Log Management and Analytics

Logs

This section contains general log information. Records can carry additional attributes: resource attributes that describe the source, as well as log record attributes that add structured data to the log record.

Query

Logs can be queried in Grail with the following query:

fetch logs

| Attribute | Type | Stability | Description | Examples |
|---|---|---|---|---|
| content | string | experimental | Unstructured content of the record. It should contain a human-readable message. Often it is the raw version of the record read from a source. | No keepalive from datasource statsd. Restarting |
| event.type | string | stable | The unique type identifier of a given event. Tags: permission | LOG |
| log.iostream | string | stable | The I/O stream to which the log was emitted. | stdout; stderr |
| log.source | string | stable | Human-readable attribute that identifies the log stream. [1] Tags: permission | /var/log/messages; Windows Event Log; Docker Container Output; stdout |
| loglevel | string | stable | The log event severity level. | ERROR; INFO; TRACE |
| process.technology | string[] | experimental | Technologies detected for the process. | [['Java', 'Tomcat'], ['Go', 'Envoy']] |
| status | string | experimental | Overall significance of the log event, derived from the log level. Only INFO, WARN, ERROR and NONE values are allowed. | ERROR; WARN; INFO; NONE |
| timestamp | timestamp | stable | The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |

[1] Can contain, for example, a file path, standard output, or a URI, depending on the log stream type. The value should be stable for one logical source, so it should not be affected by, for example, log file rotation digits.
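The field rules above (nanosecond `timestamp` filled at ingest when missing, the four allowed `status` values, a rotation-independent `log.source`) can be checked before records are shipped. The following is an added example, not code from this documentation or its vendor; the function names, the rotation-suffix pattern, the restriction to Unix-style paths and the nanosecond plausibility window are all assumptions.

```python
import re
import time

# Allowed values are taken from the table; everything else is an assumption.
ALLOWED_STATUS = ("INFO", "WARN", "ERROR", "NONE")
# Assumed rotation suffixes: ".1", ".2.gz", "-20240131", ".2024-01-31"
ROTATION_SUFFIX = re.compile(r"([.-]\d{4}-?\d{2}-?\d{2}|\.\d+)(\.(gz|bz2|xz|zip))?$")
NS_MIN, NS_MAX = 10**18, 10**19  # epoch nanoseconds between 2001 and 2286


def stable_source(source):
    """Strip rotation digits from Unix-style paths so one logical
    source keeps one log.source value; other stream names pass through."""
    if not source.startswith("/"):
        return source
    return ROTATION_SUFFIX.sub("", source)


def check_record(record, now_ns=None):
    """Return (normalized_record, problems) for one log record dict."""
    rec, problems = dict(record), []
    ts = rec.get("timestamp")
    if ts is None:
        # No original timestamp: populate it at ingest time.
        rec["timestamp"] = now_ns if now_ns is not None else time.time_ns()
        problems.append("timestamp missing, set at ingest")
    elif isinstance(ts, bool) or not isinstance(ts, int) or not NS_MIN <= ts < NS_MAX:
        # Typical cause: seconds or milliseconds sent instead of nanoseconds.
        problems.append(f"timestamp {ts!r} is not epoch nanoseconds")
    if "status" in rec and rec["status"] not in ALLOWED_STATUS:
        problems.append(f"status {rec['status']!r} is not an allowed value")
    if "log.source" in rec:
        fixed = stable_source(rec["log.source"])
        if fixed != rec["log.source"]:
            problems.append(f"log.source {rec['log.source']!r} contains rotation digits")
            rec["log.source"] = fixed
    return rec, problems


# Constructed sample records, not real log data.
SAMPLE = [
    {"timestamp": 1649822520123123123, "status": "ERROR", "log.source": "/var/log/messages"},
    {"timestamp": 1649822520123, "status": "error", "log.source": "/var/log/messages.1"},
    {"content": "No keepalive from datasource statsd. Restarting", "log.source": "stdout"},
]

if __name__ == "__main__":
    for sample in SAMPLE:
        print(check_record(sample))
```
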