Logs Query Tracking

Last updated - 18 September, 2025

Query tracking schedules the saved log query to run at five minute intervals and collects metrics each time the query runs. These time-series metric datapoints are saved for each tracked query instance and added to the Log Tracked Queries resource group.

Query tracking is useful for example to for usage monitoring to track counts for specific logs. The tracking feature creates an instance which will contain data from one year of searching. You can create dashboards and configure alerts for anomalies and events based on these metrics.

Creating and Managing Saved Views

Saved views let you store, organize, and manage log queries in LogicMonitor for faster access, consistent usage, and easier team collaboration.

Requirements for Saving a Log Query as a Saved View

To save a log query, you must have read access to at least one device log or deviceless log.

Saving a Log Query as a Saved View

1. In LogicMonitor, navigate to the Logs page.
2. In the search bar, enter your log query and select Get Query.
   
3. Select  Save view, provide a name for the new view, and select Save as new view.
   
   The saved view displays in the view dropdown menu.
4. To access the saved view, select the view from the dropdown menu or select Manage Saved Filters.
   
   In the Manage saved filters panel, the saved view displays under the Private tab in the Ungrouped group by default. It is marked as a favorite by default.
   

Managing Saved Views

1. In LogicMonitor, navigate to the Logs page.
2. Select the Views dropdown menu and then select Manage Saved Filters.
   
3. In the Manage saved filters panel, locate the view you want to manage.
4. Select More options.
   
5. From the menu, you can perform the following actions:
   • Copy Link URL — Copy a shareable direct link to the query.
   • Rename — Update the name of the saved view.
   • Duplicate — Clone the view and optionally assign it to a different log query group.
   • Track Query — Create a tracked query using the saved query.
   • Export — Download the saved view configuration as a JSON file.
   • Move — Reassign the saved view to another query group.
   • Delete — Remove the saved view from the group.

Updating a Saved View

1. In LogicMonitor, navigate to the Logs page.
2. From the Saved views dropdown menu, select the view you want to update.
   The query of the selected view displays in the query bar.
3. In the query bar, update the query and select Run Query. 
   Ensure the query is run successfully before saving.
4. Select  Save. 
   
5. In the dropdown panel:
   1. Ensure the saved view name is displayed.
   2. Select Update.
      The saved view is updated with the latest query and configuration.
6. Alternatively, to create a new view using the same query, in the dropdown panel:
   1. Change the name of the saved view.
   2. Select Save as new view.
      
      Note: The Save as new view option is disabled when modifying an existing saved view. To create a new view instead, rename the label before saving.
      

Creating and Managing Log Query Groups

You can organize and manage saved log queries in LogicMonitor by creating query groups. Groups help ensure consistent naming, improve organization, and enable collaboration across teams. You can also track saved queries to monitor query results as metrics using DataSources.

Creating a Log Query Group

1. In LogicMonitor, navigate to the Logs page.
2. Select the Views dropdown and then select Manage Saved Filters.
3. In the Manage Saved Filters panel, select Create Group.
4. In the Create New Group modal, enter a valid group name and description, and select Save.

Managing a Group

1. In LogicMonitor, navigate to the Logs page.
2. Select the Views dropdown menu and then select Manage Saved Filters.
3. In the Manage saved filters panel, locate the group you want to manage.
4. Select More options.
   
5. From the menu, you can perform the following actions:
   • Favorite All — Mark all queries in the group as favorites.
   • Unfavorite All — Remove all queries in the group from favorites.
   • Edit Group — Update the group name or description.
   • Delete Group — Remove the group. All saved views must be deleted or moved before deletion.
   • Export Group — Export the current group configuration as a JSON file.
   • Import — Import a list of saved views from a JSON file.

Enabling Tracking for a Saved Query

After you save a log query, you can enable tracking for a basic or for an aggregate query. Tracking is available only for the saved queries.

Do the following to track a saved query:

1. In LogicMonitor, navigate to the Logs page.
2. Select the Views dropdown and then select Manage Saved Filters.
3. In the Manage saved filters panel, locate the saved view you want to track.
4. Select More options, then select Track query.
   
5. In the dialog box:
   • Review or update the query name.
   • Confirm or modify the query expression.
     
6. Select Save to create the tracked query.

For a simple query, once tracking is enabled, a new datasource instance is created to track the results of the query at five minute intervals. The following metrics are collected:

• A count of the matched logs.
• A count of the anomalies in the matched logs.

These metrics are saved to the tracked query instance in the resource group Log Tracked Queries. You can view the information in the resources’s Raw Data tab.

When you enable tracking for an aggregate query, LogicMonitor creates a dedicated DataSource to track the query results at five-minute intervals. For aggregate queries, the resulting datapoints are dynamic and depend on the fields returned by the query.

Simple and Aggregate Query Examples

The following are the examples of datapoint names for the simple and aggregate query

• Query: * | avg(_size) as average, sum(_size) as sum, max(_size) as maximum
• Datapoints: average, sum, maximum

The following are the examples of simple and complex aggregate queries:

Query Type	Query Example
Simple Aggregate Query	_message ~ "Login Failure" | count,avg(_size),max(_size)
Complex Aggregate  Query	"StatusCode" | parse /StatusCode:(?<statusCode>\d+)/ as statusCode | parse /Latency:(?<latency>\d+)ms/ as latency | parse /Method:(?<method>\w+)/ as method | avg(latency) as avg_latency_ms, count by statusCode, method
Additional Example of Complex Aggregate  Query	* | count(_size), sum(_size) by _resource.name | num(_sum/1000000000) as GB | num(_sum/_count) as avg_size | sort by GB desc | limit 25

Disabling Tracking for a Saved Query

Do the following to untrack a query,

1. Select the tracking icon on the tracked query. 
2. Select Untrack to confirm.

Note the following when disabling query tracking:

• New data will not be added to the tracked query instance.
• The tracked query metrics will still be available for a period of time, unless the instance has been removed from the Log Tracked Queries resource group.  
• If you enable tracking again on the query and the instance has not been deleted, it will update with new metrics. Otherwise, a new instance will be created for the new metrics.
• When you re-enable tracking, the system updates the existing instance with new metrics as soon as it ingests the corresponding query logs. If the instance no longer exists, it creates a new one.

Updating a Tracked Query

If you change the search criteria of a query that is being tracked, the metrics before and after will be based on different searches. 

• The update will be recorded in the audit log.
• If the query is updated to be an aggregate query, tracking will be removed.

Deleting a Saved Query

If you delete a tracked saved query, scheduling of the query will stop. The tracked query metrics will still be available for a period of time, unless the instance has been removed from the Log Tracked Queries resource group.

Query Tracking Limits

LogicMonitor portal supports up to 300 tracked queries in total:

• 250 tracked non-aggregate queries
• 50 tracked aggregate queries

The limits for aggregate and non-aggregate queries are managed separately.