Filter Logs by Pinned Attributes and Fields

You can also filter data by using the log sources and the fields in the log messages.

  • The Pinned attributes let you filter log data based on:

    • Log sources, such as database logs, Oracle WebLogic Server logs, and so on.

    • Log entities, which are the actual log file names.

    • Labels, which are tags added to log entries when log entries match specific defined conditions. See Use Labels in Log Sources.

    • Upload names of log data uploaded on demand. See Upload Logs to Oracle Log Analytics on Demand.

    By default, the entities and collection details are available in the Pinned bucket of the Fields panel for filtering. You can pin additional fields to the Pinned bucket depending on your usage. Once pinned, the fields are moved to the Pinned bucket. You can unpin any field and remove it from the Pinned bucket and move it back to the Interesting or Other bucket.

  • Based on your search and queries, Oracle Log Analytics automatically adds fields to the Interesting bucket for your quick reference. You can pin a field that’s available under the Interesting bucket. The pinned field then gets moved to the Pinned bucket.

  • You can pin any field in the Other bucket and move it to the Pinned bucket. If you use a field from the Other bucket in your search or query, then it’s moved to the Interesting bucket.

Filter Logs by Source Attributes

In the Fields panel of Oracle Log Analytics, you can use the Log Source field to filter logs by the source attributes such as log source and log entities.

For example, to search for logs for a particular log source, such as Database Listener Alert Logs:
  1. From Oracle Log Analytics, in the Pinned section, click Log Source.
  2. In the Log Source dialog box, select Database Listener Alert Logs and click Apply.

    Note:

    • In the Log Source dialog box, you can see the occurrence trend for the available log sources in the form of sparklines. The sparklines show when the log entries corresponding to the available log sources are generated based on the time range selected in the time selector on the top right corner of the dialog box.

    • You can select all the listed items by selecting the checkbox in the header pane on the top left.

Filter Logs by Labels

Labels that represent problem conditions, such as a deadlock situation, memory issue, stuck thread, connection issue, abnormal termination, and so on, are added to the log sources that conform to any of the problem conditions. So, you can filter the logs by specifying the label for the problem condition that you’re looking for.

In the Fields panel of Oracle Log Analytics, you can use the Label field to filter log data by data labels.

  1. In Oracle Log Analytics, from the Visualize panel, select Records with Histogram.
  2. From the Pinned section, click Label.
  3. In the Label dialog box, select the label that you want to analyze, such as CriticalError, and click Apply.

    Note:

    • In the Label dialog box, you can see the occurrence trend for the available labels in the form of sparklines. The sparklines show when the log entries corresponding to the available labels are generated based on the time range selected in the time selector on the top right corner of the dialog box.

    • You can select all the listed items by selecting the checkbox in the header pane on the top left corner of the dialog box.

  4. From the Pinned section of the Fields panel, drag and drop Label to the Display Fields section of the Visualize panel.
Oracle Log Analytics displays all the log entries pertaining to the selected label.

Filter Logs by Data Uploaded on Demand

In the Fields panel of Oracle Log Analytics, you can use the Upload Name field to filter log data by data uploaded on demand.

For example, to search for uploaded log data for Microsoft SQL Server errors:
  1. Ensure that you’ve uploaded your on-demand log data as specified in Upload Logs to Oracle Log Analytics on Demand.
  2. In Oracle Log Analytics, from the Visualize panel, select Records with Histogram.
  3. From the Pinned section of the Fields panel, click Upload Name.
  4. In the Upload Name dialog box, select the entry that you want to analyze (for example, MicrosoftSQLServer_ErrorLog), and click Apply.

    Note:

    • In the Upload Name dialog box, you can see the occurrence trend for the available uploads in the form of sparklines. The sparklines show when the log entries corresponding to the available uploads are generated based on the time range selected in the time selector on the top right corner of the dialog box.

    • You can select all the listed items by selecting the checkbox in the header pane on the top left.

Oracle Log Analytics displays all the log entries for the on-demand upload name.

Filter Logs by Fields in Log Messages

You can search logs by using fields in the Fields panel.

The Fields panel of Oracle Log Analytics lists the field attributes based on which you can filter log data.

For example, to filter only those logs where the entity type is Oracle WebLogic Server, and the values of the field attribute Severity are ERROR and NOTIFICATION:
  1. From Oracle Log Analytics, in the Fields panel, click Entity Type.
  2. In the Entity Type dialog box, select Oracle WebLogic Server and click Submit.
  3. In the Fields panel, click Severity.
  4. In the Severity dialog box, select ERROR and NOTIFICATION, and click Submit.
    In the selected <field name> dialog box, you can see the occurrence trend for the available field values in the form of sparklines. The sparklines show when the log entries corresponding to the available field values were generated based on the time range chosen in the time selector on the top right corner of the dialog box.

    You can select all the listed items by selecting the checkbox in the header pane on the top left corner of the dialog box.

    Note:

    Fields such as Message, which have too many large or distinct values, are not eligible to be filtered using the Fields panel. See List of Non-Facetable Fields for the fields that can’t be filtered using the Fields panel.

    If you try to filter such fields, Oracle Log Analytics displays a message that values for the selected field can’t be displayed.

    However, you can add any such field to the Display Fields section.

  5. From the Fields panel, drag the Severity attribute and drop the attribute in the Display Fields section in the Visualize panel.

Rename a Field

You can use the rename command to rename one or more fields.

By renaming system-defined fields, you can control the names of the fields at the time of generating reports. See Rename Command in Using Oracle Log Analytics Search.

For example, to rename the Host IP Address (Client) field to clientip, in the Search field of Oracle Log Analytics, you need to enter the following command and press Enter:

* | rename 'Host IP Address (Client)' as clientip

Note:

Renaming is only a runtime operation, and it doesn’t affect the underlying data storage.

Filter Logs by Field Range

For the fields with numerical values, you can use the bucket option to group the log records into buckets based on the range of values of a field. The resultant popup window displays the counts and sparkline based on the range buckets instead of distinct values.

  1. Click the Actions icon next to the field.

    The dialog box displays the following options:
    • Filter: To display distinct individual values of the field

    • Bucket: To display the ranges of the field

  2. Select Bucket.

    In the dialog box, you can see the occurrence count for the field in the form of ranges.

    When the selected field is rendered in the visualizations such as the pie chart, bar chart, or treemap, the trend will be based on the value ranges and not the distinct individual values.

Filter Logs by Hash Mask

You can use the md5 function in your queries or with the where and eval commands to filter the log data that has hash masked data.

Typically, when you create a log source and define hash masks to mask specific fields, then the resultant log data will have the hash of the fields that you can use for filtering. To extract those log records that contain the hash masked information of the fields, use the md5 function in your queries or with where and eval commands.

For example, consider the following log data:

Jul 1,2018 23:43:23 severe jack User logged in
Jul 2,2018 02:43:12 warning jack User logged out
Jul 2,2018 05:23:43 info jane User logged in

When the user name information is hash masked, then the log records will be as follows:

Jul 1,2018 23:43:23 severe 241fcf33eaa2ea61285f36559116cbad User logged in
Jul 2,2018 02:43:12 warning 241fcf33eaa2ea61285f36559116cbad User logged out
Jul 2,2018 05:23:43 info 8fb2f1187c72aab28236d54f0193a203 User logged in

The users jack and jane will have the following hash values:

jack: 241fcf33eaa2ea61285f36559116cbad
jane: 8fb2f1187c72aab28236d54f0193a203

  • Use the md5 function in your search query: Specify the query * | md5(jack) to filter the hash masked records corresponding to the user jack.
  • Use the hash with where and eval commands: To extract the log records corresponding to the user jack, you can use the hash of the user name in the search string * | where user = "241fcf33eaa2ea61285f36559116cbad".
  • Use the md5 function with where and eval commands: You can avoid using the hash for the specific user name, and instead, specify the hash mask used. For example, to extract the log records corresponding to the user jack, you can provide the search string * | where user = md5("jack").
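
The following is an added example, not part of the original documentation or of Oracle Log Analytics. It reproduces the masking and the md5-based filter on the three sample records in Python. It assumes the mask is the plain hex MD5 digest of the UTF-8 field value; the helper names (md5_hex, mask_user, where_user_is) are hypothetical.

```python
import hashlib
import re

# Constructed sample: the three log lines shown on this page.
RAW_LOGS = [
    "Jul 1,2018 23:43:23 severe jack User logged in",
    "Jul 2,2018 02:43:12 warning jack User logged out",
    "Jul 2,2018 05:23:43 info jane User logged in",
]

# Layout of the sample lines: date, time, severity, user, message.
LINE_RE = re.compile(
    r"^(?P<date>\w+ \d+,\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<severity>\w+) (?P<user>\S+) (?P<message>.+)$"
)


def md5_hex(value: str) -> str:
    """Assumed mask: hex MD5 digest of the UTF-8 field value."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def parse(line: str) -> dict:
    """Split one sample line into named fields; reject unknown layouts."""
    match = LINE_RE.match(line)
    if match is None:
        raise ValueError(f"unrecognized log line: {line!r}")
    return match.groupdict()


def mask_user(record: dict) -> dict:
    """Return a copy of the record with the user field hash masked."""
    return {**record, "user": md5_hex(record["user"])}


def where_user_is(records: list, clear_name: str) -> list:
    """Counterpart of the search string: * | where user = md5("jack")"""
    wanted = md5_hex(clear_name)
    return [r for r in records if r["user"] == wanted]


# Masked records, as they would be stored after the hash mask is applied.
MASKED = [mask_user(parse(line)) for line in RAW_LOGS]

if __name__ == "__main__":
    for rec in where_user_is(MASKED, "jack"):
        print(rec["date"], rec["time"], rec["severity"], rec["user"], rec["message"])
```

The equality filter works because the mask is deterministic: the same user name always produces the same hash, so anyone who knows or can guess a name can compute its masked value.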

Filter Logs by Annotations

If you've annotated some of the log records for easy identification or for reuse, then you can filter the logs using those annotations.

By retrieving the annotated log records, you can compare them with a new set of log records that have a similar pattern, or use them to help resolve an issue.

  1. From Oracle Log Analytics, in the Pinned section, click Annotation Identifier.
  2. In the Annotation Identifier dialog box, select the specific identifier.

    If you want to view all the log records that have annotations associated with them, then select all the identifiers.

    Click Apply.

The log records with the selected annotation are displayed.