Log management and analytics

Latest Dynatrace
Reference

Log management and analytics is used for troubleshooting and monitoring your applications.

Audit logs

This section contains generic audit log information.

Query

Query audit logs in Grail.

fetch logs | filter isNotNull(audit.action)

Audit log - metadata

Categorization and information on the audit log.

Attribute	Type	Description	Examples
`audit.action`	string	stableAudited action.	`Access to Azure Resource Manager`; `New User Created`; `User added to Group`
`audit.identity`	string	stableUser name, service account name, or principal name that executes audited action.	`name.surname@example.com`
`audit.result`	string	stableResult of the audited action.	`Succeeded`; `Failed`
`audit.status`	string	stableStatus of the audited action.	`Started`; `In Progress`; `Succeeded`; `Failed`; `Active`; `Resolved`
`audit.time`	timestamp	experimentalTimestamp of the audited action.	`16/01/2025, 10:34 AM`
`authentication.is_multifactor`	boolean	experimentalReports whether the executant of the audited action has performed a multi-factor authentication.
`content`	string	stableUnstructured content of the record. It should contain a human-readable message. Often it is the raw version of a record read from a source.	`No keepalive from datasource statsd. Restarting`
`event.type`	string	stableThe unique type identifier of a given event.Tags: `permission`	`LOG`
`log.record.uid`	string	experimentalUnique identifier of the log record. Records sharing the same uid are considered duplicates and may be safely deduplicated. Two distinct log records MUST have different uid values. When logs are ingested from an external tool, this attribute will hold the original vendor log ID.	`c42dbd31-17b5-4270-b1a7-824a52e0d0e9`
`log.source`	string	stableHuman-readable attribute that identifies a log stream. ¹Tags: `permission`	`/var/log/messages`; `Windows Event Log`; `Docker Container Output`; `stdout`
`loglevel`	string	stableThe log event severity level.	`ERROR`; `INFO`; `TRACE`
`status`	string	experimentalOverall significance of log event, derived from log level. Only INFO and NONE values are allowed.	`INFO`; `NONE`
`timestamp`	timestamp	stableTime (UNIX Epoch time in nanoseconds) when the event originated, typically when the event was ingested into Dynatrace.	`1649822520123123123`

Can contain, for example, a file path, standard output, or an URI etc., depending on the log stream type. The value should be stable for one logical source (for example, not affected by log file rotation digits).

Audit log - audited object data

Information about the audited object.

Audit log - result

Information about the audited action result.

Attribute	Type	Description	Examples
`result.code`	long	experimentalError code associated with the result.	`0`; `50126`; `400`
`result.detail`	string	experimentalFurther details regarding the result.	`The user did not enter the right credentials`
`result.message`	string	experimentalBrief message attached to the result.	`User created successfully`; `Error validating credentials due to invalid username or password.`

Audit log - client

Information about the client app used by the identity to perform the audit action.

Attribute	Type	Description	Examples
`client.app.name`	string	experimentalThe name of the client application used to perform the request.	`MS Outlook`
`client.ip`	ipAddress	experimentalThe IP address of the client that makes the request. This can be IPv4 or IPv6.Tags: `sensitive-spans` `sensitive-user-events`	`194.232.104.141`; `2a01:468:1000:9::140`

Audit log - actor

Information regarding the actor who peformed the audited action.

Attribute	Type	Description	Examples
`actor.geo.city.name`	string	experimentalName of the city from which the actor operates.	`Rome`
`actor.geo.country.name`	string	experimentalName of the country from which the actor operates.	`Canada`
`actor.geo.location.lat`	string	experimentalThe approximate WGS84 latitude.	`45.505918`
`actor.geo.location.lon`	string	experimentalThe approximate WGS84 longitude.	`-73.614830`
`actor.ips`	ipAddress[]	stableList of the client's IP addresses (IPv4 or IPv6) from which the actor operates.	`[168.10.15.23, 2a01:468:1000:9::140]`

Audit log - device

Information regarding the device used by the identity peforming the audited action.

Attribute	Type	Description	Examples
`browser.name`	string	resource stableThe browser name.	`Chrome`
`browser.version`	string	resource stableThe browser version.	`Version 142.0.7444.176`
`device.id`	string	experimentalGUID that uniquely identifies the device which is used to perform the audited action.	`11c1add1-612a-483d-8b24-cccbb35d3306`
`device.name`	string	experimentalThe name associated with the device which is used to perform the audited action.	`DEVICE-HOFW9324FJN`
`device.os.name`	string	experimentalHuman-readable operating system name.	`MacOs`; `Windows`

Audit log - cloud provider

The cloud provider information (if any) associated with the audit logs.

Attribute	Type	Description	Examples
`cloud.provider`	string	resource stableName of the cloud provider.	`alibaba_cloud`

Audit log - Azure tenant

The Azure tenant information (if any) associated with the audit logs.

Attribute	Type	Description	Examples
`azure.tenant.id`	string	resource experimentalUnique, immutable identifier assigned to the Azure tenant.	`37c4add3-612a-483d-8b24-cccbb35d3306`
`azure.tenant.name`	string	resource experimentalName assigned to the Azure tenant.	`MyAzureTenant`

Audit log - AWS account

The AWS account (if any) associated with the audit logs.

Attribute	Type	Description	Examples
`aws.account.id`	string	resource stableThe 12-digit number, such as 123456789012, that uniquely identifies an AWS account.Tags: `permission` `primary-field`	`123456789012`
`aws.account.name`	string	resource experimentalName associated with the AWS account.	`example.com`

Audit log - GCP organization

The GCP organization (if any) associated with the audit logs.

Attribute	Type	Description	Examples
`gcp.organization.id`	string	resource experimentalUnique, immutable identifier assigned to an organization resource.	`123456789012`
`gcp.organization.name`	string	resource experimentalName assigned to the GCP organization.	`dynatrace.com`

Logs

This section contains general log information. There can be additional records added both resource attributes describing source as well as log record attributes to add structured log record data.

Query

Query logs in Grail.

fetch logs

Logs fields

The log module, in certain situations, may associate multiple process group instances with a single log. This can occur when more than one process group instance opens a file in write mode or if there are multiple process group instances in a single container. In such cases, the dt.entity.process_group_instance and dt.entity.process_group may be reported as arrays. To prepare queries for such situations, use matchesValue instead of == for equality checks.

Attribute	Type	Description	Examples
`content`	string	stableUnstructured content of the record. It should contain a human-readable message. Often it is the raw version of a record read from a source.	`No keepalive from datasource statsd. Restarting`
`dt.entity.process_group`	string	resource stableThe entity ID of the process group that has emitted the log. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use `matchesValue` instead of `==` for equality checks.Tags: `entity-id`	`PROCESS_GROUP-E0D8F94D9065F24F`
`dt.entity.process_group_instance`	string	resource stableThe entity ID of the process group that has emitted the log. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use `matchesValue` instead of `==` for equality checks.Tags: `entity-id`	`PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F`
`dt.source_entity`	string[]	resource stableThe entity IDs of the log's source. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use `matchesValue` instead of `==` for equality checks. ¹Tags: `entity-id`	`['PROCESS_GROUP_INSTANCE-22714B95E4BF6AE0', 'PROCESS_GROUP_INSTANCE-D6DD5FF37FBEF0DF']`
`event.type`	string	stableThe unique type identifier of a given event.Tags: `permission`	`LOG`
`log.iostream`	string	stableThe I/O stream to which the log was emitted.	`stdout`; `stderr`
`log.record.uid`	string	experimentalUnique identifier of the log record. Records sharing the same uid are considered duplicates and may be safely deduplicated. Two distinct log records MUST have different uid values. When logs are ingested from an external tool, this attribute will hold the original vendor log ID.	`c42dbd31-17b5-4270-b1a7-824a52e0d0e9`
`log.source`	string	stableHuman-readable attribute that identifies a log stream. ²Tags: `permission`	`/var/log/messages`; `Windows Event Log`; `Docker Container Output`; `stdout`
`loglevel`	string	stableThe log event severity level.	`ERROR`; `INFO`; `TRACE`
`ordinal`	long	stableThe field is used to order records produced by a single source. It is monotonically increasing across successive records, but the step between values is unspecified. The field encodes only a local (source‑specific) ordering, not a global one, so it is typically used as a secondary sort key after the timestamp to preserve the original sequence when timestamp resolution is insufficient. Examples include a byte offset within the source file or the __SEQNUM field in systemd‑journald.	`1479670`
`process.technology`	string[]	stableTechnologies detected for the process.	`['Java', 'Tomcat']`; `['Go', 'Envoy']`
`span_id`	string	experimentalA unique identifier for a span within a trace. The `span_id` is an 8-byte id and hex-encoded if shown as a string.	`f76281848bd8288c`
`status`	string	experimentalOverall significance of log event, derived from log level. Only INFO, WARN, ERROR and NONE values are allowed.	`ERROR`; `WARN`; `INFO`; `NONE`
`timestamp`	timestamp	stableThe time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.	`1649822520123123123`
`trace_id`	string	experimentalA unique identifier for a trace. The `trace_id` is a 16-byte id and hex-encoded if shown as a string.	`357bf70f3c617cb34584b31bd4616af8`

The value of this field will be based on the value of one of the dt.entity.<type> fields. This means that the dt.source_entity and dt.entity.<type> fields will both be set to the same ID.

Log management and analytics

Latest Dynatrace
Reference

Log management and analytics is used for troubleshooting and monitoring your applications.

Audit logs

This section contains generic audit log information.

Query

Query audit logs in Grail.

fetch logs | filter isNotNull(audit.action)

Audit log - metadata

Categorization and information on the audit log.

Attribute	Type	Description	Examples
`audit.action`	string	stableAudited action.	`Access to Azure Resource Manager`; `New User Created`; `User added to Group`
`audit.identity`	string	stableUser name, service account name, or principal name that executes audited action.	`name.surname@example.com`
`audit.result`	string	stableResult of the audited action.	`Succeeded`; `Failed`
`audit.status`	string	stableStatus of the audited action.	`Started`; `In Progress`; `Succeeded`; `Failed`; `Active`; `Resolved`
`audit.time`	timestamp	experimentalTimestamp of the audited action.	`16/01/2025, 10:34 AM`
`authentication.is_multifactor`	boolean	experimentalReports whether the executant of the audited action has performed a multi-factor authentication.
`content`	string	stableUnstructured content of the record. It should contain a human-readable message. Often it is the raw version of a record read from a source.	`No keepalive from datasource statsd. Restarting`
`event.type`	string	stableThe unique type identifier of a given event.Tags: `permission`	`LOG`
`log.record.uid`	string	experimentalUnique identifier of the log record. Records sharing the same uid are considered duplicates and may be safely deduplicated. Two distinct log records MUST have different uid values. When logs are ingested from an external tool, this attribute will hold the original vendor log ID.	`c42dbd31-17b5-4270-b1a7-824a52e0d0e9`
`log.source`	string	stableHuman-readable attribute that identifies a log stream. ¹Tags: `permission`	`/var/log/messages`; `Windows Event Log`; `Docker Container Output`; `stdout`
`loglevel`	string	stableThe log event severity level.	`ERROR`; `INFO`; `TRACE`
`status`	string	experimentalOverall significance of log event, derived from log level. Only INFO and NONE values are allowed.	`INFO`; `NONE`
`timestamp`	timestamp	stableTime (UNIX Epoch time in nanoseconds) when the event originated, typically when the event was ingested into Dynatrace.	`1649822520123123123`

Audit log - audited object data

Information about the audited object.

Audit log - result

Information about the audited action result.

Attribute	Type	Description	Examples
`result.code`	long	experimentalError code associated with the result.	`0`; `50126`; `400`
`result.detail`	string	experimentalFurther details regarding the result.	`The user did not enter the right credentials`
`result.message`	string	experimentalBrief message attached to the result.	`User created successfully`; `Error validating credentials due to invalid username or password.`

Audit log - client

Information about the client app used by the identity to perform the audit action.

Attribute	Type	Description	Examples
`client.app.name`	string	experimentalThe name of the client application used to perform the request.	`MS Outlook`
`client.ip`	ipAddress	experimentalThe IP address of the client that makes the request. This can be IPv4 or IPv6.Tags: `sensitive-spans` `sensitive-user-events`	`194.232.104.141`; `2a01:468:1000:9::140`

Audit log - actor

Information regarding the actor who peformed the audited action.

Attribute	Type	Description	Examples
`actor.geo.city.name`	string	experimentalName of the city from which the actor operates.	`Rome`
`actor.geo.country.name`	string	experimentalName of the country from which the actor operates.	`Canada`
`actor.geo.location.lat`	string	experimentalThe approximate WGS84 latitude.	`45.505918`
`actor.geo.location.lon`	string	experimentalThe approximate WGS84 longitude.	`-73.614830`
`actor.ips`	ipAddress[]	stableList of the client's IP addresses (IPv4 or IPv6) from which the actor operates.	`[168.10.15.23, 2a01:468:1000:9::140]`

Audit log - device

Information regarding the device used by the identity peforming the audited action.

Attribute	Type	Description	Examples
`browser.name`	string	resource stableThe browser name.	`Chrome`
`browser.version`	string	resource stableThe browser version.	`Version 142.0.7444.176`
`device.id`	string	experimentalGUID that uniquely identifies the device which is used to perform the audited action.	`11c1add1-612a-483d-8b24-cccbb35d3306`
`device.name`	string	experimentalThe name associated with the device which is used to perform the audited action.	`DEVICE-HOFW9324FJN`
`device.os.name`	string	experimentalHuman-readable operating system name.	`MacOs`; `Windows`

Audit log - cloud provider

The cloud provider information (if any) associated with the audit logs.

Attribute	Type	Description	Examples
`cloud.provider`	string	resource stableName of the cloud provider.	`alibaba_cloud`

Audit log - Azure tenant

The Azure tenant information (if any) associated with the audit logs.

Attribute	Type	Description	Examples
`azure.tenant.id`	string	resource experimentalUnique, immutable identifier assigned to the Azure tenant.	`37c4add3-612a-483d-8b24-cccbb35d3306`
`azure.tenant.name`	string	resource experimentalName assigned to the Azure tenant.	`MyAzureTenant`

Audit log - AWS account

The AWS account (if any) associated with the audit logs.

Attribute	Type	Description	Examples
`aws.account.id`	string	resource stableThe 12-digit number, such as 123456789012, that uniquely identifies an AWS account.Tags: `permission` `primary-field`	`123456789012`
`aws.account.name`	string	resource experimentalName associated with the AWS account.	`example.com`

Audit log - GCP organization

The GCP organization (if any) associated with the audit logs.

Attribute	Type	Description	Examples
`gcp.organization.id`	string	resource experimentalUnique, immutable identifier assigned to an organization resource.	`123456789012`
`gcp.organization.name`	string	resource experimentalName assigned to the GCP organization.	`dynatrace.com`

Logs

This section contains general log information. There can be additional records added both resource attributes describing source as well as log record attributes to add structured log record data.

Query

Query logs in Grail.

fetch logs

Logs fields

Attribute	Type	Description	Examples
`content`	string	stableUnstructured content of the record. It should contain a human-readable message. Often it is the raw version of a record read from a source.	`No keepalive from datasource statsd. Restarting`
`dt.entity.process_group`	string	resource stableThe entity ID of the process group that has emitted the log. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use `matchesValue` instead of `==` for equality checks.Tags: `entity-id`	`PROCESS_GROUP-E0D8F94D9065F24F`
`dt.entity.process_group_instance`	string	resource stableThe entity ID of the process group that has emitted the log. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use `matchesValue` instead of `==` for equality checks.Tags: `entity-id`	`PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F`
`dt.source_entity`	string[]	resource stableThe entity IDs of the log's source. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use `matchesValue` instead of `==` for equality checks. ¹Tags: `entity-id`	`['PROCESS_GROUP_INSTANCE-22714B95E4BF6AE0', 'PROCESS_GROUP_INSTANCE-D6DD5FF37FBEF0DF']`
`event.type`	string	stableThe unique type identifier of a given event.Tags: `permission`	`LOG`
`log.iostream`	string	stableThe I/O stream to which the log was emitted.	`stdout`; `stderr`
`log.record.uid`	string	experimentalUnique identifier of the log record. Records sharing the same uid are considered duplicates and may be safely deduplicated. Two distinct log records MUST have different uid values. When logs are ingested from an external tool, this attribute will hold the original vendor log ID.	`c42dbd31-17b5-4270-b1a7-824a52e0d0e9`
`log.source`	string	stableHuman-readable attribute that identifies a log stream. ²Tags: `permission`	`/var/log/messages`; `Windows Event Log`; `Docker Container Output`; `stdout`
`loglevel`	string	stableThe log event severity level.	`ERROR`; `INFO`; `TRACE`
`ordinal`	long	stableThe field is used to order records produced by a single source. It is monotonically increasing across successive records, but the step between values is unspecified. The field encodes only a local (source‑specific) ordering, not a global one, so it is typically used as a secondary sort key after the timestamp to preserve the original sequence when timestamp resolution is insufficient. Examples include a byte offset within the source file or the __SEQNUM field in systemd‑journald.	`1479670`
`process.technology`	string[]	stableTechnologies detected for the process.	`['Java', 'Tomcat']`; `['Go', 'Envoy']`
`span_id`	string	experimentalA unique identifier for a span within a trace. The `span_id` is an 8-byte id and hex-encoded if shown as a string.	`f76281848bd8288c`
`status`	string	experimentalOverall significance of log event, derived from log level. Only INFO, WARN, ERROR and NONE values are allowed.	`ERROR`; `WARN`; `INFO`; `NONE`
`timestamp`	timestamp	stableThe time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.	`1649822520123123123`
`trace_id`	string	experimentalA unique identifier for a trace. The `trace_id` is a 16-byte id and hex-encoded if shown as a string.	`357bf70f3c617cb34584b31bd4616af8`

The value of this field will be based on the value of one of the dt.entity.<type> fields. This means that the dt.source_entity and dt.entity.<type> fields will both be set to the same ID.