You are viewing documentation for Log Monitoring v1. Dynatrace Log Monitoring v1, is considered a legacy solution.
Log Monitoring v1 will reach the end of life and will be switched off in November 2023.
SaaS environments will be automatically upgraded to LMA or LMC.
We strongly encourage you to switch to the latest Dynatrace Log Monitoring version.
If you are currently using Dynatrace SaaS, upgrade to the latest version of Dynatrace log monitoring.
The Dynatrace log viewer is included in your host unit price free of charge. Dynatrace accesses and analyzes all logs that are stored on monitored host disks. To access the log viewer, go to Logs or Logs & Events (latest Dynatrace) and then select Analyze log files.
From the log viewer, you can access and examine only the logs that have been set to be monitored (stored).
You can access any auto-discovered log by browsing through host or process screens and drilling down to the log that you are interested in. The log you drill down to will automatically be selected in the log viewer. Keep in mind that you can only view the log data for the past seven days and only one file at a time.
To view the logs for a selected process, use the log files list on individual Process pages. In the example below, the 'couchDB_ET' Process page displays two related log files. Clicking one of these opens the log viewer with that log pre-selected.
To view the logs for a selected host, use the log files list on individual host pages. Clicking one of these opens the log viewer with that log pre-selected.
Log files typically contain a lot of text. One way to handle a large amount of text is to group similar log entries together and parse them. The Log Viewer enables you to present raw log data in a sortable, filterable table that is easy to work with.
Use the Log Viewer to browse through the contents of individual process log files or search selected log files using keywords. Only hosts or process groups active during the selected time frame are shown. Log results can be returned in either raw or aggregated form. You can parse the result table and narrow down the text pattern search result, show and hide specific columns, and define your own custom columns.
Use a bookmark to save and reuse your search queries and filters. Any changes you make during your log analysis (log parsing and column filtering) will be saved in the bookmark. Using bookmarks, you can return to the same settings later. Remember that, the timeframe applied to bookmarked search queries and filters is the same time frame currently set on the page.
Sharing log analysis differs from bookmarks. The share link includes the selected time frame, so the person who receives the link sees exactly what you want to share in the time frame that you selected. The shared link is active only for the duration of the log retention period for that environment. Once the log retention period passes, the shared link does not work because no log data is available.
To search log files for a text pattern, select the logs based on the host or process groups perspective, then search for a text pattern using the Dynatrace search query language (or leave the query box empty to return all results).
Using combinations of keywords, phrases, logical operators, and parentheses, the Dynatrace search query language provides you with complete flexibility over searches through important process-log content.
To return all results, leave the query box blank.
You can select or highlight sections or elements of the displayed log content to create or modify the text pattern search query. Select Run query to display the selected logs again.
Category
Description
Example
Single–word terms
Single-word searches help you find individual word occurrences. Searches are case-insensitive.
Searched words in log files are defined as strings between any non-alphanumerical or white space character. For example, querying the string error
matches both abc/error/def
and error.html
error
Phrases
Phrases are groups of words surrounded by double quotes. Phrases are treated just like single-word terms in queries. When a search phrase consists only of alphanumeric characters [a-zA-Z0-9]
, then the query is in fact a single-word term query, so the double quotes " "
can be omitted.
You can NOT include any Boolean operators, wildcards, or groupings (see below) inside quoted phrases. Any character included within quotation marks is searched literally. For example, "what?"
returns a match for what?
but not for whats
.
"memory fault"
"cat and dog"
Boolean operators
Operators can be written in either uppercase or lowercase: AND
, &&
Log entry matches when it contains both surrounding strings. OR
, ||
Log entry matches when it contains at least one of the surrounding strings. NOT
Log entry matches when it DOES NOT contain a string after NOT
. The logical operator AND
is automatically inserted between single-word terms that are not surrounded by parentheses. For example, test failed
is equal to test AND failed
.
Precedence: NOT
, AND
, OR
test AND failed
error OR failure
NOT passed
Grouping
Parentheses ( )
can be used to group clauses into sub-queries.
(black OR red) AND label
Wildcards
Wildcards can be used to represent a variable or unknown alphanumeric characters in search terms. An asterisk *
can be used to represent any string composed of alphanumeric characters. A question mark ?
can be used to represent any single alphanumeric character.
Single-character wildcard queries *
or ?
are not allowed.
Start*
*down
ex*ed
HTTP50?
Imp???ible
Special characters
Special characters must be escaped with a \
(backslash) and the entire query must be enclosed in ""
(double quotation marks). For example, to search for the following log entries: status\":502,\"statusText
, in your query, you have to escape the \
and "
double quotation marks. Also, you have to enclose everything in double quotation marks.
"status\\\":502,\\\"statusText"
Error AND Module1?2
"Connection refused" OR Timeout
Procedure AND (started OR stopped)
Exception AND NOT repeat*
Select Advanced options to create columns based on values extracted from log data. The new columns are applied to the result of searching the log files for a text pattern. The extracted value will be the first matched per log entry.
To create a column, define a section of log data that should be extracted as a column. Provide a string directly preceding (val_pref
) and directly following (val_suff
) the value that you want to use in the column. If a match is found, everything between val_pref
and val_suff
will be extracted as a value in the column defined in the column declaration.
\
):"
- double quote%
- percent,
- comma\
- backslashval_pref
) and suffixes (val_suff
) is case-sensitive.val_pref
and val_suff
doesn't match the type defined in the column type, no value will be returned for the defined column.Column declaration is where you indicate the column type (col_type
) and a column name (col_name
) separated by a :
(colon character).
Use the following syntax to define a column: "val_pref%{col_type:col_name}val_suff"
Because column declaration is literal, make sure you enclose it in quotation marks.
The column type determines how the value is matched against log data and greatly affects what is extracted as a value. The following are valid column types that you can use in column declaration:
INTEGER
Potentially extracted value:
0
- 9
, and optionally at the beginning, +
or -
._
.Custom columns can be applied only to centrally stored logs.
You can add, hide, or remove a custom column in your log display. Each column name must be unique. Don't use the name of any automatically detected column or repeat a custom column name you already used.
Example data that matches the INTEGER column type and will be extracted as a value in a defined column for the log entry in which it was matched:
"1234""+1234""-1234"
The following log data won't be listed as a value in a defined column if you use INTEGER column type:
"""123L""1_234""1 234""0x123""1234567890123456789012"
NUMBER
Potentially extracted value:
+
, -
, .
, e
, E
, and any digit between 0 - 9
.123E456
.Example data that matches the NUMBER column type and will be extracted as a value in a defined column for the log entry in which it was matched:
"123""123."".123""123.4""123.4e12""123.4E56""+123.4e+12""-123.4e-12"
The following log data won't be listed as a value in a defined column if you use NUMBER column type:
""".""123f""123,4""123e""123 e4""123e4.5""123.4e99""0x12.2P2"
You can define multiple columns at the same time by separating each column declaration with a ,
(comma).
For example: "prefix1%{INTEGER:myColumn1}suffix1","prefix2%{INTEGER:myColumn2}suffix2"
STRING
All characters found between val_suff
and val_suff
will be treated and extracted as a string value in a defined column.
BOOLEAN
All characters found between val_suff
and val_suff
will be treated and matched as a boolean value in the log entry (true
or false
).
The following example illustrates the behavior of the extraction mechanism when specific values are used in a column definition. The output column represents the value for the log entry in the newly defined myColumn
column.
Log entry
Prefix
Suffix
Column type
Column definition
Output
pref123suff
pref
suff
INTEGER
"pref%{INTEGER:myColumn}suff"
123L
pref123suff
pref
suff
NUMBER
"pref%{NUMBER:myColumn}suff"
123.0f
pref123suff pref456suff
pref
suff
INTEGER
"pref%{INTEGER:myColumn}suff"
123L
some text spanningacross multiplepref123sufflines of text
pref
suff
INTEGER
"pref%{INTEGER:myColumn}suff"
123L
pref
suff
INTEGER
"pref%{INTEGER:myColumn}suff"
-
pref123456
pref
456
INTEGER
"pref%{INTEGER:myColumn}456"
123L
Pref123suff
pref
suff
INTEGER
"pref%{INTEGER:myColumn}suff"
-
pref 123 suff
pref
suff
INTEGER
"pref%{INTEGER:myColumn}suff"
-
prefpref123suff
pref
suff
INTEGER
"pref%{INTEGER:myColumn}suff"
-
abc123def
pref
suff
INTEGER
"pref%{INTEGER:myColumn}suff"
-
pref-abc-suff
pref
suff
STRING
"pref%{STRING:myColumn}suff"
-abc-
If you use any special characters ("
, %
, ,
, \
) in a prefix or suffix, you need to escape them with a backslash (\
).
This filter can be applied only to Run query results. It doesn't apply to Create metric.
You can apply a filter to the results of the text-pattern search, but only to the columns that aren't restricted (_Source
, _Timestamp
, _Content
). Apply the filter to all manually and automatically parsed columns (including columns with extracted values in Advanced options). Both column names and values used in the filter are case-sensitive.
This filter can be applied only to centrally stored logs.
You can apply a filter to the results of the text-pattern search, but only to the columns that are not restricted (_Source
, _Timestamp
, _Content
). Apply the filter to all manual and automatically parsed columns. Both column names and values used in the filter are case sensitive.
Every column contains a value of a specific type: string, number, integer, or Boolean true/false. Depending on the value type, the syntax of your filter can vary. For example, if the column is a number type and you assign a different value type (string, decimal, or true/false) in your filter, you will generate a parsing error.
Column names containing special characters (including spaces) must be enclosed in backticks.
For example:
`integer Column # 2` = 20
Filtered values containing quotation marks must be enclosed in double quotation marks.
For example, the value path "test" error
should be entered in the filter as:
expath = "path ""test"" error"
Column values where the sum of the column name and value length exceeds 8191 characters are shortened with an ellipsis.
An invalid column filter query will not be applied to already saved or shared bookmarks.
Category
Description
Example
Boolean
Boolean value. Wildcards aren't accepted for Boolean values (true
or false
).
columnName = false
columnName = true
Number
Number value; can be integer or decimal. Only .
(period) floating point is supported and numbers must be presented without any spaces or other separators.
Number range for available types:
Wildcards aren't accepted for number type.
columnName = 5
columnName = 5.005
Phrase
Group of words surrounded by double quotes. Treated in search like a single word. Wildcards accepted inside the parentheses.
columnName = "memory fault"
columnName = "cat and dog"
Wildcard
Substitutes part of a single word term. Possible special characters:
?
– represents a single character*
– represents 0 (zero) or more charactersWildcards aren't accepted for numbers and Boolean operators.
columnName = "INF*"
columnName = "WA?NING"
columnName = "?INF*"
columnName = "* and *"
Operator
AND - surrounding terms must exist
OR - one of the surrounding terms must exist
NOT - succeeding term or phrase must not exist
columnName-A = "test" AND columnName-B < 200
columnName-A = true OR columnName-B > 50
NOT columnName-B = 200
Comparison
> (greater than)
< (less than)
>= (greater than or equal to)
<= (less than or equal to)
!= (not equal to)
= (equal to)
BETWEEN (range to test)
The AND operator must be present in this statement.
integerColumn > 5
integerColumn < 5
integerColumn >= 5
integerColumn <= 5
integerColumn != 5
integerColumn = 5
integerColumn BETWEEN 9210084 AND 11420982
Group
Parentheses ( ) group clauses to form subqueries
(columnName = "black" OR columnName = "red")AND columnName = "label"