alibabacloud-sls-query is an Agent Skill that lets you use natural language to query and analyze Simple Log Service (SLS) log data in an AI Agent. After you install the skill, the Agent automatically converts your query intent into an SLS query statement, executes it, and returns structured analysis results.
Scenarios
| Scenario | Description | Example prompt |
| --- | --- | --- |
| Log retrieval | Query log details based on conditions such as keywords, fields, status codes, Trace IDs, or user IDs. | Query the details of NGINX access logs where the status is greater than or equal to 500 in the last 10 minutes. |
| SQL statistical analysis | Perform aggregation, grouping, sorting, Top-N analysis, trend analysis, or field projection on logs. | Find the top 10 APIs with the most 5xx errors in the last hour. |
| Query statement generation | Converts natural language requests into SLS index query statements, SQL statements, or Structured Process Language (SPL) statements. | Generate a query statement to calculate the average latency and P95 latency by minute. |
| Query optimization | Optimizes existing queries based on index configurations and field types to reduce unnecessary data scans. | Optimize the existing query statement to prioritize the use of field indexes and reduce unnecessary data scans. |
You can also use Simple Log Service to query and analyze logs by calling the MCP Server.
Prerequisites
You have created a Simple Log Service project and Logstore, and collected log data.
You have created an index for the target Logstore. You cannot execute SLS queries, SQL analysis, or SPL queries without an index.
You have obtained the Alibaba Cloud account credentials required to access the destination project and Logstore.
Warning: To prevent credential leaks, do not paste your AccessKey ID or AccessKey secret into the Agent chat. Manage credentials using environment variables or an Alibaba Cloud command-line interface (CLI) configuration file.
Install the skill
alibabacloud-sls-query is published on Alibaba Cloud Skill and ClawHub and can be installed using the following methods.
Method 1 (recommended): Install using the npx command
The npx command is included with Node.js. Before you install the skill, run the following commands to confirm that your local environment is ready:
node -v
npx -v
If the terminal indicates that node or npx does not exist, go to the official Node.js website to download and install it.
Run the following command to install the alibabacloud-sls-query skill:
npx skills add aliyun/alibabacloud-aiops-skills --skill alibabacloud-sls-query
After the installation is complete, confirm that the alibabacloud-sls-query folder exists in the skills folder. Then, restart the Agent for the skill to take effect.
Method 2: Download and install manually
Download the alibabacloud-sls-query installation package from GitHub Releases. Unzip the package and copy the files to the skills installation folder of the Agent.
After copying, make sure the alibabacloud-sls-query folder exists in the skills folder. Then, restart the Agent to load the skill.
The skills installation folders for common Agents are as follows:
Agent | Project-level installation folder | User-level installation folder |
Claude Code |
|
|
Codex |
|
|
Qoder |
|
|
QwenCode |
|
|
OpenClaw |
|
|
Query and analyze logs
After installation, you can trigger the skill by describing your SLS query or analysis request directly in the Agent. The Agent automatically performs the following steps:
Checks the runtime environment (Alibaba Cloud CLI and SLS plugin).
Reads the index configuration of the destination Logstore.
Generates a query statement (index query, SQL, or SPL) based on your request.
Executes the query using the Alibaba Cloud CLI.
Outputs the formatted, structured results.
The first time you run a query, the Agent guides you through the installation of the Alibaba Cloud CLI and credential configuration. Follow the prompts to grant execution permissions and complete the configuration.
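Because the Agent executes the statement it generates, the command it proposes can be checked against a local policy before you grant execution permission. The following is an added example, not part of the skill or of Alibaba Cloud's tooling; `check_command`, `ALLOWED_TARGETS` and `MAX_WINDOW_SECONDS` are hypothetical names and values, and the accepted flags are only those that appear in the commands on this page.

```python
import shlex

# Assumed local policy; these values are illustrative, not defined by the skill.
ALLOWED_TARGETS = {("prod-web", "nginx-access")}
MAX_WINDOW_SECONDS = 24 * 3600
# Only the flags that appear in the get-logs-v2 commands on this page.
NUMERIC_FLAGS = {"--from", "--to", "--line", "--offset"}
KNOWN_FLAGS = NUMERIC_FLAGS | {"--project", "--logstore", "--query", "--reverse"}


def check_command(command: str) -> list[str]:
    """Return policy violations for an agent-generated command ([] means OK)."""
    if "$" in command or "`" in command:
        return ["shell expansion characters are not permitted"]
    try:
        # Join backslash-newline continuations, then tokenize without a shell.
        argv = shlex.split(command.replace("\\\n", " "))
    except ValueError as exc:  # for example, unbalanced quotes
        return [f"unparseable command: {exc}"]
    if argv[:3] != ["aliyun", "sls", "get-logs-v2"]:
        return ["only 'aliyun sls get-logs-v2' is permitted"]
    problems, flags, rest = [], {}, argv[3:]
    for flag, value in zip(rest[0::2], rest[1::2] + [None]):
        if flag not in KNOWN_FLAGS or value is None or flag in flags:
            problems.append(f"unexpected, duplicate or valueless argument: {flag}")
        elif flag in NUMERIC_FLAGS and not (value.isascii() and value.isdigit()):
            problems.append(f"{flag} must be a non-negative integer")
        else:
            flags[flag] = value
    if (flags.get("--project"), flags.get("--logstore")) not in ALLOWED_TARGETS:
        problems.append("project/logstore is not on the allowlist")
    if "--from" not in flags or "--to" not in flags:
        problems.append("an explicit --from/--to time range is required")
    else:
        window = int(flags["--to"]) - int(flags["--from"])
        if not 0 < window <= MAX_WINDOW_SECONDS:
            problems.append(f"time window of {window}s is outside policy")
    if "--reverse" in flags and flags["--reverse"] not in ("true", "false"):
        problems.append("--reverse must be true or false")
    return problems


# Constructed samples: the Scenario 1 command, and a variant with no time range.
GOOD = ("aliyun sls get-logs-v2 --project prod-web --logstore nginx-access "
        "--from 1777016700 --to 1777017600 --query 'status>=500' "
        "--line 100 --offset 0 --reverse true")
BAD = "aliyun sls get-logs-v2 --project prod-web --logstore nginx-access --query '*'"

if __name__ == "__main__":
    print(check_command(GOOD), check_command(BAD))
```

An empty list means the command stays within the read-only, bounded-window policy; any other result lists the reasons to decline the execution prompt.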
Best practices for prompts
The quality of your prompt directly affects the accuracy of the query results. A good prompt includes the following information:
The project name and Logstore name.
A clear query or analysis intent. For example, "Analyze the year-over-year change in request latency and calculate the average latency per minute."
The time range for the query. For example, "the last 15 minutes" or "from 10:00 to 11:00 on April 24, 2026, UTC+8".
The desired output format. For example, "return raw logs," "calculate the top 10," "show the trend by minute," or "return only these fields."
To improve query efficiency and reduce costs:
Narrow the time range as much as possible to avoid full scans.
Specify exact field names, such as status and request_uri, instead of using vague descriptions.
If you need Top-N results, specify the number in the prompt, such as "Top 10".
The projects, Logstores, field names, and query results in the following examples are for demonstration purposes only. Replace them with your actual resource names and log fields.
Scenario 1: Query 5xx error logs from the last 15 minutes
Prompt
Query SLS Logstore where Project=prod-web and Logstore=nginx-access for requests with status >= 500 in the last 15 minutes, sorted in descending order by time.
Example Agent output
Query mode: Index query.
Reason: The user requested raw logs based on a condition, which does not involve aggregation, sorting, analysis, or field projection. The status field is configured with a numeric type index, so a range query can be used directly.
Command executed:
aliyun sls get-logs-v2 \
--project prod-web \
--logstore nginx-access \
--from 1777016700 \
--to 1777017600 \
--query 'status>=500' \
--line 100 \
--offset 0 \
--reverse true
Query result:
| Time | status | request_uri | upstream_status | request_time | message |
| --- | ---: | --- | ---: | ---: | --- |
| 2026-04-24 15:59:31 | 502 | /api/order/create | 502 | 1.238 | upstream connect timeout |
| 2026-04-24 15:58:44 | 500 | /api/pay/notify | 500 | 0.412 | internal server error |
| 2026-04-24 15:57:09 | 502 | /api/order/create | 502 | 1.104 | bad gateway |
Conclusion: The 5xx raw logs from the last 15 minutes have been returned in descending order by time. The most recent errors are concentrated in /api/order/create.
Scenario 2: Find the top 10 APIs with 5xx errors
Prompt
Find the top 10 APIs with the most 5xx errors in the last hour in the SLS Logstore prod-web/nginx-access.
Example Agent output
Query mode: Index query + SQL.
Reason: To find the top 10 APIs with the most 5xx errors, an index query is first used to filter for status codes from 500 to 599. Then, SQL is used to group by request_uri, count the errors, and sort the results.
Command executed:
aliyun sls get-logs-v2 \
--project prod-web \
--logstore nginx-access \
--from 1777014000 \
--to 1777017600 \
--query 'status in [500 599] | SELECT request_uri, count(*) AS errors FROM log GROUP BY request_uri ORDER BY errors DESC LIMIT 10'
Query result:
| Rank | request_uri | errors |
| --- | --- | ---: |
| 1 | /api/order/create | 186 |
| 2 | /api/pay/notify | 73 |
.....
| 10 | /api/user/login | 1 |
Conclusion: The API with the highest number of 5xx errors in the last hour is /api/order/create. Its error count is significantly higher than other APIs. Investigate this API and its backend dependencies first.
Scenario 3: Compare the latency trend of the last hour with the same period yesterday
Prompt
In the SLS Logstore prod-web/nginx-access, analyze the change in average latency over the last hour compared to the same period yesterday. Calculate the average value per minute and determine if there are any significant latency anomalies.
Example Agent output
Query mode: Index query + SQL
Reason: The request requires aggregating the average latency by minute for both the last hour and the same period yesterday. The results are then aligned by minute to calculate the change and the rate of change.
Command executed (for the last hour):
aliyun sls get-logs-v2 \
--project prod-web \
--logstore nginx-access \
--from 1777014000 \
--to 1777017600 \
--query "* | SELECT date_trunc('minute', __time__) AS minute, avg(request_time) AS avg_latency FROM log GROUP BY minute ORDER BY minute LIMIT 60"
Command executed (for the same period yesterday):
aliyun sls get-logs-v2 \
--project prod-web \
--logstore nginx-access \
--from 1776927600 \
--to 1776931200 \
--query "* | SELECT date_trunc('minute', __time__) AS minute, avg(request_time) AS avg_latency FROM log GROUP BY minute ORDER BY minute LIMIT 60"
Query result:
| Minute | Current average latency | Average latency (yesterday) | Change | Change rate |
| --- | ---: | ---: | ---: | ---: |
| 2026-04-24 15:00 | 0.132s | 0.118s | +14ms | +11.9% |
| 2026-04-24 15:01 | 0.141s | 0.116s | +25ms | +21.6% |
| 2026-04-24 15:02 | 0.338s | 0.129s | +209ms | +162.0% |
| 2026-04-24 15:03 | 0.351s | 0.131s | +220ms | +167.9% |
Conclusion: The overall average latency in the last hour is higher than the same period yesterday. The most significant increase occurred between 15:02 and 15:03, where the average latency increased by over 160%. Drill down by the request_uri, upstream_addr, or service dimension to identify the source of the increased latency.
Scenario 4: Ask follow-up questions based on query results
The SLS Query Skill supports multi-turn conversations. You can ask follow-up questions based on previous query results to gradually narrow down your investigation.
First prompt
Find the top 5 APIs with the most 5xx errors in the last hour in the SLS Logstore prod-web/nginx-access.
Second prompt (follow-up based on the first result)
For the /api/order/create API, show the error count trend by minute to see if the errors occurred in a burst or were evenly distributed.
Third prompt (further drill-down)
Show the 5xx raw logs for /api/order/create between 15:02 and 15:05, and return the upstream_addr and message fields.
By asking follow-up questions, you can drill down from high-level statistics to raw logs for a specific time period to quickly identify the root cause of a failure.
Data security and privacy
The SLS Query Skill executes queries using the Alibaba Cloud CLI. The query process adheres to the following security principles:
Query requests are encrypted and transmitted over HTTPS. Log data is not passed through any third-party services.
The Agent generates and executes query commands locally. Log data is not sent to the AI model provider.
Credential information (AccessKey) is managed through the Alibaba Cloud CLI configuration file or environment variables and does not appear in the Agent chat history.
Do not paste your AccessKey ID or AccessKey secret directly into the Agent chat. To configure credentials, use the aliyun configure command.
Limits
| Limits | Description |
| --- | --- |
| Index configuration | An index must be created for the destination Logstore. If an index is not configured, no query types can be executed. |
| Query timeout | The default timeout for a single query is 60 seconds. If a query times out, try narrowing the time range or simplifying the query conditions. |
| Data scan volume | Query costs are related to the volume of data scanned. Narrow the time range and use field indexes to reduce unnecessary full scans. |
| Runtime environment | Requires the Node.js runtime (to install the skill) and the Alibaba Cloud CLI (to execute queries). |
FAQ
Do I need to manually install the Alibaba Cloud CLI and the SLS plugin?
In most cases, manual installation is not required. When you submit a query request in the Agent, the Agent automatically checks the environment (aliyun version), enables AI Mode, sets the User-Agent, and updates the plugin.
If the Alibaba Cloud CLI is not installed on your local machine or the version is too old, the Agent provides installation or upgrade instructions. Run the commands provided by the Agent in your local environment to complete the setup.
How do I configure my Alibaba Cloud account credentials?
You can follow the Agent's prompts to configure your account credentials, or you can run the aliyun configure command manually. Multiple credential configuration methods are supported, such as AK, StsToken, OAuth, and RamRole. For more information, see Configure and manage identity credentials.
Are internal same-region endpoints, acceleration endpoints, and custom domains supported?
Yes. In your prompt, you can instruct the Agent to use a specific Endpoint by including the --endpoint <domain_name> parameter.
What should I do if the query results are inaccurate?
Check and optimize the following:
Confirm that the index is correctly configured for the destination field and that the field type matches the query condition. For example, the `status` field should be a long type, not a text type.
Specify clear field names, time ranges, and desired formats in your prompt to avoid ambiguity.
Review the query statement returned by the Agent to check if the logic is correct. Use follow-up questions to refine the query conditions.
Troubleshooting
IndexConfigNotExist error
This error indicates that the destination Logstore has no index configuration or the index configuration is empty.
Solution: In the Simple Log Service console, create an index for the destination Logstore. After the index is created, wait for new data to be indexed before you run the query again.
Unauthorized error
This error indicates that the current account or RAM user lacks the necessary permissions.
Solution: Grant the following permissions to the current account:
API name | Action | Resource |
GetLogsV2 |
|
|
GetIndex |
|
|
ProjectNotExist error
This error usually occurs if the project name is incorrect, the region is wrong, or you are accessing the wrong Endpoint.
Solution: Confirm the following information:
The project name is accurate.
The region matches the project's region.
Whether your network environment requires an internal same-region endpoint.