10 Save and Share Log Searches

After you create and execute a search query, you can save and share your log searches as a widget for further reuse. If you’ve created the widget based on a fixed time range, then every time that you open the widget, it will show the results for the time range that you specified in the search. If you’ve created the widget for a relative time range (say the last 7 days), then every time that you open the widget, it will show the up-to-date results as per the time selector (Last 7 days).

Using saved searches, other users can also access the search query.

Save a Search and Add It to a Dashboard

After you've entered a search query and displayed the results in a chart, to save the search as a widget:

  1. Click Save.

  2. Enter the name and description of the widget.

    You can now add this widget to a custom dashboard. See Create Custom Dashboards.

    You can view the number of saved searches in your Oracle Log Analytics instance from the Configuration page.

    You can also save your search directly to a dashboard. After you've entered a search query and displayed the results in a chart, to save the search to a dashboard:

    1. Click Save.

    2. Click the Add to dashboard check box.

    3. In the Dashboard field, click the down arrow, and select the name of the dashboard to which you want to save the search. If you want to save the search to a new dashboard, then select New Dashboard and enter the name of the new dashboard.

      Click Save.

    You can now access the saved search from the specified dashboard.

    From Oracle Log Analytics, click the OMC Navigation icon (open menu icon) in the top left corner of the interface.

    In the OMC Navigation bar, click Administration Home.

    Clicking the count of saved searches link displays the Saved Searches page where you can view the list of built-in and custom saved searches. The built-in saved searches are represented with gear icons and the custom ones are represented with human icons.

    Click the Action icon next to a saved search entry to display the following menu options:

    • Delete: Lets you delete a custom saved search. A built-in search can’t be deleted. In the case of a built-in search, the Delete option is grayed out (disabled).

    • View in Log Explorer: Lets you open the saved search in the Oracle Log Analytics Explorer view.

    • Accelerate Search: Allows you to accelerate the selected search.

      When you save a query as a saved search and enable accelerated search, the query is executed periodically in the back end and the result is stored. This lets the result for the query's time range be retrieved in less time than usual. However, if the saved result data is not accessed for a long time, then the data is deleted for storage optimization.

    • Show Query: Displays the query used for the search. You can additionally copy the query to the clipboard.

Create Alerts for Saved Searches

You can create alert rules based on saved searches by specifying the threshold, time range, and recipient of the email notification. When the search criteria meet the threshold value over the specified time interval, an alert is generated and an email notification is sent to the specified recipient.

For example, you want your system administrator to be notified with a warning or critical email about any of your monitored targets throwing the ORA-0600 error message more than three to five times in the past seven days. To do this, you save your search and set an alert rule for it.

  1. In Oracle Log Analytics, in the Search field, enter the following:

    ORA-0600 | stats count by Target

  2. From the Search Dates list, select Last 7 Days and click Run.

  3. Click Save.

  4. In the Save Search dialog box, enter the search name.

    You can click Add Search Description and enter an optional description for the search.

  5. Click Create alert rule.

    In the Rule Name field, enter a rule name.

    You can click Add Rule Description and enter an optional description for the rule.

  6. For Condition Type, select Fixed Threshold or Anomaly.

    The anomaly based alert rule will be automatically enabled after the data is collected for 30 intervals.

    You can save a maximum of 50 scheduled alerts.

  7. For Operator, select >, for Warning Threshold, enter 3, and for Critical Threshold, enter 5.

  8. For Schedule Interval, specify 7 days.

    You can select Every Hour, Every Day, Every Week or a Custom setting for any value between 15 minutes to 21 days as the Schedule Interval. Your saved search runs automatically based on the interval that you specify.

    If you select Every Hour, then you can optionally specify to exclude Weekend or Non-business hours from the schedule.

    If you select Every Day, then you can optionally specify to Exclude Weekend from the schedule.

  9. If you want to customize your alert message, then under Customize Message Format, select Use custom message. You can customize any or all of the messages available under this section. For details, see Step 8 in Create An Alert Rule.

  10. In Notifications, specify the recipients of the alert notifications and in Remediation Action, select the action that must be performed automatically in response to an alert. For details, see Step 9 and Step 10 in Create An Alert Rule.

  11. Click Save.

Over a period of 21 days, whenever any of your monitored entities throws the ORA-0600 error more than the specified threshold value, an email will be sent to the specified recipient listing each entity (along with the count of the error) that crossed the threshold. The email also includes a link to the Oracle Log Analytics user interface. Clicking the link takes you to the search results for the specific time range when this alert was triggered.
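The fixed-threshold rule configured in steps 1 through 7 can be sketched outside the product. The following is an added example, not Oracle's implementation: it emulates `ORA-0600 | stats count by Target` over the last 7 days on constructed log records and applies the `>` operator with Warning 3 and Critical 5. The record fields, target names, and the assumption that the critical severity takes precedence over warning are all hypothetical.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data; field and target names are assumptions, not product output.
NOW = datetime(2024, 3, 15, 12, 0)

def _rec(days_ago, target, msg="ORA-0600: internal error code"):
    return {"time": NOW - timedelta(days=days_ago), "target": target, "message": msg}

SAMPLE = (
    [_rec(d, "db-prod-01") for d in (0.5, 1, 2, 3, 4, 6)]      # 6 hits in window
    + [_rec(d, "db-prod-02") for d in (1, 2, 3, 5)]            # 4 hits in window
    + [_rec(d, "db-test-01") for d in (1, 2, 6)]               # 3 hits, equal to the threshold
    + [_rec(d, "db-old-01") for d in (8, 9, 10, 11, 12, 13)]   # all older than 7 days
    + [_rec(1, "db-prod-02", "ORA-01555: snapshot too old")]   # different error, ignored
)

def count_by_target(records, needle, now, window=timedelta(days=7)):
    """Emulate `<needle> | stats count by Target` restricted to the last `window`."""
    start = now - window
    return Counter(
        r["target"] for r in records
        if start <= r["time"] <= now and needle in r["message"]
    )

def evaluate(counts, warning=3, critical=5):
    """Apply the `>` operator: only counts strictly above a threshold raise an alert."""
    alerts = {}
    for target, n in counts.items():
        if n > critical:            # assumed: critical takes precedence over warning
            alerts[target] = ("CRITICAL", n)
        elif n > warning:
            alerts[target] = ("WARNING", n)
    return alerts

def run(records=SAMPLE, now=NOW):
    return evaluate(count_by_target(records, "ORA-0600", now))

if __name__ == "__main__":
    for target, (severity, n) in sorted(run().items()):
        print(f"{severity:8} {target}: {n} occurrences in the last 7 days")
```

A target with exactly 3 occurrences raises nothing, because the `>` operator excludes the threshold value itself.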

Create a Saved Search from an Existing One

Use the Save As option to customize a built-in or custom saved search.

  1. In Oracle Log Analytics, click Open.

  2. In the Open dialog box, select the saved search that you want to modify and click Open.

  3. Update the search criteria based on your requirement, click the Save list, and select Save As.

  4. In the Save Search dialog box, enter a name for the updated search. Optionally, you can create an alert for the new search.

  5. Click Save.

The new search now appears in your list of saved searches.

Note:

The Save option is disabled for a built-in search. To keep your changes to a built-in search, you can only use Save As to save the updated search as a new one.

Create Alerts for Existing Saved Searches

  1. In Oracle Log Analytics, click Open.

  2. In the Open dialog box, search for the saved widget, such as ORA-0600 by Target, select the widget, and click Open.

  3. Click Alert Rules (alert rule icon).

  4. In the Alert Rules dialog box, click Create Alert Rule.

    The Create Alert Rule dialog box is displayed. Because you’re creating the alert for an existing search, in the Create Alert Rule dialog box, the search name and the search description are populated with the values that you provided when you saved the search.

  5. Enter the rule name.

  6. Specify the rule details. See Step 6 through Step 10 in Create Alerts for Saved Searches.

View Saved Search Anomaly Alerts and Baseline Charts

  1. From Oracle Log Analytics, click the OMC Navigation icon (open menu icon) in the top left corner of the interface. In the OMC Navigation bar, click Alerts.

    You can view the list of alerts with details such as Severity, Message, Entity, Entity Type, Last Updated, and Duration.

  2. Click the message corresponding to the anomaly alert that you’ve set.

    You can view the alert details.

  3. Click View more details.

    The interface displays Alert History and Trend Graph for the anomaly alert that you selected. The graph displays the anomalies detected and the baseline for the recorded data.



    • To view the trend graph corresponding to the entity of your choice, click the View list, and select the entity.

    • To view the alert rule, click the link adjacent to Associated Rule.

    • To return to Oracle Log Analytics, click the name of the saved search on the top left corner of the interface.

Associate Saved Search Alerts with Entities

Typically, saved search alerts are associated with the saved search entity type. However, to trigger actions on entities in response to the alerts, the alerts must be associated with the specific entities. For example, if an alert is raised on a Linux host entity, then a restart action can be triggered in response to the alert.

To associate a saved search alert with an entity while creating a saved search alert:

  1. Group the log records by target. For example:

    Exception | stats count by target

  2. On the result of the query, apply an Entity Type filter or an Entity filter. For example, select WebLogic Server entity type.

  3. Click Save.

  4. Enter the name for the saved search alert.

  5. Click the Create alert rule check box.

  6. Enter the rule details and save the search.

You can now view the saved search alert that you created in the alert rules list. The alert is now associated with a specific entity type and not with the saved search entity type.

Export the Search Results

Oracle Log Analytics lets you export search results in Comma-separated Values (CSV) or JavaScript Object Notation (JSON) format.

To export search results:

  1. Search for logs for a set of entities. See Search Logs by Entities.

  2. Click Export.

  3. For the file format, select Comma-Separated Values or JavaScript Object Notation.

  4. Enter a name for the file and click Export.

In the case of the Records and Histogram visualizations, the search result based on time, original log content, and all the selected display fields is exported. In the case of Table visualization, the search result based on the time and selected display field is exported. For any other visualization, the results of the query displayed in the selected visualization are exported.