that contain a or contain b.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">a AND b</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries logs that contain a and contain b.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">a NOT b</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries logs that contain a but do not contain b.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">NOT a</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries logs that do not contain a.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">a AND b NOT c</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries logs that contain a and contain b, but do not contain c.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">(a OR b) AND c</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries logs that contain a or contain b, and must contain c.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">(a OR b) OR c</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries logs that contain a or contain b, but do not contain c.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">a AND b OR c</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries logs that contain a and contain b, and may contain c.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">message: hello OR message: world</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries logs whose message field contains hello or whose message field contains world.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">\"</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries logs that contain a quotation mark.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">/[a-z_0-9]*test[a-z_0-9]*/</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries logs that start with any number of lowercase letters or digits, contain test, and end with any number of lowercase letters or digits.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">"CPU phone"</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries logs that contain CPU phone.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">appname:logcloud_test*</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries all logs whose appname starts with logcloud_test.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">appname:logcloud_test??</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries all logs whose appname starts with logcloud_test followed by two characters.</p> </td> </tr>
<tr class="row"> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__1 "> <p class="p">appname:/[a-z_0-9]*test[a-z_0-9]*/</p> </td> <td class="entry" headers="Search_Syntax__table_ot4_pd1_xmb__entry__2 "> <p class="p">Queries all logs whose appname starts with any number of lowercase letters or digits, contains test, and ends with any number of lowercase letters and digits.</p> </td> </tr>
</tbody></table>
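<p class="p">The rules above (uppercase operators, implicit OR, left-to-right evaluation, quoting and wildcards) decide which events a detection query actually returns. The Python model below is an added example that applies those stated rules to constructed records; it is not Ping An Cloud code. <code>LOGS</code>, <code>search</code> and the whole-word matching of bare terms against <code>message</code> are assumptions, and comparison operators, <code>\</code> escapes and <code>/regex/</code> terms are left out.</p>

```python
import re

# Tokens: parentheses, "phrase", key:"phrase", or a bare run of characters.
TOKEN = re.compile(r'\(|\)|(?:[^\s()":]+:)?"[^"]*"|[^\s()]+')

LOGS = [  # constructed sample records (assumption, not real service output)
    {"appname": "logcloud_test01", "source": "HOST1", "message": "login failed for admin"},
    {"appname": "logcloud_prod", "source": "HOST2", "message": "login ok for admin"},
    {"appname": "billing", "source": "HOST3", "message": "appname:abs hello world"},
]

def _match(term, rec):
    key, sep, value = term.partition(":")
    if not sep or term.startswith('"'):       # bare or fully quoted term: search message
        key, value = "message", term
    text = rec.get(key, "")
    if value.startswith('"'):                 # quoted: the phrase is matched as a whole
        return value.strip('"') in text
    # ? stands for exactly one character, * for zero or more
    rx = re.escape(value).replace(r"\*", ".*").replace(r"\?", ".")
    return any(re.fullmatch(rx, word) for word in text.split())

def _eval(tokens, pos, rec):
    result, op = None, None
    while pos < len(tokens) and tokens[pos] != ")":
        tok = tokens[pos]
        pos += 1
        if tok in ("AND", "OR", "NOT"):       # only uppercase words are operators
            op = tok
            continue
        if tok == "(":                        # parentheses are evaluated first
            val, pos = _eval(tokens, pos, rec)
            pos += 1                          # step over the closing ")"
        else:
            val = _match(tok, rec)
        if result is None:                    # first operand; a leading NOT negates it
            result = not val if op == "NOT" else val
        elif op == "AND":
            result = result and val
        elif op == "NOT":
            result = result and not val
        else:                                 # explicit OR, or no operator at all
            result = result or val
        op = None
    return bool(result), pos

def search(query):
    """Return the indexes of the sample records that match the query."""
    return [i for i, rec in enumerate(LOGS)
            if _eval(TOKEN.findall(query), 0, rec)[0]]
```

<p class="p">In this model, <code>search("login and failed")</code> returns records 0 and 1 because the lowercase <code>and</code> becomes a keyword joined by the implicit OR, while <code>search("login AND failed")</code> returns only record 0.</p>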