Exploring logs

Get to the root cause of an issue by using out-of-the-box options such as queries, time range, fields, and so on. For example, you observe multiple log entries with a 401 status in your Apache logs. A few such entries might mean that users forgot their passwords. However, multiple entries from the same IP address in a short time span might indicate a security threat. Use the search options to narrow down the results and find the root cause. For quick reference, add the filtered logs to dashboards.
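The 401 scenario above is a good candidate for a quick scripted check before you build a saved search. The following Python example is added here and is not part of the original page or the product: it parses constructed Apache combined-format lines, counts 401 responses per client IP inside a sliding time window, and builds the `field_name:"search string"` query described later on this page. The field name `client_ip` is an assumption; use whatever field name your index pattern shows.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not taken from any real system).
SAMPLE_LOGS = """\
203.0.113.7 - - [18/Jul/2022:18:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.81.0"
203.0.113.7 - - [18/Jul/2022:18:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.81.0"
198.51.100.9 - - [18/Jul/2022:18:00:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jul/2022:18:00:08 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.81.0"
203.0.113.7 - - [18/Jul/2022:18:00:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.81.0"
203.0.113.7 - - [18/Jul/2022:18:00:12 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.81.0"
198.51.100.9 - - [18/Jul/2022:18:45:00 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Jul/2022:19:10:00 +0000] "GET /admin HTTP/1.1" 401 128 "-" "python-requests/2.28"
"""

# Client IP, bracketed timestamp, quoted request line, status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return {'ip', 'ts', 'status'} for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "status": int(m.group("status"))}


def find_401_bursts(lines, threshold=5, window_seconds=60):
    """Return {ip: count} for every IP that produced at least `threshold` 401s
    within any span of `window_seconds`. A single 401 is noise; a burst is worth a look."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            events[rec["ip"]].append(rec["ts"])

    window = timedelta(seconds=window_seconds)
    bursts = {}
    for ip, stamps in events.items():
        stamps.sort()
        start, best = 0, 0
        # Sliding window: advance `start` until the span fits inside the window.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def discover_query(field, value):
    """Build the field_name:"search string" query for the Discover search field."""
    return f'{field}:"{value}"'


if __name__ == "__main__":
    for ip, count in find_401_bursts(SAMPLE_LOGS.splitlines()).items():
        # Assumption: the index pattern exposes the client address as `client_ip`.
        print(f"{ip}: {count} x 401 in one window -> {discover_query('client_ip', ip)}")
```

Paste the printed query into the search field, narrow the time range to the window in question, and save the search if you want to keep an eye on it.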

The following video (2:53) illustrates how to analyze and visualize logs:


https://youtu.be/fggAxALVs0w

Search and analyze logs on the Explorer > Discover tab. The following figure highlights the important features of the page that help you in getting to the root cause of an issue.

Let's explore these features in detail. 

Index pattern overview

By default, an index pattern is created for you. All the logs are collected under this index pattern. You can neither delete this index pattern nor create a new one.

Searching for specific information

Use the following options to search for a specific alphanumeric string:

  • Search field: Enter the string that you are looking for in a field. The format is: field_name:"search string".
  • Filter: Click Add Filter and select the field. Operators are available as per the data type of the selected field. Enter the string and save the filter.

Filtering search results by time range and date

You get the following options to set the date to narrow down your search results:

  • Specify a relative period counted back from now. For example, search results for the last 15 minutes or the last 7 days.
  • Set an absolute start and end date and time. For example, search results from Jul 18, 2022 18:00 hours until Jul 19, 2022 18:00 hours.

Fields available to filter logs

The fields identified in the logs are displayed in the Available fields section. Click a field to filter logs based on the field. To add a field as a column in the search result, click the + symbol that is shown when you move your mouse over the field name.

Tip

If a field shows a '?' sign in place of its data type icon, refresh the index on the index pattern page (Stack Management > Index pattern > index pattern name).

Supported time formats

The log generation time is saved in the @timestamp field. The time of the collected logs must be in the ISO 8601 Zulu (UTC) format (example: 2022-02-20T12:21:32.756Z). If the log generation time is specified in any other format, the log generation time is saved in the @@timestamp field and the log collection time is saved in the @timestamp field. The log collection time is available in the Greenwich Mean Time (GMT) timezone.

If you are collecting logs by using an external agent such as Logstash or Filebeat, the Epoch time format is also supported. However, if you are collecting logs by using the Docker, Windows, or Linux connector, the Epoch time format is not supported.
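To see what the two rules above mean for an individual record, here is a small Python model, added as an example and not the product's own code. It accepts ISO 8601 Zulu timestamps, converts Epoch seconds or milliseconds to Zulu only when the record arrives through an external agent, and otherwise falls back to the @@timestamp / collection-time split described above. The `source` values `"agent"` and `"connector"` and the simplified behaviour are assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# ISO 8601 with a trailing Z, optional fractional seconds (e.g. 2022-02-20T12:21:32.756Z).
ISO_ZULU_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,9})?Z$")
EPOCH_RE = re.compile(r"^\d{9,13}$")


def is_iso8601_zulu(value):
    """True when the value already has the format the @timestamp field requires."""
    return isinstance(value, str) and ISO_ZULU_RE.match(value) is not None


def epoch_to_zulu(value):
    """Convert Epoch seconds or milliseconds (int or numeric string) to ISO 8601 Zulu.
    Assumption: 13-digit values are milliseconds, shorter ones are seconds."""
    raw = int(value)
    secs, millis = divmod(raw, 1000) if raw >= 10**11 else (raw, 0)
    dt = datetime.fromtimestamp(secs, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{millis:03d}Z"


def normalize_timestamp(value, source="agent"):
    """Return a Zulu timestamp if the platform can parse `value` for this source, else None.
    Epoch is only accepted for external agents (Logstash, Filebeat), not for the connectors."""
    if is_iso8601_zulu(value):
        return value
    if source == "agent" and EPOCH_RE.match(str(value)):
        return epoch_to_zulu(value)
    return None


def build_record(raw_ts, collected_at, source="agent"):
    """Place the generation time in @timestamp when it is usable; otherwise keep the raw
    value in @@timestamp and use the collection time (already GMT) as @timestamp."""
    normalized = normalize_timestamp(raw_ts, source)
    if normalized is not None:
        return {"@timestamp": normalized}
    return {"@@timestamp": str(raw_ts), "@timestamp": collected_at}


if __name__ == "__main__":
    # Constructed inputs: one Zulu value, one Epoch millisecond value, one unsupported layout.
    collected = "2022-02-20T12:22:00.000Z"
    for ts in ("2022-02-20T12:21:32.756Z", 1645359692756, "20/02/2022 12:21"):
        print(ts, "->", build_record(ts, collected, source="agent"))
    # The same Epoch value through a connector lands in @@timestamp instead.
    print(build_record(1645359692756, collected, source="connector"))
```

If your Discover results show a @@timestamp column next to @timestamp, the generation time did not parse and the sort order you see is collection order, not the order the events happened in.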

To save the search

Save the search query that you created with the help of the search field, available fields, time period, and so on. Later, open the saved search to get the same results again.

  1. Click Save.
  2. Enter a name.
  3. To access the saved search, click Open.

To add the saved search to a visualization

To visualize the search results, save the search and add it to a visualization.

  1. Click Visualize > Create new visualization.
  2. Select the type of visualization that you want to use, for example, a line chart.
  3. Select the search that you have saved.
  4. Apply additional filters to the data and save the visualization.
  5. To add the visualization to a dashboard:
    1. Click Dashboard.
    2. You can create a new dashboard or edit an existing one.
    3. Click Add and select the visualization.
