All ingested logs can be viewed from the Explore > Discover page. This page offers many options to search, filter, and view the specific logs that interest you. The main elements on this page are:
- Search Bar: using keywords or Lucene queries
- Dynamic Filter Bar: quickly filter logs based on agent, source, severity, and type
- Selected fields: the columns shown in the Log Viewer. observIQ selects time, type, severity, and summary as the default columns.
- Available fields: a list of fields for a given query, filter, and time period
- Alerts: Navigate to Alerts with selected filters and query
- Live Tail: Navigate to Live Tail with selected filters and query
- Time Filter: adjust the time period or time range used to explore your logs
- Log Viewer: a list of log events for a given query, filter, and time period. Newest at the top. Use the > to view the full contents of an event
Enter a search term or Lucene query in the search field. The search options and Lucene query syntax are described in detail on our “Search using Lucene queries” page. For a simple string search, every occurrence of the string in the matching logs is highlighted to show why the event was returned.
Clicking the alert icon navigates to the alert setup page. For additional information about creating alerts, see our Alerts docs.
Clicking the live tail icon navigates to the Live Tail page with your selected filters and query and starts your session automatically.
Clicking the calendar icon displays the date and time selections you can use to restrict results to logs ingested during a given period. You can make the following selections:
- Last/Next: Use this option to display logs from the last “X” minutes or the next “X” minutes. “Next” does not refer to future logs; it is used to view logs from the “X” minutes before the current selection. The default time selection is 15 minutes.
- Commonly used searches: Choose from a list of commonly used time-based searches. Initially this list is not based on your usage, but as you use time-based searches, the system displays the ones you use most often.
- Recently used date ranges: Your most recent search criteria are listed here. You can choose to apply the same criteria from here.
- Refresh every: When analyzing logs on the Discover page, if you want the logs you are viewing to stay current, you can set observIQ to refresh automatically every “X” seconds, minutes, or hours. Your search and filter options are retained across refreshes, so your analysis is not disrupted.
- Show dates: Use the “Show dates” option to search logs within a date range. There are three types of selections you can make here:
Absolute: Select a start date (and, if required, an end date) to filter logs by an absolute date range.
Relative: States the time period used for the search and whether any rounding is applied when the criteria are evaluated. For instance, a relative date range can be rounded to the whole week.
Now: Use this option to set the end date to the current date and time.
The Dynamic Filter Bar allows you to quickly and easily filter your logs by Severity, Agent, Source, and Type.
Additionally, when you select a Source or Agent, an additional layer of filters is displayed, providing deeper filtering options.
Source: The list of all sources that are set up in your account.
Type: Denotes the types of logs that are ingested by the agents. Every Source in observIQ has at least 1 corresponding log type.
- To add a filter, click “Add filter”.
- In the dialog that appears, set the following:
  - Field: Choose a field from the list of indexed fields.
  - Operator: Set whether the field must equal the expected value, or whether it should include or exclude the specified value.
  - Value: The value to be included in or excluded from the filtered results.
  - Create Custom Label: Enter a custom label for the filter. If this option is not selected, the default indexed label is used for the new filter.
You can add fields that you want to track to this list. Clicking a field reveals the percentage breakdown of all values for that field within the current results. Use the “Remove” button to remove a field from the selected fields list.
A list of all indexed fields returned for the selected filters and query. Expanding a field reveals a percentage breakdown of its values. Clicking Visualize lets you quickly graph the results for all values of that field.
Click the > icon to expand a log entry. Expanding a log reveals all the fields associated with the logged event.
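The behaviour described above (the time filter, the field/operator/value matching of the Add filter dialog, plain-string highlighting in the Log Viewer, and the percentage breakdown shown for an available field) modelled in Python over a handful of constructed log events. This is an added illustration for this page, not observIQ code: the field names mirror the default columns, and the operator names, the sample events and the `[[...]]` highlight markers are assumptions made for the example.

```python
"""Toy model of Discover's search, filter, time-range and field-breakdown
behaviour. Added example; the event records and operator names are assumed."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events. "time" is ingestion time; the other keys mirror
# the default Discover columns plus the dynamic filter bar fields.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
EVENTS = [
    {"time": NOW - timedelta(minutes=2), "agent": "web-01", "source": "nginx",
     "type": "access", "severity": "info", "summary": "GET /login 200"},
    {"time": NOW - timedelta(minutes=5), "agent": "web-01", "source": "nginx",
     "type": "error", "severity": "error", "summary": "upstream timed out"},
    {"time": NOW - timedelta(minutes=9), "agent": "db-01", "source": "postgres",
     "type": "auth", "severity": "warning",
     "summary": "password authentication failed for user admin"},
    {"time": NOW - timedelta(minutes=40), "agent": "db-01", "source": "postgres",
     "type": "auth", "severity": "info", "summary": "connection authorized user=app"},
    {"time": NOW - timedelta(hours=3), "agent": "web-02", "source": "sshd",
     "type": "auth", "severity": "error", "summary": "Failed password for root"},
]


def within_last(events, minutes, now=NOW):
    """Time filter ("Last X minutes"): keep events in [now - X, now], newest first."""
    start = now - timedelta(minutes=minutes)
    hits = [e for e in events if start <= e["time"] <= now]
    return sorted(hits, key=lambda e: e["time"], reverse=True)


def matches(event, field, operator, value):
    """One filter from the Add filter dialog: field, operator, value.
    Operators modelled here (assumed names): is, is not, is one of,
    is not one of, exists. A missing field never satisfies a value comparison."""
    if operator == "exists":
        return field in event
    if field not in event:
        return False
    v = event[field]
    if operator == "is":
        return v == value
    if operator == "is not":
        return v != value
    if operator == "is one of":
        return v in value
    if operator == "is not one of":
        return v not in value
    raise ValueError(f"unknown operator {operator!r}")


def apply_filters(events, filters):
    """Filter bar semantics: every active filter must hold (logical AND)."""
    return [e for e in events if all(matches(e, *f) for f in filters)]


def search(events, term):
    """Plain-string search over the summary, case-insensitive. Returns copies
    of the matching events with each hit wrapped in [[...]] to mimic the
    highlighting in the Log Viewer."""
    pattern = re.compile(re.escape(term), re.IGNORECASE)
    out = []
    for e in events:
        if pattern.search(e["summary"]):
            highlighted = pattern.sub(lambda m: f"[[{m.group(0)}]]", e["summary"])
            out.append({**e, "summary": highlighted})
    return out


def field_breakdown(events, field):
    """Percentage breakdown of a field's values across the given result set,
    as shown when expanding a field under Available/Selected fields."""
    values = [e[field] for e in events if field in e]
    if not values:
        return {}
    total = len(values)
    return {v: round(100 * c / total, 1) for v, c in Counter(values).most_common()}


if __name__ == "__main__":
    recent = within_last(EVENTS, 15)                      # default 15-minute window
    errors = apply_filters(recent, [("severity", "is", "error")])
    print("recent errors:", [e["summary"] for e in errors])
    print("auth, not info:", len(apply_filters(
        EVENTS, [("type", "is", "auth"), ("severity", "is not", "info")])))
    print("search 'password':", [e["summary"] for e in search(EVENTS, "password")])
    print("source breakdown (last 15m):", field_breakdown(recent, "source"))
```

Narrowing the time window first and then applying filters mirrors how the page behaves: the breakdown percentages and the available-field list are computed over the already filtered, time-bounded result set, so the same field shows different percentages as you change the range.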