• Home
  • Observe and explore
  • Logs
  • Log Monitoring v1
  • Log viewer v1

Log viewer v1

Legacy Log Monitoring v1

You are viewing documentation for Log Monitoring v1. Dynatrace Log Monitoring v1, is considered a legacy solution.

We strongly encourage you to switch to the latest Dynatrace Log Monitoring version.

  • Compare legacy Log Monitoring v1 to the latest version of Dynatrace log monitoring.
  • Switch to the latest version of Dynatrace log monitoring.

Log viewer

The Dynatrace log viewer is included in your host unit price free of charge. Dynatrace accesses and analyzes all logs that are stored on monitored host disks. To access the log viewer, in the Dynatrace menu, go to Logs and then select Analyze log files.

From the log viewer, you can access and examine only the logs that have been set to be monitored (stored).

On-demand logs

You can access any auto-discovered log by browsing through host or process screens and drilling down to the log that you are interested in. The log you drill down to will automatically be selected in the log viewer. Keep in mind that you can only view the log data for the past seven days and only one file at a time.

Logviewer 1

To view the logs for a selected process, use the log files list on individual Process pages. In the example below, the 'couchDB_ET' Process page displays two related log files. Clicking one of these opens the log viewer with that log pre-selected.

Logviewer 2

To view the logs for a selected host, use the log files list on individual host pages. Clicking one of these opens the log viewer with that log pre-selected.

Host screen indicating how to view logs.

Search patterns in log data and parse results

Log files typically contain a lot of text. One way to handle a large amount of text is to group similar log entries together and parse them. The Log Viewer enables you to present raw log data in a sortable, filterable table that is easy to work with.

Use the Log Viewer to browse through the contents of individual process log files or search selected log files using keywords. Only hosts or process groups active during the selected time frame are shown. Log results can be returned in either raw or aggregated form. You can parse the result table and narrow down the text pattern search result, show and hide specific columns, and define your own custom columns.

Bookmarks

Use a bookmark to save and reuse your search queries and filters. Any changes you make during your log analysis (log parsing and column filtering) will be saved in the bookmark. Using bookmarks, you can return to the same settings later. Remember that, the timeframe applied to bookmarked search queries and filters is the same time frame currently set on the page.

Share links

Sharing log analysis differs from bookmarks. The share link includes the selected time frame, so the person who receives the link sees exactly what you want to share in the time frame that you selected. The shared link is active only for the duration of the log retention period for that environment. Once the log retention period passes, the shared link does not work because no log data is available.

Search for text patterns in log files

To search log files for a text pattern, select the logs based on the host or process groups perspective, then search for a text pattern using the Dynatrace search query language (or leave the query box empty to return all results).

Using combinations of keywords, phrases, logical operators, and parentheses, the Dynatrace search query language provides you with complete flexibility over searches through important process-log content.

Show me everything

To return all results, leave the query box blank.

Text pattern query syntax

You can select or highlight sections or elements of the displayed log content to create or modify the text pattern search query. Select Run query to display the selected logs again.

CategoryDescriptionExample

Single–word terms

Single-word searches help you find individual word occurrences. Searches are case-insensitive.
Searched words in log files are defined as strings between any non-alphanumerical or white space character. For example, querying the string error matches both abc/error/def and error.html

plaintext
error

Phrases

Phrases are groups of words surrounded by double quotes. Phrases are treated just like single-word terms in queries. When a search phrase consists only of alphanumeric characters [a-zA-Z0-9], then the query is in fact a single-word term query, so the double quotes " " can be omitted.
You can NOT include any Boolean operators, wildcards, or groupings (see below) inside quoted phrases. Any character included within quotation marks is searched literally. For example, "what?" returns a match for what? but not for whats.

plaintext
"memory fault"
plaintext
"cat and dog"

Boolean operators

Operators can be written in either uppercase or lowercase: AND, && Log entry matches when it contains both surrounding strings. OR, || Log entry matches when it contains at least one of the surrounding strings. NOT Log entry matches when it DOES NOT contain a string after NOT. The logical operator AND is automatically inserted between single-word terms that are not surrounded by parentheses. For example, test failed is equal to test AND failed.
Precedence: NOT, AND, OR

plaintext
test AND failed
plaintext
error OR failure
plaintext
NOT passed

Grouping

Parentheses ( ) can be used to group clauses into sub-queries.

plaintext
(black OR red) AND label

Wildcards

Wildcards can be used to represent a variable or unknown alphanumeric characters in search terms. An asterisk * can be used to represent any string composed of alphanumeric characters. A question mark ? can be used to represent any single alphanumeric character.
Note: Single-character wildcard queries * or ? are not allowed.

plaintext
Start*
plaintext
*down
plaintext
ex*ed
plaintext
HTTP50?
plaintext
Imp???ible

Special characters

Special characters must be escaped with a \ (backslash) and the entire query must be enclosed in "" (double quotation marks). For example, to search for the following log entries: status\":502,\"statusText, in your query, you have to escape the \ and " double quotation marks. Also, you have to enclose everything in double quotation marks.

plaintext
"status\\\":502,\\\"statusText"

Sample queries

plaintext
Error AND Module1?2
plaintext
"Connection refused" OR Timeout
plaintext
Procedure AND (started OR stopped)
plaintext
Exception AND NOT repeat*

Advanced options

Select Advanced options to create columns based on values extracted from log data. The new columns are applied to the result of searching the log files for a text pattern. The extracted value will be the first matched per log entry.

Extract fields

To create a column, define a section of log data that should be extracted as a column. Provide a string directly preceding (val_pref) and directly following (val_suff) the value that you want to use in the column. If a match is found, everything between val_pref and val_suff will be extracted as a value in the column defined in the column declaration.

  • If you use any of the following special characters in a prefix or suffix, you need to escape them with a backslash (\):
    " - double quote
    % - percent
    , - comma
    \ - backslash
  • An extracted value type has to be one of the supported column types: INTEGER, NUMBER, STRING or BOOLEAN.
  • Matching for prefixes (val_pref) and suffixes (val_suff) is case-sensitive.
  • If the value between val_pref and val_suff doesn't match the type defined in the column type, no value will be returned for the defined column.
  • Only the first occurrence of a prefix counts. If there is no matching suffix, no value will be matched, even if a matching prefix-suffix combination occurs later in the log entry.
  • An empty suffix means matches from the prefix to the end of the log entry.
  • Whitespace isn't trimmed. The prefix and suffix have to match exactly. Additional spaces cause no match.

Column declaration is where you indicate the column type (col_type) and a column name (col_name) separated by a : (colon character).

Use the following syntax to define a column: "val_pref%{col_type:col_name}val_suff"

Literal column declaration

Because column declaration is literal, make sure you enclose it in quotation marks.

The column type determines how the value is matched against log data and greatly affects what is extracted as a value. The following are valid column types that you can use in column declaration:

INTEGER
Potentially extracted value:

  • May contain characters 0 - 9, and optionally at the beginning, + or -.
  • Can't contain spaces or underscores _.
  • Maximum token length is 20 characters.
  • Empty token is improper (doesn't imply column).
  • Represented value is in range of long Java type.
Custom columns for stored logs only

Custom columns can be applied only to centrally stored logs.

You can add, hide, or remove a custom column in your log display. Each column name must be unique. Don't use the name of any automatically detected column or repeat a custom column name you already used.

Example data that matches the INTEGER column type and will be extracted as a value in a defined column for the log entry in which it was matched:

plaintext
"1234"
"+1234"
"-1234"
Example data that does not match the INTEGER column type.

The following log data won't be listed as a value in a defined column if you use INTEGER column type:

plaintext
""
"123L"
"1_234"
"1 234"
"0x123"
"1234567890123456789012"

NUMBER
Potentially extracted value:

  • May contain characters +, -, ., e, E, and any digit between 0 - 9.
  • Must represent a decimal number in normal or scientific notation 123E456.

Example data that matches the NUMBER column type and will be extracted as a value in a defined column for the log entry in which it was matched:

plaintext
"123"
"123."
".123"
"123.4"
"123.4e12"
"123.4E56"
"+123.4e+12"
"-123.4e-12"
Example data that does not match the NUMBER column type.

The following log data won't be listed as a value in a defined column if you use NUMBER column type:

plaintext
""
"."
"123f"
"123,4"
"123e"
"123 e4"
"123e4.5"
"123.4e99"
"0x12.2P2"
Multiple column declarations

You can define multiple columns at the same time by separating each column declaration with a , (comma).
For example: "prefix1%{INTEGER:myColumn1}suffix1","prefix2%{INTEGER:myColumn2}suffix2"

STRING
All characters found between val_suff and val_suff will be treated and extracted as a string value in a defined column.

BOOLEAN
All characters found between val_suff and val_suff will be treated and matched as a boolean value in the log entry (true or false).

Field extraction examples

The following example illustrates the behavior of the extraction mechanism when specific values are used in a column definition. The output column represents the value for the log entry in the newly defined myColumn column.

Log entryPrefixSuffixColumn typeColumn definitionOutput

pref123suff

pref

suff

INTEGER

"pref%{INTEGER:myColumn}suff"

123L

pref123suff

pref

suff

NUMBER

"pref%{NUMBER:myColumn}suff"

123.0f

pref123suff pref456suff

pref

suff

INTEGER

"pref%{INTEGER:myColumn}suff"

123L

some text spanning
across multiple
pref123suff
lines of text

pref

suff

INTEGER

"pref%{INTEGER:myColumn}suff"

123L

pref

suff

INTEGER

"pref%{INTEGER:myColumn}suff"

-

pref123456""

pref

""

INTEGER

"pref%{INTEGER:myColumn}\"\""1

123456L

pref123456

pref

456

INTEGER

"pref%{INTEGER:myColumn}456"

123L

pref123suff""

pref

""

INTEGER

"pref%{INTEGER:myColumn}\"\""1

-

Pref123suff

pref

suff

INTEGER

"pref%{INTEGER:myColumn}suff"

-

pref 123 suff

pref

suff

INTEGER

"pref%{INTEGER:myColumn}suff"

-

pref
pref123suff

pref

suff

INTEGER

"pref%{INTEGER:myColumn}suff"

-

abc123def

pref

suff

INTEGER

"pref%{INTEGER:myColumn}suff"

-

pref-abc-suff

pref

suff

STRING

"pref%{STRING:myColumn}suff"

-abc-

pref:true,

pref:

,

BOOLEAN

"pref:%{BOOLEAN:myColumn}\,"1

true

1

If you use any special characters (", %, ,, \) in a prefix or suffix, you need to escape them with a backslash (\).

Column values filter

Filter for Run query only

This filter can be applied only to Run query results. It doesn't apply to Create metric.

You can apply a filter to the results of the text-pattern search, but only to the columns that aren't restricted (_Source, _Timestamp, _Content). Apply the filter to all manually and automatically parsed columns (including columns with extracted values in Advanced options). Both column names and values used in the filter are case-sensitive.

Filter for stored logs only

This filter can be applied only to centrally stored logs.

You can apply a filter to the results of the text-pattern search, but only to the columns that are not restricted (_Source, _Timestamp, _Content). Apply the filter to all manual and automatically parsed columns. Both column names and values used in the filter are case sensitive.

Every column contains a value of a specific type: string, number, integer, or Boolean true/false. Depending on the value type, the syntax of your filter can vary. For example, if the column is a number type and you assign a different value type (string, decimal, or true/false) in your filter, you will generate a parsing error.

  • Column names containing special characters (including spaces) must be enclosed in backticks.
    For example:

    plaintext
    `integer Column # 2` = 20

  • Filtered values containing quotation marks must be enclosed in double quotation marks.
    For example, the value path "test" error should be entered in the filter as:

    plaintext
    expath = "path ""test"" error"

  • Column values where the sum of the column name and value length exceeds 8191 characters are shortened with an ellipsis.

Bookmarks

An invalid column filter query will not be applied to already saved or shared bookmarks.

Filtering Syntax
CategoryDescriptionExample

Boolean

Boolean value. Wildcards aren't accepted for Boolean values (true or false).

plaintext
columnName = false
plaintext
columnName = true

Number

Number value; can be integer or decimal. Only . (period) floating point is supported and numbers must be presented without any spaces or other separators.

Number range for available types:

  • integer [-9,223,372,036,854,775,808 to 9,223,372,036,854,775,807]
  • decimal [±3.40282347E+38F] (6-7 significant decimal digits)

Wildcards aren't accepted for number type.

plaintext
columnName = 5
plaintext
columnName = 5.005

Phrase

Group of words surrounded by double quotes. Treated in search like a single word. Wildcards accepted inside the parentheses.

plaintext
columnName = "memory fault"
plaintext
columnName = "cat and dog"

Wildcard

Substitutes part of a single word term. Possible special characters:

  • ? – represents a single character
  • * – represents 0 (zero) or more characters

Wildcards aren't accepted for numbers and Boolean operators.

plaintext
columnName = "INF*"
plaintext
columnName = "WA?NING"
plaintext
columnName = "?INF*"
plaintext
columnName = "* and *"

Operator

AND - surrounding terms must exist

OR - one of the surrounding terms must exist

NOT - succeeding term or phrase must not exist

plaintext
columnName-A = "test" AND columnName-B < 200
plaintext
columnName-A = true OR columnName-B > 50
plaintext
NOT columnName-B = 200

Comparison

> (greater than)

< (less than)

>= (greater than or equal to)

<= (less than or equal to)

!= (not equal to)

= (equal to)

BETWEEN (range to test)

The AND operator must be present in this statement.

plaintext
integerColumn > 5
plaintext
integerColumn < 5
plaintext
integerColumn >= 5
plaintext
integerColumn <= 5
plaintext
integerColumn != 5
plaintext
integerColumn = 5
plaintext
integerColumn BETWEEN 9210084 AND 11420982

Group

Parentheses ( ) group clauses to form subqueries

plaintext
(columnName = "black" OR columnName = "red")
AND columnName = "label"