Viewing Logs and Log Anomalies
Last updated on 09 June, 2023LogicMonitor performs anomaly detection on log events after they are ingested and mapped to a monitored resource. Log anomalies represent log events that are new, or seen for the first time on the monitored resource it’s associated with.
You can see log anomalies in these places:
- The Logs page, where you can review raw logs and investigate log anomalies across your entire infrastructure.
- The Graphs tab for Alerts, where they are displayed contextually with metric alerts to help speed troubleshooting.
Exploring Logs
The Logs page provides an overview of recent log events and anomalies. Default time range is past 5 minutes. You can filter the time range on other available options, or create your own custom filter.
Note: For performance reasons the maximum search range is limited to 31 days. Logs are however retained for a longer period. To get logs for a full year, you can do multiple month queries (search for May, June, July, and so on).
On the Logs page you can see raw logs and log anomalies across your entire environment, and search and filter for specific logs.
- Search and filter logs—Use the query language to troubleshoot issues and summarize your logs for reports. For more information, see Query Language Overview.
- Fields panel—Browse fields that exist in the events returned by the current query. You can see the number of events that contain a particular field value. Use the icons to show/hide fields as columns in the table. Use drag and drop to change their display order. Select the arrow icon to add a field and value pair to the query bar to refine a search. For more information, see Query Language Overview.
- Anomaly column—Shows if the log event for the resource is an anomaly. For more information, see Anomaly Detection.
- Severity column—Shows the alert severity for the log event.
- More actions—For each log event line in the list, selecting a Resource will provide options to view the Resource page or filter the Logs page on the resource. Select the options menu to the left to see options to Copy log message or Create Alert Condition. For more information, see Log Alert Conditions.
- Details panel—Select a log row to open a panel with more information, including the full log event and its metadata. You can also find quick links to add metadata fields to your query filter and run a new search for the selected field and value with a plus/minus one minute window.
- Log export—You can export log data for example to share with vendors when investigating issues. Select the Download Logs CSV icon in the upper right corner to download a file in CSV format. The file will include the columns you have on the screen. Only the Time column with the time the log event was received is default. Scroll down to add the desired number of log rows to include in the download file.
Note: It may take some time before logs from resources in a newly created resource group are included in the log count totals. This is because the log metadata is established at log ingestion, and using resource groups that existed at that time.
Note: When changing the display name for a resource and searching for log entries for it, it may take some time before the new name is applied. If your search includes a time after the name change, the new name is displayed. If your search includes a time before the name change, the old name may be displayed.
Log Aggregates
Advanced searches include aggregation, processing, and formating operators that can help you to refine and modify your search results. For more information, see Advanced Search Operators. You can view the results of an advanced search with aggregation in the Aggregate tab. Sort the table by selecting the column headers.
You can also select the Merge Y-axis icon in the upper right of the graph to merge the value display on the Y axis. This is useful if you have two or more items in your graph, where some values are high and some are low. When merging the Y axis, the highest and lowest value of all the series are used as reference for all items, and the graph is adjusted accordingly. The lowest value is most commonly zero.
You can print the aggregated view to use as a report in PDF format for sharing.
Viewing Logs in Context
You can also review logs in context of other parts of the LogicMonitor platform when troubleshooting and solving issues.
Resources Page
From the Resources page, select the desired resource or resource group, and select the Logs tab. By default this shows logs from the last 5 minutes for the selected resources or groups. You can change this to show logs for a time range up to 30 minutes. From Resources you can open the Logs page to continue investigating logs.
Graphs Tab for Alerts
When you get alerted for an issue with a monitored resource, you can troubleshoot the issue with log anomalies as additional context in the Alerts page.
If there are log anomalies related to a metric Alert, you can investigate them in the Graphs tab:
- The log anomalies graph and table displays log anomaly occurrences and log messages over the time period of the alert.
- The red line in the graphs indicate when the alert was triggered in relation to the log anomalies and graphed time series data.
In the log anomalies graph, select “View Logs” from the drop-down menu to switch to the Logs page for further investigation. The Logs page will open with filters preselected on the Resource and the time period of the alert to display related log anomalies.