Log Management and Analytics

Logs

This section contains general log information. Records can carry additional attributes: resource attributes that describe the source, as well as log record attributes that add structured log record data.

Query

Query logs in Grail.

fetch logs

Note on process entity association

The log module, in certain situations, may associate multiple process group instances with a single log. This can occur when more than one process group instance opens a file in write mode or if there are multiple process group instances in a single container. In such cases, the dt.entity.process_group_instance and dt.entity.process_group may be reported as arrays. To prepare queries for such situations, use matchesValue instead of == for equality checks.
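The two filter forms side by side, as an added example that is not part of the original documentation. It uses the sample entity ID listed on this page; the two-hour time range, the status filter and the error_count field name are assumptions chosen for illustration.

```dql
// Fragile form: == compares the attribute with a single string.
// When the log module reports dt.entity.process_group_instance as an
// array (several process group instances writing the same file, or
// sharing one container), this filter is not reliable for those records.
fetch logs, from:now() - 2h
| filter dt.entity.process_group_instance == "PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F"
| filter status == "ERROR"
| summarize error_count = count(), by:{log.source}

// Recommended form: matchesValue works whether the attribute holds a
// single string or an array of entity IDs, so records associated with
// more than one process group instance are still counted.
fetch logs, from:now() - 2h
| filter matchesValue(dt.entity.process_group_instance, "PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F")
| filter status == "ERROR"
| summarize error_count = count(), by:{log.source}
```

Run the two queries separately. The same substitution applies to filters on dt.entity.process_group.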

| Attribute | Type | Stability | Description | Examples |
| --- | --- | --- | --- | --- |
| content | string | stable | Unstructured content of the record. It should contain a human-readable message. Often it is the raw version of the record as read from a source. | No keepalive from datasource statsd. Restarting |
| dt.entity.process_group | string | stable | The entity ID of the process group that has emitted the log. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use matchesValue instead of == for equality checks. Tags: entity-id | PROCESS_GROUP-E0D8F94D9065F24F |
| dt.entity.process_group_instance | string | stable | The entity ID of the process group instance that has emitted the log. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use matchesValue instead of == for equality checks. Tags: entity-id | PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F |
| dt.source_entity | string | stable | The ID of the entity considered the source of the measurement. The string needs to be in the format of any MONITORED_ENTITY type. [1] Tags: entity-id | HOST-E0D8F94D9065F24F; PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F |
| event.type | string | stable | The unique type identifier of a given event. Tags: permission | LOG |
| log.iostream | string | stable | The I/O stream to which the log was emitted. | stdout; stderr |
| log.source | string | stable | Human-readable attribute that identifies the log stream. [2] Tags: permission | /var/log/messages; Windows Event Log; Docker Container Output; stdout |
| loglevel | string | stable | The log event severity level. | ERROR; INFO; TRACE |
| process.technology | string[] | stable | Technologies detected for the process. | [['Java', 'Tomcat'], ['Go', 'Envoy']] |
| span_id | string | experimental | A unique identifier for a span within a trace. The span_id is an 8-byte ID and is hex-encoded if shown as a string. | f76281848bd8288c |
| status | string | experimental | Overall significance of the log event, derived from the log level. Only INFO, WARN, ERROR and NONE values are allowed. | ERROR; WARN; INFO; NONE |
| timestamp | timestamp | stable | The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time; the timestamp is required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
| trace_id | string | experimental | A unique identifier for a trace. The trace_id is a 16-byte ID and is hex-encoded if shown as a string. | 357bf70f3c617cb34584b31bd4616af8 |
[1] The value of this attribute is based on the value of one of the dt.entity.<type> attributes. That means that both dt.source_entity and the corresponding dt.entity.<type> attribute are set to the same ID.

[2] Can contain, for example, a file path, standard output, or a URI, depending on the log stream type. The value should be stable for one logical source; for example, it should not be affected by log file rotation digits.