LogicMonitor performs anomaly detection on log events after they are ingested and mapped to a monitored resource. A log anomaly is a log event that is new, that is, seen for the first time on the monitored resource it is associated with. Any event that cannot be associated with an existing resource in LogicMonitor is dropped, so logs from a host that is not yet a monitored resource do not appear on the Logs page at all; confirm the resource exists before relying on its logs.
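The following is an added example, not LogicMonitor's own code: a toy model of the semantics described above, run over a few constructed syslog-style lines. Each line is mapped to a resource through a constructed inventory (hostname or IP to resource name); lines that cannot be mapped are dropped rather than evaluated, and the first occurrence of a message pattern on a given resource is flagged as an anomaly while later repeats are not. The digit-masking normaliser, the inventory, the sample lines, and the `anomalies_near` helper (modelled on the Details panel's plus/minus one minute search) are all assumptions made for the example.

```python
"""Toy first-seen log anomaly detection per monitored resource (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed inventory (assumption): host or IP as it appears in the log -> resource name.
RESOURCES = {
    "web-01": "web-01.example.com",
    "10.0.0.5": "web-01.example.com",  # same resource, logged by IP
    "db-01": "db-01.example.com",
}

# Constructed sample lines (assumption): "<ISO timestamp> <host> <message>".
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 web-01 sshd[1201]: Accepted publickey for deploy from 10.0.0.9 port 51234",
    "2024-05-01T10:00:05 web-01 sshd[1203]: Accepted publickey for deploy from 10.0.0.9 port 51240",
    "2024-05-01T10:00:09 db-01 sshd[77]: Accepted publickey for deploy from 10.0.0.9 port 51300",
    "2024-05-01T10:01:30 web-01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/bash",
    "2024-05-01T10:02:00 unknown-host kernel: Out of memory: Kill process 4242",
    "2024-05-01T10:02:10 10.0.0.5 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/bash",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
DIGITS_RE = re.compile(r"\d+")


@dataclass
class LogEvent:
    timestamp: datetime
    resource: str
    message: str
    anomaly: bool  # True only for the first occurrence of the pattern on this resource


def normalise(message: str) -> str:
    """Mask digits so PIDs, ports and addresses do not make every line 'new' (assumed heuristic)."""
    return DIGITS_RE.sub("#", message)


def parse_line(line: str):
    """Split a sample line into (timestamp, host, message); None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["msg"]


def detect_anomalies(lines, inventory=RESOURCES, seen=None):
    """Map lines to resources and flag first-seen patterns.

    `seen` maps resource -> set of patterns already observed; pass the same dict
    across calls to carry state forward. Returns (events, dropped_lines).
    """
    seen = {} if seen is None else seen
    events, dropped = [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            dropped.append(line)  # unparseable: nothing to map
            continue
        ts, host, msg = parsed
        resource = inventory.get(host)
        if resource is None:
            dropped.append(line)  # cannot be associated with a resource: dropped, never evaluated
            continue
        pattern = normalise(msg)
        known = seen.setdefault(resource, set())
        is_new = pattern not in known
        known.add(pattern)
        events.append(LogEvent(ts, resource, msg, is_new))
    return events, dropped


def anomalies_near(events, resource: str, when: str, minutes: int = 1):
    """Anomalies on `resource` within +/- `minutes` of ISO time `when` (Details panel style search)."""
    centre = datetime.fromisoformat(when)
    window = timedelta(minutes=minutes)
    return [
        e for e in events
        if e.anomaly and e.resource == resource and abs(e.timestamp - centre) <= window
    ]


if __name__ == "__main__":
    evts, dropped = detect_anomalies(SAMPLE_LOGS)
    for e in evts:
        print(f"{e.timestamp.isoformat()} {e.resource:22} anomaly={e.anomaly!s:5} {e.message}")
    print("dropped (no resource):", dropped)
    print("near 10:01 on web-01:", len(anomalies_near(evts, "web-01.example.com", "2024-05-01T10:01:00")))
```

Note the two edge cases the text calls out: the `unknown-host` line is dropped because no resource matches it, and the `sudo` line logged from `10.0.0.5` is not an anomaly because the same pattern was already seen on the resource that IP maps to. Re-running the same lines with the same `seen` dictionary yields no anomalies at all, which is the "seen for the first time" semantics.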
You can see log anomalies in these places:
- The Logs page, where you can review raw logs and investigate log anomalies across your entire infrastructure.
- The Graphs tab for Alerts, where they are displayed contextually with metric alerts to help speed troubleshooting.
The Logs page provides an overview of recent log events and anomalies. The default time range is the past 5 minutes. You can select one of the other available time ranges, or define a custom range.
On the Logs page you can see raw logs and log anomalies across your entire environment, and search and filter for specific logs.
- Search and filter logs: Use the query language to troubleshoot issues and summarize your logs for reports. For more information, see Query Language Overview.
- Fields panel: Browse fields that exist in the events returned by the current query. You can see the number of events that contain a particular field value. Use the icons to show/hide fields as columns in the table. Use drag and drop to change their display order. Click the arrow icon to add a field and value pair to the query bar to refine a search. See Query Language Overview.
- Anomaly column: Shows if the log event for the resource is an anomaly.
- Severity column: Shows the alert severity for the log event.
- More actions: For each log event in the list, clicking a resource offers options to view the Resource page or to filter the Logs page on that resource. The menu to the left of each row offers options to copy the log message or to create an alert condition. See Log Alert Conditions.
- Details panel: Click on a log row to open a panel with more information, including the full log event and its metadata. You can also find quick links to add metadata fields to your query filter and run a new search for the selected field and value with a plus/minus one minute window.
- Log export: You can export log data, for example to share with a vendor when investigating an issue. Click the Download Logs CSV icon in the upper right corner to download a CSV file containing the log rows currently shown on screen. Each row holds the internal ID of the log row, the time the log event was received, the associated resource, and the log message. The file format cannot be modified.
Note: Logs from resources in a newly created resource group may take some time to be included in the log count totals. Log metadata, including resource group membership, is established at ingestion time using the resource groups that existed then, so events ingested before the group was created do not carry it.
Advanced searches include aggregation, processing, and formatting operators that help you refine and modify your search results. See Advanced Search Operators. You can view the results of an advanced search with aggregation in the Aggregate tab. Sort the table by clicking the column headers.
Graphs Tab for Alerts
When you get alerted for an issue with a monitored resource, you can troubleshoot why the issue happened with log anomalies as additional context.
If there are log anomalies related to a metric Alert, you can investigate them in the Graphs tab:
- The log anomalies graph and table display log anomaly occurrences and log messages over the time period of the alert.
- The red line in the graphs indicates when the alert was triggered in relation to the log anomalies and the graphed time series data.
In the log anomalies graph, you can open the dropdown menu and select “View Logs” to switch to the Logs page for further investigation. The Logs page will open with filters pre-selected on the Resource and the time period of the alert to display related log anomalies.