METHODS AND SYSTEMS FOR AGGREGATING AND QUERYING LOG MESSAGES
Abstract:
Methods and systems described herein are directed to aggregating and querying log messages. The methods and systems determine event types of log messages generated by event sources of a distributed computing system. The event types are aggregated into aggregated records for a shortest time unit, and aggregated records for longer time units are built from the aggregated records associated with the shortest time unit. In response to a query regarding occurrences of an event type in a query time interval, the query time interval is split into subintervals that lie within the query time interval and whose time lengths range from the shortest time unit to a longest time unit. The method determines a total event count of occurrences of the event type in the query time interval based on the aggregated records with time stamps in the subintervals. The event count in the query time interval may be used to detect abnormal behavior of the event sources.
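The roll-up and interval-splitting scheme the abstract describes, as an added example that is not taken from the patent. It assumes minute, hour and day units, epoch-second time stamps and half-open query intervals aligned to the shortest unit; the function names and sample events are constructed for illustration.

```python
from collections import Counter

# Assumed time units in seconds, shortest first (the abstract does not name them).
UNITS = [("minute", 60), ("hour", 3600), ("day", 86400)]

def aggregate(events):
    """events: iterable of (epoch_seconds, event_type).
    Returns {unit_name: Counter{(bucket_start, event_type): count}}."""
    name0, len0 = UNITS[0]
    records = {name0: Counter()}
    for ts, etype in events:              # shortest unit is built from the raw messages
        records[name0][(ts - ts % len0, etype)] += 1
    for (prev, _), (name, length) in zip(UNITS, UNITS[1:]):
        records[name] = Counter()         # each longer unit is built from the level below
        for (start, etype), n in records[prev].items():
            records[name][(start - start % length, etype)] += n
    return records

def split_interval(start, end):
    """Split [start, end) into aligned subintervals, longest fitting unit first."""
    shortest = UNITS[0][1]
    if start % shortest or end % shortest:
        raise ValueError("query bounds must align to the shortest time unit")
    parts, t = [], start
    while t < end:
        for name, length in reversed(UNITS):
            if t % length == 0 and t + length <= end:
                parts.append((name, t))
                t += length
                break
    return parts

def count_events(records, etype, start, end):
    """Total occurrences of etype in [start, end), read only from aggregated records."""
    return sum(records[name][(t, etype)] for name, t in split_interval(start, end))

# Constructed sample: one "auth_failure" every 90 s for three days, plus one "disk_full".
SAMPLE = [(t, "auth_failure") for t in range(0, 3 * 86400, 90)] + [(4000, "disk_full")]
RECORDS = aggregate(SAMPLE)
```

A query from 23:30 on day 0 to 01:15 on day 2 reads 47 aggregated records (30 minute, 1 day, 1 hour and 15 minute records) where a minute-only scan would read 1,545.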