Log query – simply retrieve your data

Coralogix brings a new approach to machine data analytics with its Loggregation and anomaly detection capabilities, but sometimes all you need is to query your data and get fast, reliable results.

Coralogix's Log Query offers an intuitive interface with flexible query and grid-layout options, so you can query any of your data in seconds. In addition, it uses Coralogix's log template identification to let you query a log template regardless of its parameter values, without writing a query language expression or defining regular expressions.

Tutorial:

1 – Click the Logs icon on your dashboard to open the log query interface.

[Screenshot: Coralogix log query, Logs tab highlighted]

2 – Define the query text and the time window (the default is the last 15 minutes). You can write queries in Elastic 'simple query' syntax or as free text; hover over the test-tube icon (top left of the query box) for instructions. Click 'GO' to get results in seconds, or 'Clear' to reset the query to its default. Once the results are returned, the occurrences graph above the retrieved log records updates to reflect only the entries that matched the search criteria.

[Screenshot: Coralogix Logs page view]

Coralogix supports the following query types:

Unstructured logs

  • Google-styled search query – matches any log containing the combination of words queried, anywhere in the log payload and in any order. Querying Coralogix is will return the logs "Coralogix is the best", "Coralogix query is flexible" and "is Coralogix the best".
  • To match an exact string, use the form text:"your string". Thus text:"Coralogix is" will return just the log "Coralogix is the best".

JSON structured logs

  • Google-styled search query, as described above.
  • Elastic simple query – with word tokenization according to word delimiters*. Querying Key:first-name will return both the log {"Key":"my first name is John"} and the log {"Key":"the first participant's name is John"}, because the query value is tokenized into first and name and both logs contain both tokens. You can add a regex to the query with the following convention: user_id:/.*a8ffe/, which will return only logs whose user_id value (or a single token within user_id) ends with a8ffe, e.g. {"user_id":"10aefa8ffe"} and {"user_id":"48cdn9 – 555, ggypla8ffe"}.
  • Keyword search – add the .keyword suffix to the field name to query the value without tokenization. Key.keyword:first-name* will return the logs {"Key":"first-name: John"} and {"Key":"first-name: Bob"}, but not {"Key":"The first participant's name is John"}, because the pattern must match the whole stored value from its beginning, i.e. the value has to start with the exact string first-name. You can add a regex to a keyword query with the following convention: Key.keyword:/.*first.*John.*/, which will return both {"Key":"first-name: John"} and {"Key":"The first participant's name is John"}.

Note:

  • * Word delimiter tokenizer rules are documented in the Elasticsearch word delimiter token filter reference.
  • For a query to match, the searched word or phrase must match a full token (or, for .keyword fields, the full stored value).


Example 1

our log:
{
    "user" : "John",
    "post" : "Going for cookies cream is a real treat"
}

The field 'post' has the following tokens: going, for, cookies, cream, is, a, real, treat
The query: post:cook – no match, as it does not match any token in full
The query: post:cream – fully matches the token cream
The query: post:cook* – fully matches the token cookies
The query (using double quotes to capture a phrase): post:"real treat" – fully matches the exact token combination 'real treat', hence we have a match.

Example 2

our log:
{
    "aircraft" : "Boeing",
    "message" : "flight number fly1234paris has been delayed"
}

The field 'message' has the following tokens: flight, number, fly1234paris, has, been, delayed
The query: message:delayed – fully matches the token delayed
The query: message:paris – no match, as paris is only part of the token fly1234paris
The query: message:fly1234paris – fully matches the token fly1234paris

Example 3

When performing a keyword search (by adding the suffix .keyword to the Elastic field name, as described in step 2), no tokenization is performed and the field.keyword value is the entire string, with one limitation: if the string is longer than 70 characters it is truncated, so field.keyword holds only the first 70 characters. A wildcard or regex that depends on text beyond that point therefore cannot match; query the tokenized field for such cases.

our log:
{
    "aircraft" : "Boeing",
    "message" : "flight number fly1234paris has been delayed"
}

The message.keyword token is the entire string: flight number fly1234paris has been delayed

The query: message.keyword:delayed – no match, as it does not match the token in full

The query: message.keyword:flight – no match, as it does not match the token in full

The query: message.keyword:flight* – fully matches the message.keyword token

The query (using regex): message.keyword:/.*paris.*/ – fully matches the message.keyword token
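The following Python script is an added example, not part of the original tutorial and not Coralogix's own code. It models the matching rules described in step 2 and in Examples 1 to 3 (Google-styled free text, text:"exact string", tokenized field:value with wildcards, quoted phrases and /regex/, and field.keyword with the 70-character truncation) and runs them over the tutorial's sample logs, which are constructed inline. The tokenizer (split on any run of non-alphanumeric characters, lowercase), the rule that every word of an unquoted multi-word value must be present, and the case-sensitive keyword comparison are assumptions made for this example, not documented Coralogix behaviour.

```python
import re

# Constructed sample logs, copied from the tutorial's worked examples (not real data).
SAMPLE_LOGS = [
    {"user": "John", "post": "Going for cookies cream is a real treat"},
    {"aircraft": "Boeing", "message": "flight number fly1234paris has been delayed"},
    {"Key": "first-name: John"},
    {"Key": "The first participant's name is John"},
    {"user_id": "10aefa8ffe"},
    {"user_id": "48cdn9 - 555, ggypla8ffe"},
]

KEYWORD_MAX_LEN = 70  # truncation limit the tutorial states for .keyword fields


def tokenize(text):
    """Word-delimiter tokenization as assumed for this example: split on any run
    of non-alphanumeric characters and lowercase, so 'first-name' becomes
    ['first', 'name'] while 'fly1234paris' stays a single token."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def pattern_to_regex(pattern, case_sensitive):
    """Compile a query value into an anchored regex: /.../ is used as a regex,
    '*' is a wildcard, anything else is literal. Anchoring models Lucene, where
    wildcard and regex queries must cover the whole token or keyword value."""
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        body = pattern[1:-1]
    else:
        body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(rf"^(?:{body})$", 0 if case_sensitive else re.IGNORECASE)


def match_tokenized_field(value, query_value):
    """field:value on a tokenized field. A quoted value must match consecutive
    tokens; a wildcard or regex must match one full token; an unquoted value
    is itself tokenized and (assumption) every one of its tokens must be present."""
    tokens = tokenize(value)
    if len(query_value) >= 2 and query_value[0] == query_value[-1] == '"':
        phrase = tokenize(query_value[1:-1])
        n = len(phrase)
        return any(tokens[i:i + n] == phrase for i in range(len(tokens) - n + 1))
    if query_value.startswith("/") or "*" in query_value:
        rx = pattern_to_regex(query_value, case_sensitive=False)
        return any(rx.match(t) for t in tokens)
    return all(qt in tokens for qt in tokenize(query_value))


def match_keyword_field(value, query_value):
    """field.keyword:value: no tokenization; the pattern must match the entire
    stored value, i.e. the original string cut to KEYWORD_MAX_LEN characters.
    Comparison is assumed case-sensitive, as Elasticsearch keyword fields are."""
    stored = value[:KEYWORD_MAX_LEN]
    rx = pattern_to_regex(query_value.strip('"'), case_sensitive=True)
    return rx.match(stored) is not None


def payload_text(log):
    """Flatten a log record to the text that the free-text queries run over."""
    return " ".join(str(v) for v in log.values())


def matches(log, query):
    """Evaluate one query string against one log record."""
    if query.startswith('text:"') and query.endswith('"'):
        return query[len('text:"'):-1] in payload_text(log)  # exact string anywhere
    m = re.match(r"^([\w.]+):(.+)$", query)
    if m is None:  # Google-styled search: every word must be a token somewhere
        words, tokens = tokenize(query), set(tokenize(payload_text(log)))
        return bool(words) and all(w in tokens for w in words)
    field, query_value = m.group(1), m.group(2)
    if field.endswith(".keyword"):
        field, fn = field[: -len(".keyword")], match_keyword_field
    else:
        fn = match_tokenized_field
    return field in log and fn(str(log[field]), query_value)


def search(query, logs=SAMPLE_LOGS):
    """Return the indexes of the logs in `logs` that match `query`."""
    return [i for i, log in enumerate(logs) if matches(log, query)]


if __name__ == "__main__":
    for q in ["post:cook", "post:cook*", 'post:"real treat"', "message:paris",
              "message.keyword:delayed", "message.keyword:/.*paris.*/",
              "Key:first-name", "Key.keyword:first-name*", "user_id:/.*a8ffe/"]:
        print(f"{q:32} -> {search(q)}")
    # The truncation caveat: the marker sits past the 70th character of the value.
    long_log = [{"message": "x" * 69 + " sensitive-marker"}]
    print("message:marker             ->", search("message:marker", long_log))
    print("message.keyword:/.*marker/ ->", search("message.keyword:/.*marker/", long_log))
```

Running it reproduces the tutorial's results (post:cook fails, post:cook* matches, message.keyword:delayed fails, user_id:/.*a8ffe/ finds both user_id logs) and adds one case the text only states: a marker that sits past the 70th character of a long value is found by message:marker but never by message.keyword:/.*marker/. For detection and hunting queries this matters twice over: an indicator embedded inside a token, such as the suffix of a user ID, needs a wildcard or regex rather than a plain term, and anything anchored at the end of a long .keyword value is unreliable.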

[Screenshot: Coralogix log query, Google-styled search]

[Screenshot: Coralogix log query, Elastic simple query]

3 – To query the surroundings of a log in your results, select that log, click the 'Query selected log before & After' button, and choose the desired timeframe. This retrieves all logs before and after the selected log from the same application and subsystem.

[Screenshot: Coralogix log query, before and after]

4 – To view long text logs, select text for querying or alerting, or visualize JSON fields, select a log and click the three dots that appear, or press the space bar.

[Screenshot: Coralogix info panel]

5 – Use Loggregation to view the unique templates of your logs and their variable models (note that Loggregation takes 24 hours to become active).

[Screenshot: Coralogix log query, Loggregation]

Start using Coralogix now and enjoy a whole new world of simple and flexible ways to retrieve your data.
