Log events

Dynatrace version 1.224+

Dynatrace log monitoring gives you the ability to create log events based on log data and use them in problem detection.

When Dynatrace ingests log data, it applies the query specified in the log event definition. Every matched occurrence triggers a log event that can be configured to individually create a problem for each triggered log event or can be merged into one problem.

Create a log event

  1. In the Dynatrace menu, go to Settings > Log Monitoring > Log events and select Add log event.

  2. Enter the Summary.
    The summary acts as the display name of the log event configuration. The summary must be unique for all configurations.

  3. Enter the Log query.
    Enter the log monitoring query to filter the log data for your log event. For details, see Log viewer.

  4. Configure the Event template.

    • Provide the Title of the event to trigger. If this log event triggers a problem, this title will also be the title of the problem.

    • Provide the Description of the event. Note that you can have one or more placeholders in the description (see Placeholders below for details).

    • Select the Event Type. Event types indicate the severity of the event. See Event types.

  5. Choose whether to Allow merge.
    If two or more events are triggered, Dynatrace could merge these events into a single problem. This option lets you choose to disable this behavior, which can result in more reported problems.

  6. Add Properties.
    A property is a key/value pair that is set on every triggered event. You can have one or more placeholders as a value that will be extracted from the log data. For example, a property with Key set to PGI and a Value of placeholder {dt.entity.process_group_instance} will extract the process group instance value from log data once the event is triggered. If the placeholder substitution fails, both the key and the value will not be available.

Placeholders

Placeholders are log entry attributes that can be used to extract the actual value from the log data.

  • You can use any attribute listed in the log viewer for a given log entry as a placeholder to extract that attribute value.
  • You can use additional log entry attributes in the log viewer as placeholders for the values they represent in the log data. Enclose placeholder values in brackets (for example, {dt.process.name}).

Example

In this example, we create a log event based on ingested log data. This log event will be triggered when the ingested log entry matches the log query. The log query will search for status error on the 555f5555-555a-5dd5-55f555a5b55d host. We add log event properties (attributes) that will extract values from the log data and include it in the problem summary.

  1. In the Dynatrace menu, go to Settings > Log Monitoring > Log events and select Add log event.
  2. Set the following:
    • Summary: syslog-agent log event
    • Log query: status="error" AND host.name="555f5555-555a-5dd5-55f555a5b55d"
    • Event template - Title: [Log] log events demo
    • Event template - Description: {content}
    • Event template - Event type: Custom alert
  3. Turn off Allow merge.
  4. For Properties, add the following two properties:
    • Key K8 Id with value {dt.kubernetes.config.id}
    • Key Process Name with value The process name is -> {dt.process.name}
  5. Save your changes and wait for log data to be ingested.

If a match is found, this log event will create a problem with each triggered log event.

Problem created by defined log events.

The problem created as a result of a triggered log event will contain the information mapped from your log event configuration. The problem title is the Event title and the impact section reflects your Event type settings and additional information you configured in the description and properties of the log event.

Note that, in this example, while we have configured two properties (K8 Id and Process Name), only one appears on the problem page. This is because only the {dt.process.name} placeholder had a value in the ingested log data. The {dt.kubernetes.config.id} value was not found in that particular log entry and the defined property was ignored.