Using the Console

You can perform log searches by using either the Basic mode filter controls in the interface, or the Advanced mode custom query language interface. See Basic Search Queries and Advanced Search Queries for more information.

Note

Only a 14-day range is available when performing log search queries.

Basic Search Queries

To search and filter logs:

Open the navigation menu and click Observability & Management. Under Logging, click Search.
In Custom filters, you can start typing to automatically display filter settings, along with operators. For example, entering d displays filters starting with that letter. Use the up or down arrow keys to select from the list, or continue typing to enter what you want to filter on. For example, data.compartmentName='<tenancy_name>'.
In Select logs to search, the root compartment is already selected by default for filtering. Click this field to open the Select logs to search panel, where you can filter by compartments you have permission to work in, in addition to filtering by Log Groups and Logs. You can filter by multiple compartments and log groups. For any filters you create in this panel that you want to remove, click the filter X icon in the Select Logs to Search field.
You can limit results to a specific time range. In Filter by time, select a predetermined time range from the list, or select Custom to specify a date range in the calendar Start Date and End Date. You can also specify a time value in the box next to the calendar. Use an end time to refine the time window.
The log data in the Explore and Visualize tabs is reloaded according to your filter settings, or you can click Search to apply the filter.

Note

Since the Search page automatically refreshes after applying filters and selecting logs, you do not need to click the Search button as you select different filters. You will, however, need to click Search again after some time has passed and new logs have appeared. When performing Advanced Mode queries however, you do need to always click this button to submit a query.

Note

Filter settings are maintained when switching to Advanced Mode.

To remove a filters from the Search page, under Filters, click the X icon next to the filter.

See Viewing and Working with Search Results for more information on search results, and Visualizing Search Results for more information on visualizing Basic Mode searches.

Advanced Search Queries

When performing a search on the Logging Search page, you can click Show Advanced Mode to enter your own custom log search queries. In addition, Advanced Mode searching provides more comprehensive search options that are not available in Basic Mode.

Be default, the following is displayed in the Query field after clicking Show Advanced Mode:

search "ocid1.tenancy.oc1..<unique_id>" | sort by datetime desc

For example, you can modify this default search by entering:

search "ocid1.tenancy.oc1..<unique_id>" | sort by datetime desc
| summarize count() as cnt by rounddown(datetime,  '15m') as interval

This returns {"interval": 1600364700000,"cnt": 31} and {"interval": 1600365600000,"cnt": 220} under Log Data in the Explore tab.

When entering search queries, auto-complete hints are providing as you type (which you can select from a pop-up menu as you type), and syntax validation is performed in real time in the background as you type a query.

Note

When you switch from Advanced Mode to Basic Mode, the query is lost and is not available in Basic Mode. A warning is displayed for this scenario to confirm your preference.

The Advanced Mode search uses a specific syntax, using the Logging query language, which is described in Logging Query Language Specification .

See Viewing and Working with Search Results for more information on search results, and Visualizing Search Results for more information on visualizing Advanced Mode searches.

Saved Searches

You can save the search parameters that you use for any searches performed in both Basic Mode and Advanced Mode.

To save a search:

Open the navigation menu and click Observability & Management. Under Logging, click Saved Searches.
Under List Scope, Compartment, choose a compartment you have permission to work in. The Saved Searches page is displayed.
You can start the save operation using one of these two methods:
- From the Saved Searches page, click New Search, which opens the Logging Search page, where you can begin a search.
- From the Search page directly, whether in Basic Mode and Advanced Mode.
Apply filter and search settings as described in Basic Search Queries and Advanced Search Queries.
Click Save search. The New Saved Search panel is displayed.
In Search Name, enter a name to associate with your saved search. Avoid entering confidential information.
In Compartment, select a compartment you have permissions to work in.
In Description, enter a description for the saved search.
Click Save Search to save your search.
Note

The Search Query field cannot be edited and is view-only. It only displays the contents of your search parameters.
The search is saved and a message appears with the linked name of your saved search. Clicking the linked saved search name opens the details page for the saved search, where you can view more information about it. This page displays the following on the Saved Search Information tab:
- OCID
- Region
- Compartment
- Description
- Created date and time in UTC format.
- Last Modified date and time in UTC format.
- Search Query view-only description of the search parameters in the saved search.
- The Tags tab shows associated tags for this log.
- Under Latest Results, log data is displayed under Saved Search Data, in a similar manner as the Log Data on the Search page. You can apply some simple filters, such as sorting by newest or oldest from the Sort field, or filtering by time from the corresponding Filter by time field.
Click Explore with Log Search, which allows you to view this saved search on the Search page directly. After clicking this link, the Search page opens with the saved search loaded, whether it is a basic or advanced mode search. At this point, you can perform more analysis and investigation related to this search directly on the Search page. For more information, see Searching Logs.

While on the Search page, you can also switch between any of the saved searches by selecting them from the Saved Searches list.

Note

When editing a saved search from the Saved Searches page, you can only change the Search Name, Compartment, and Description fields in the Edit Saved Search panel. If you need to change the search parameters, create a new saved search.

Searching Multiple Regions

When performing either a basic search or advanced search on the Search page, you can search for logs from not only your home region, but also across multiple Oracle regions.

Multi-region search allows you to centrally run queries from the same location, rather than having to run a duplicate query in other regions. As result, you can more broadly search for logging events. When searching multiple regions, the results are fetched from the regions and the results are displayed on the Search page.

Note

The maximum number of search results for all regions is 10000.

To search multiple regions:

Select More search options. The Select regions to search field is displayed. By default, the field is populated with your active home region.
To add more regions, click the field. The Select regions to search panel is displayed.
Select the extra regions you want to search, and click Update regions.
On the Search page, the Select regions to search field is updated with the extra regions you have selected, and the log data in the Explore tab is reloaded according to your multi-region search settings. The Visualize tab is not available for this type of search. Under the Explore tab, when you have toggled regions off in the Show/hide regions in results panel, the tab indicates that you are viewing filtered region results.

Note

With multi-region search, you cannot create Service Connectors. You can use the Saved Searches feature in Oracle Cloud Infrastructure Logging, however, a saved search can only save the query aspect of the logging search. Multiple regions that you select are not saved.

Viewing and Working with Search Results

After you get an initial set of results, you can view more details, whether in terms of the log fields, JSON, or before and after states, and visually as a chart. On the Explore tab, a Number of log events per minute bar graph displays the number of log events, according to your filter settings. The Explore tab displays a maximum of 100 search results.

Note

To see the latest logs, ensure you click Search after time has passed while on the Search page.

Note

For any actions taken on the Explore and Visualize tabs, you can define how often to refresh the data on the Search page by selecting a value from the Autorefresh list (choose from OFF, 5 Minutes, or 15 Minutes). The default is OFF.

Your search results can also be visualized. See Visualizing Search Results for more information.

To search with Quick Start Queries

You can quickly search according to several predetermined queries. From Quick Start Queries, select a query from the list. The Search page displays the results for the chosen query.

To examine a single log entry

On the Explore tab, click the down arrow ( Logging down arrow ) to expand the log entry in JSON view.

The JSON view is displayed. In JSON view you can view the log data fields and values, collapse and expand nodes, or click the copy icon to copy the log entry to the clipboard.

To view all log data

From the Explore tab's Actions menu, select Expand log data. All the log entries from your search are fully expanded, without having to click the down arrow ( Logging down arrow ) for each one. To reverse this state, select Collapse log data to close every entry simultaneously.

To wrap or unwrap lines

From the Explore tab's Actions menu, select Wrap lines. The Wrap lines option allows you to view each entry's data with line wrapping. Select Unwrap lines to undo. The Wrap lines feature also works when you are viewing an expanded log entry in JSON view.

To switch between JSON and Before & After view

On the Explore tab, click the down arrow ( Logging down arrow ) to expand the log entry and click JSON.

The JSON view is displayed. Click the Before & After tab to switch to its view.

To examine Before & After view

On the Explore tab, click the down arrow ( Logging down arrow ) to expand the log entry and click Before & After.

The Before & After view is displayed. In contrast to the entry labeled as Current, this view displays the preceding and successive logging lines in the log object. Click Show newer entries or Show older entries to view extra corresponding newer or older entries in the Before & After view.

View more options for log entry rows and fields in JSON view

On the Explore tab, each entry has three interactive header columns, which correspond to: the log timestamp (datetime), the plugin where the log occurred (type), and the log message (data.message).

You can interact with and customize the log entry view whether a log entry is collapsed or expanded.

When clicking a collapsed entry, click one of the log entry columns to open a context-sensitive menu for that entry and the column header. The following options are shown:

Copy value
Filter matching
Note

Not available for the data.message column of an open or closed log entry.
Filter not matching
Note

Not available for the data.message column of an open or closed log entry.
Remove from summary view
Note

This option does not apply to the first default column (datetime). It is only available for new fields you add to the Explore tab's summary view, or the type and data.message columns which you can also remove.

For an expanded log entry with the JSON view visible, you can click a log field to access the following options:

Copy value
Filter matching
Filter not matching
Add to summary view

Note

These options are also available on the JSON tab of an opened Before & After view.

When selecting Add to summary view for a particular field, the field is added to the Explore tab view, to the right of the first three default columns (datetime, type, data.message). For example, if you click "logContent" and select Add to summary view, a new logContent column is added, just after data.message.

To manage and add log fields

From the Explore tab's Actions menu, select Manage log fields. The Manage log fields panel opens. Select the fields you want to add to the Explore tab and click Apply. The Explore tab reloads and appends the new fields to the right of the first three default fields (datetime, type, data.message). You can remove any added fields by clicking the X icon in the column header, which reloads the tab to display the results without the additional fields. The type and data.message columns can also be removed, so you can potentially add nine other log fields of interest, for a total of 10 columns that can be displayed in the Explore tab results. The datetime column cannot be removed.

Note

If you are managing and adding log fields in Basic Mode search and then switch to Advanced Mode, column header selections are still maintained, even as you type an advanced query.

To export log data

From the Explore tab's Actions menu, select Export log data (JSON). This feature allows you to export the log data to a JSON file that you can save to your system.

Visualizing Search Results

You can visualize your Logging Search page results, for both Basic and Advanced Mode searches.

To visualize log data as a chart in Basic Search

You can view log data graphically as a chart in Basic Mode search, along with accompanying tabular data.

Select from the following chart settings:

Visualization Type: Select from Stacked Bar, Pie, Donut, or Line. The Stacked Bar and Line charts are organized by default in terms of time (UTC) on the X-axis (datetime), and the chosen Group By logging field. You can hover the mouse over the chart data, which both highlights the area of interest, and displays the data in a tool tip. The Legend in all four chart types also provides an orientation to the displayed chart data.
X Axis (stacked bar and line charts only): Select a logging field of interest to replace the default Time in UTC X-axis.
Interval (only for stacked bar and line charts, and when datetime is the X Axis): Select from 1 minute, 5 minutes, 15 minutes, 30 minutes, or 1 hour.
Group By: Select a logging field to group the results by.

For any chart type being viewed, you can click to expand the <number of> records found list below the chart, which lists the total record sum, and the number of records at each time interval.

To visualize log data as a chart in Advanced Search

Searches can also be visualized during Advanced Mode search. When an advanced query is formulated according to a specific syntax format, the Visualize tab is also available in Advanced Mode, allowing you to view stacked bar, pie, donut, and line charts.

To view charts in Advanced Mode, create your queries using the following syntax:

Stacked Bar:
```
summarize count() by <user_selected_field1>,<user_selected_field2(optional)>
```
This query returns a table with three columns: <user_selected_field1>,<user_selected_field2>, and count. The chart uses <user_selected_field1> as the x-axis, count for the y-axis, and <user_selected_field2> for the stacked bar group by dimension.
Pie:
```
select <log_source> | summarize count() by <user_selected_field>
```
This query returns a table with two columns: <user_selected_field> and count. The chart uses <user_selected_field> as the legend, and count for the distribution of the pie chart.
Donut:
```
summarize count() by <user_selected_field>
```
This query returns a table with two columns: <user_selected_field> and count. The chart uses <user_selected_field> as the legend, and count for the distribution of the donut chart.
Line:
```
summarize count() by <user_selected_field1>,<user_selected_field2(optional)>
```
The query returns a table with three columns: <user_selected_field1>,<user_selected_field2>, and count. The chart uses <user_selected_field1> as the x-axis, count for the y-axis, and <user_selected_field2> for multiple lines group by dimension.