Sample queries

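This page provides sample queries to help you find important logs more easily. All of the queries listed can be applied in the Logs Viewer (both Classic and Preview), the Logging API, or the command-line interface, but this page focuses on using queries in the Logs Viewer.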

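An advanced logs query is a Boolean expression that specifies a subset of the log entries in your project. You can use these queries to choose log entries from specific logs or log services, or to choose log entries that satisfy conditions on metadata or user-defined fields. For more information about advanced queries, see Advanced logs queries.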

Getting started with advanced queries

The queries shown on this page are meant to be used in the advanced query interface of the Logs Viewer.

To go to the advanced query interface in the Logs Viewer, do the following:

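  1. In the Cloud Console, go to the Google Cloud's operations suite Logging > Logs (Logs Viewer) page:

    Go to the Logs Viewer page

  2. Select a Google Cloud project.

  3. Click the drop-down arrow (▾) at the far right of the search-query box, and then select Convert to advanced filter.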

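    You see the advanced logs query interface. Logs queries are labeled as "filters" in the interface, because they let you select a particular set of log entries.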

Using queries

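To apply a query from the tables below, click the clipboard icon at the end of any expression line to copy the expression, and then paste the copied expression into the search-query box of the advanced query interface: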

Logs that match the query are listed below the search-query box.

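Some of the queries listed below include variables, shown in square brackets ([]), that you should replace with valid values. If a query contains logName, the [PROJECT_ID] you provide must refer to the currently selected Google Cloud project; otherwise, the query doesn't work. For details, go to Troubleshooting.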

If you write a query that includes a timestamp, you must select No limit from the time-range selector below the search-query box.

The following sections group the queries by Google Cloud service.

App Engine queries

Filter name    Expression
App Engine logs on New Year's Eve (UTC)

resource.type="gae_app" AND
severity>=ERROR AND
timestamp>="2018-12-31T00:00:00Z" AND timestamp<="2019-01-01T00:00:00Z" 
App Engine request logs with server errors

resource.type="gae_app" AND
log_name="projects/[PROJECT_ID]/logs/appengine.googleapis.com%2Frequest_log" AND
http_request.status>=500 
Sampled HTTP error logs

resource.type="gae_app" AND
proto_payload.status >= 400 AND
sample(insertId, 0.1) 
Search for an App Engine trace ID

resource.type="gae_app" AND
trace="projects/[PROJECT_ID]/traces/[TRACE_ID]" 

BigQuery queries

Filter name    Expression
BigQuery audit logs

resource.type="bigquery_resource" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com" 
BigQuery Data Transfer Service jobs

resource.type="bigquery_resource" AND
proto_payload.request_metadata.caller_supplied_user_agent="BigQuery Data Transfer Service" AND
proto_payload.method_name="jobservice.insert" 
BigQuery dataset updates

resource.type="bigquery_resource" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
proto_payload.method_name="datasetservice.update" 
BigQuery jobs completed

resource.type="bigquery_resource" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fdata_access" AND
proto_payload.method_name="jobservice.jobcompleted" 
BigQuery large queries

resource.type="bigquery_resource" AND
proto_payload.method_name="jobservice.jobcompleted" AND
proto_payload.service_data.job_completed_event.job.job_statistics.total_billed_bytes>1073741824 
BigQuery quota exceeded

resource.type="bigquery_resource" AND
proto_payload.status.code=8 AND
severity>=WARNING 
BigQuery queries started

resource.type="bigquery_resource" AND
proto_payload.method_name="jobservice.insert" 

Dataflow queries

Filter name    Expression
Errors and warnings in Dataflow workers

resource.type="dataflow_step" AND
log_name="projects/[PROJECT_ID]/logs/dataflow.googleapis.com%2Fworker" AND
severity>=WARNING 

Dataproc queries

Filter name    Expression
Dataproc Apache Hadoop logs

resource.type="cloud_dataproc_cluster" AND
json_payload.class:"org.apache.hadoop.mapreduce" 

Cloud Deployment Manager

Filter name    Expression
Deployment Manager errors

resource.type="deployment" AND
severity>=ERROR 

Cloud Functions queries

Filter name    Expression
Cloud Functions function errors

resource.type="cloud_function" AND
log_name="projects/[PROJECT_ID]/logs/cloudfunctions.googleapis.com%2Fcloud-functions" AND
severity>=ERROR 

Cloud Identity and Access Management queries

Filter name    Expression
Service account creation logs

resource.type="service_account" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
proto_payload.method_name="google.iam.admin.v1.CreateServiceAccount" 
Service account key creation logs

resource.type="service_account" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
proto_payload.method_name="google.iam.admin.v1.CreateServiceAccountKey" 
Set access control policy logs

resource.type="project" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
proto_payload.method_name="SetIamPolicy" 
External members granted access to the organization

resource.type="project" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
proto_payload.@type="type.googleapis.com/google.cloud.audit.AuditLog" AND
proto_payload.request.@type:"IamPolicy" AND
proto_payload.service_data.policy_delta.binding_deltas.member:* AND
NOT proto_payload.service_data.policy_delta.binding_deltas.member:"@[DOMAIN_NAME].com" 
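
The external-member filter above, replayed as a per-delta check over exported audit log entries. This is an added example, not part of the original page; the sample entries, `ALLOWED_DOMAINS` and the function names are constructed for illustration. Because `:` is a substring match, a member such as `user:mallory@example.com.attacker.test` still contains `@example.com`; the code compares the exact domain instead.

```python
ALLOWED_DOMAINS = {"example.com"}  # assumption: your organization's domain(s)

def _entry(insert_id, *deltas):
    """Build a constructed audit LogEntry holding the given binding deltas."""
    return {"insertId": insert_id, "protoPayload": {
        "methodName": "SetIamPolicy",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": a, "role": r, "member": m} for a, r, m in deltas]}}}}

# Constructed sample data, not real logs.
SAMPLE_ENTRIES = [
    # One change that adds an internal and an external member together.
    _entry("a1", ("ADD", "roles/viewer", "user:alice@example.com"),
                 ("ADD", "roles/editor", "user:bob@partner.test")),
    # Look-alike domain that contains "@example.com" as a substring.
    _entry("a2", ("ADD", "roles/viewer", "user:mallory@example.com.attacker.test")),
    # Removal of an external member: not a grant.
    _entry("a3", ("REMOVE", "roles/owner", "user:carol@partner.test")),
    # Public access.
    _entry("a4", ("ADD", "roles/storage.objectViewer", "allUsers")),
]

def member_domain(member):
    """Return the lower-cased domain of an IAM member string, or None."""
    kind, _, ident = member.partition(":")
    if kind == "domain":
        return ident.lower()
    if kind in ("user", "group", "serviceAccount") and "@" in ident:
        return ident.rsplit("@", 1)[1].lower()
    return None  # allUsers, allAuthenticatedUsers, unrecognized forms

def external_grants(entries, allowed=ALLOWED_DOMAINS):
    """Return (insertId, role, member) for every ADD outside the allowed domains."""
    findings = []
    for entry in entries:
        deltas = (entry.get("protoPayload", {}).get("serviceData", {})
                  .get("policyDelta", {}).get("bindingDeltas", []))
        for delta in deltas:
            if delta.get("action") != "ADD":
                continue
            member = delta.get("member", "")
            if member_domain(member) not in allowed:
                findings.append((entry.get("insertId"), delta.get("role"), member))
    return findings

if __name__ == "__main__":
    for finding in external_grants(SAMPLE_ENTRIES):
        print(finding)
```

Service accounts are compared by their own e-mail domain, so they are reported unless that domain is added to `ALLOWED_DOMAINS`.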

Cloud Source Repositories queries

Filter name    Expression
Cloud Source Repository logs

resource.type="csr_repository" AND
resource.labels.name="[REPOSITORY_NAME]"

Cloud Spanner queries

Filter name    Expression
Cloud Spanner logs for a specific Spanner instance

resource.type="spanner_instance" AND
resource.labels.instance_id="[SPANNER_INSTANCE]"

Cloud SQL queries

Filter name    Expression
Cloud SQL audit logs

resource.type="cloudsql_database" AND
resource.labels.database_id="[DATABASE_ID]" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"
Cloud SQL MySQL error logs

resource.type="cloudsql_database" AND
log_name="projects/[PROJECT_ID]/logs/cloudsql.googleapis.com%2Fmysql.err"
Cloud SQL MySQL-based databases

resource.type="cloudsql_database" AND
resource.labels.database_id="[DATABASE_ID]" AND
log_name="projects/[PROJECT_ID]/logs/cloudsql.googleapis.com%2Fmysql"
Cloud SQL Postgres-based databases

resource.type="cloudsql_database" AND
resource.labels.database_id="[DATABASE_ID]" AND
log_name="projects/[PROJECT_ID]/logs/cloudsql.googleapis.com%2Fpostgres.log"

Compute Engine queries

Filter name    Expression
Google Compute Engine admin activity logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"
Google Compute Engine firewall rule deletion

resource.type="gce_firewall_rule" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
proto_payload.method_name:"firewalls.delete" 
Google Compute Engine legacy activity logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Factivity_log" 
Google Compute Engine VM system logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/syslog" 

Cloud Storage queries

Filter name    Expression
GCS bucket logs

resource.type="gcs_bucket" AND
resource.labels.bucket_name="[BUCKET_NAME]"
GCS bucket audit logs

resource.type="gcs_bucket" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com" 
GCS bucket creation logs

resource.type="gcs_bucket" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
proto_payload.method_name="storage.buckets.create" 
GCS bucket deletion logs

resource.type="gcs_bucket" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
proto_payload.method_name="storage.buckets.delete" 

Cloud Tasks queries

Filter name    Expression
Cloud Tasks queue logs

resource.type="cloud_tasks_queue" AND
resource.labels.queue_id="[QUEUE_ID]"

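Kubernetes-related queries

To see examples of Admin Activity audit log queries, visit the GKE Accessing audit logs page.

Cluster-level queries

Filter name    Expression
Google Kubernetes Engine cluster operations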

resource.type="gke_cluster" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"
Google Kubernetes Engine cluster creation

resource.type="gke_cluster" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
protoPayload.method_name="google.container.v1.ClusterManager.CreateCluster"
Kubernetes cluster deployments

resource.type="k8s_cluster" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
protoPayload.method_name:"deployments"
Kubernetes cluster authentication failures

resource.type="k8s_cluster" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
protoPayload.authentication_info.principal_email="system:anonymous"
Kubernetes cluster write requests to Secrets

resource.type="k8s_cluster" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
protoPayload.method_name:"io.k8s.core.v1.secrets" AND NOT
protoPayload.method_name:"get" AND NOT
protoPayload.method_name:"list" AND NOT
protoPayload.method_name:"watch"
Kubernetes clusters in us-central1-b

resource.type="k8s_cluster" AND
resource.labels.location="us-central1-b"
Kubernetes container guestbook logs

resource.type="k8s_container" AND
resource.labels.cluster_name="guestbook"
Kubernetes pod requests from a user

resource.type="k8s_cluster" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
protoPayload.method_name:"io.k8s.core.v1.pods" AND
protoPayload.authentication_info.principal_email="[USER_EMAIL]"
Kubernetes events

resource.type="k8s_cluster" AND
log_name="projects/[PROJECT_ID]/logs/events"
Kubernetes endpoint updates

resource.type="k8s_cluster" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
protoPayload.request.kind="Endpoints"
Kubernetes control plane logs

resource.type="k8s_cluster" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
protoPayload.serviceName="k8s.io"
Kubernetes Engine control plane logs

resource.type="k8s_cluster" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
protoPayload.serviceName="container.googleapis.com"
Pod deletion

resource.type="k8s_cluster" AND
protoPayload.methodName=~"io.k8s.core.v1.pods.(create|delete)" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"
Query pods during creation

resource.type="k8s_pod" AND
log_name="projects/[PROJECT_ID]/logs/events" AND
resource.labels.pod_name="[POD_NAME]"

Node-level queries

Filter name    Expression
Node events

resource.type="k8s_node" AND
log_name="projects/[PROJECT_ID]/logs/events"
View kube-proxy logs

resource.type="k8s_node" AND
log_name="projects/[PROJECT_ID]/logs/kube-proxy"
View dockerd logs

resource.type="k8s_node" AND
log_name="projects/[PROJECT_ID]/logs/container-runtime"
View kubelet errors or failures

resource.type="k8s_node" AND
log_name="projects/[PROJECT_ID]/logs/kubelet" AND
jsonPayload.MESSAGE:("error" OR "fail")

Container queries

Filter name    Expression
Container error logs in all pods and containers in the cluster

resource.type="k8s_container" AND
log_name="projects/[PROJECT_ID]/logs/stderr" AND
severity=ERROR
stdout container logs in all pods and containers in the cluster

resource.type="k8s_container" AND
log_name="projects/[PROJECT_ID]/logs/stdout"
Container error logs for a pod with a specific name

resource.type="k8s_container" AND
resource.labels.pod_name="[POD_NAME]" AND
severity=ERROR
Container error logs for a specific container in a specific pod

resource.type="k8s_container" AND
resource.labels.pod_name="[POD_NAME]" AND
resource.labels.container_name="server" AND
severity=ERROR
Container error logs for a specific namespace and container

resource.type="k8s_container" AND
resource.labels.namespace_name="istio-system" AND
resource.labels.container_name="egressgateway" AND
severity=ERROR
Container logs for pods with a specific label

resource.type="k8s_container" AND
labels."k8s-pod/app"="loadgenerator" AND
severity=ERROR
Container logs for a pod that has a label generated by skaffold

resource.type="k8s_container" AND
labels."k8s-pod/app"="loadgenerator" AND
labels."k8s-pod/skaffold_dev/run-id"=[SKAFFOLD_RUN_ID] AND
severity=ERROR
Container error logs for a specific pod that contain POST in textPayload

resource.type="k8s_container" AND
resource.labels.pod_name="[POD_NAME]" AND
textPayload:"POST" AND
severity=ERROR
Container error logs for a specific pod that contain GET in structured JSON

resource.type="k8s_container" AND
resource.labels.pod_name="[POD_NAME]" AND
jsonPayload."http.req.method"="GET" AND
severity=ERROR
Container error logs in the kube-system namespace

resource.type="k8s_container" AND
resource.labels.namespace_name="kube-system" AND
severity=ERROR
Container errors in the container insights logs

resource.type="k8s_container" AND
log_name="projects/[PROJECT_ID]/logs/clouderrorreporting.googleapis.com%2Finsights"

Logging agent application queries

Filter name    Expression
Apache logs

resource.type="gce_instance" AND
(log_name:"/apache-access" OR log_name:"/apache-error")
Cassandra logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/cassandra"
Chef logs

resource.type="gce_instance" AND
log_name:"projects/[PROJECT_ID]/logs/chef-"
Gitlab logs

resource.type="gce_instance" AND
log_name:"projects/[PROJECT_ID]/logs/gitlab-" 
Jenkins logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/jenkins"
Jetty logs

resource.type="gce_instance" AND
log_name:"projects/[PROJECT_ID]/logs/jetty-"
Joomla logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/joomla"
Linux system logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/syslog"
Magneto logs

resource.type="gce_instance" AND
log_name:"projects/[PROJECT_ID]/logs/magneto-"
Mediawiki logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/mediawiki"
memcached logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/memcached"
MongoDB logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/mongodb"
MySQL logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/mysql"
Nginx logs

resource.type="gce_instance" AND
log_name:"projects/[PROJECT_ID]/logs/nginx-"
Postgresql logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/postgresql"
Puppet logs

resource.type="gce_instance" AND
log_name:"projects/[PROJECT_ID]/logs/puppet-"
RabbitMQ logs

resource.type="gce_instance" AND
log_name:"projects/[PROJECT_ID]/logs/rabbitmq-"
Redmine logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/redmine"
Salt logs

resource.type="gce_instance" AND
log_name:"projects/[PROJECT_ID]/logs/salt-"
Slow MySQL queries

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/mysql-slow"
Solr logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/solr"
SugarCRM logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/sugarcrm"
Tomcat logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/tomcat"
Zookeeper logs

resource.type="gce_instance" AND
log_name="projects/[PROJECT_ID]/logs/zookeeper"

Network queries

Filter name    Expression
Firewall - all logs

resource.type="gce_subnetwork" AND
log_name="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Ffirewall"
Firewall logs by country/region

resource.type="gce_subnetwork" AND
log_name="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Ffirewall" AND
json_payload.remote_location.country=[COUNTRY_ISO_ALPHA_3]
Firewall logs by VM

resource.type="gce_subnetwork" AND
log_name="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Ffirewall" AND
json_payload.instance.vm_name="[INSTANCE_NAME]"
Firewall subnet logs

resource.type="gce_subnetwork" AND
log_name="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Ffirewall" AND
resource.labels.subnetwork_name="[SUBNET_NAME]"
Compute Engine subnetwork traffic logs to a subnet

resource.type="gce_subnetwork" AND
ip_in_net(json_payload.connection.dest_ip, "[SUBNET_IP]")
VPC flow logs

resource.type="gce_subnetwork" AND
log_name="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Fvpc_flows"
VPC flow logs for a specific port and protocol

resource.type="gce_subnetwork" AND
log_name="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Fvpc_flows" AND
json_payload.connection.src_port="[PORT_ID]" AND
json_payload.connection.protocol="[PROTOCOL]"
VPC flow logs for a specific subnet

resource.type="gce_subnetwork" AND
log_name="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Fvpc_flows" AND
resource.labels.subnetwork_name="[SUBNET_NAME]"
VPC flow logs for a specific subnet prefix

resource.type="gce_subnetwork" AND
log_name="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Fvpc_flows" AND
ip_in_net(json_payload.connection.dest_ip, "[SUBNET_IP]")
VPC flow logs for a specific VM

resource.type="gce_subnetwork" AND
log_name="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Fvpc_flows" AND
json_payload.src_instance.vm_name="[VM_NAME]"
VPN gateway logs

resource.type="vpn_gateway" AND
resource.labels.gateway_id="[GATEWAY_ID]"
HTTP load balancer 5xx errors

resource.type="http_load_balancer" AND
http_request.status>=500
HTTP load balancer requests to PHPMyAdmin

resource.type="http_load_balancer" AND
http_request.request_url:"phpmyadmin"

Security logging queries

Filter name    Expression
Audit logs - all

log_name:"projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com"
Audit logs - Access Transparency (AXT)

log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Faccess_transparency"
Audit logs - Admin Activity

log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"
Audit logs - Data Access

log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fdata_access"
Audit logs - System Event

log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fsystem_event"

Google Cloud's operations suite queries

Filter name    Expression
Logs sink activity

resource.type="logging_sink" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"
Logs-based metric creation or update activity

resource.type="metric" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
proto_payload.method_name:(UpdateLogMetric OR CreateLogMetric)
Uptime URL check for a host

resource.type="uptime_url" AND
resource.labels.host="[URL]"

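Troubleshooting

For details about the advanced query syntax and troubleshooting instructions, go to Advanced logs queries.

What's next

For details about the query syntax used to customize these queries, see Advanced logs queries.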