Logs Query Tracking
Last updated on 12 June, 2023Query tracking schedules the saved log query to run at five minute intervals and collects metrics each time the query runs. These time-series metric datapoints are saved for each tracked query instance and added to the Log Tracked Queries resource group.
Query tracking is useful for example to for usage monitoring to track counts for specific logs. The tracking feature creates an instance which will contain data from one year of searching. You can create dashboards and configure alerts for anomalies and events based on these metrics.
Note: Query Tracking is only available if you have the feature enabled for your account. When query tracking is enabled, all users in your account will have access to the feature as long as they have permissions to view the Logs Tracked Queries resource. For more information, contact your Customer Success Manager.
Enabling Tracking for a Saved Query
After you save a log filtering query, you can enable tracking for the query. Query tracking will be available for any individual log query that has been saved, as long as it is not an aggregate query.
Do the following to track a saved query:
- Run your filtering query and save it as a new view.
- Select Saved Views and search for the saved query.
- Select the query tracking icon to enable tracking of the selected query.
- Select Track query to confirm.
Once tracking is enabled, a new datasource instance is created to track the results of the query at five minute intervals. The following metrics are collected:
- A count of the matched logs.
- A count of the anomalies in the matched logs.
These metrics are saved to the tracked query instance in the resource group Log Tracked Queries. You can view the information in the resources’s Raw Data tab.
Disabling Tracking for a Saved Query
Do the following to untrack a query,
- Select the tracking icon on the tracked query.
- Select Untrack to confirm.
Note the following when disabling query tracking:
- New data will not be added to the tracked query instance.
- The tracked query metrics will still be available for a period of time, unless the instance has been removed from the Log Tracked Queries resource group.
- If you enable tracking again on the query and the instance has not been deleted, it will update with new metrics. Otherwise, a new instance will be created for the new metrics.
Updating a Tracked Query
If you change the search criteria of a query that is being tracked, the metrics before and after will be based on different searches.
- The update will be recorded in the audit log.
- If the query is updated to be an aggregate query, tracking will be removed.
Deleting a Saved Query
If you delete a tracked saved query, scheduling of the query will stop. The tracked query metrics will still be available for a period of time, unless the instance has been removed from the Log Tracked Queries resource group.
Note: If a user is deleted, all the saved queries owned by the user will also be deleted.
Query Tracking Limits
Your LogicMonitor portal supports up to 15 tracked queries. If you need to track more than the limit, please reach out to your Customer Success Manager.