Issues Visualization

Issues visualization helps you identify new issues in your logs in the selected time range. These are the issues that are found in the selected time range but are not present in the baseline time range (typically the last 12 hours) specified for the analysis.

Issues visualization analyzes the logs in the following order:

  1. It creates clusters of log records by grouping similar log records. To know more about clustering, see Clusters Visualization.

  2. The clusters that are common in both the time ranges are removed.

    Next, it applies the cluster compare utility to draw the comparison between the unique clusters in the two time ranges. For more information on how cluster compare works, see Use Cluster Compare Utility and clustercompare.

  3. In the remaining log records, only those that have keywords related to issues, such as error or exception, or labels related to issues are displayed. You can customize your sources to add new labels and problem priority indication to your logs using the label definitions in the source. See Use Labels in Sources.

Baseline time: This is the time range that best groups the typical set of logs that your system would generate. Select the time range that captures the entire cycle of log generation, for example, 8 hours, 12 hours, 1 day, or 5 days. A longer baseline range may result in a longer time to run the query.

Time range for analysis: This is the time range that has the logs of your interest for analysis. Use the time selector to identify this range.

How is the comparison scope identified: Based on your selection of the baseline time and the time range of the logs for analysis, first the time range for analysis is fixed. Next, the baseline range is located to precede the time range of analysis.

For example, if you select the analysis time range as Last 60 minutes, and the baseline range as 12 hours, then:

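|==================================|=====================|
| Baseline Time Range              | Analysis Time Range |
|==================================|=====================|
| 12 hours before Last 60 minutes  | Last 60 minutes     |
| Example: 8AM - 8PM Today         | 8PM - 9PM Today     |
|==================================|=====================|
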
  1. Open the navigation menu and click Observability & Management. Under Logging Analytics, click Log Explorer.
  2. Filter the logs for suitable fields and specifications. For example, Kubernetes Container Generic Logs.
  3. From the Visualize panel, select Issues.
  4. Select the time range of the logs for analysis from the time selector. For example, Last 60 minutes.
  5. Select the baseline time range. From the Options menu, click Search options, and select the time range in hours or days from the menu. For example, 1 day.

    You can now view the issues analysis of your logs for the selected time range:


    [Figure: Issues visualization for Linux Secure Logs]

    In the above example, 1 new issue is found. Expand the row in the table to view the histogram. The cluster sample provides the sample log record from the log message signature for the cluster in which the issue is detected.

    In addition to new issues, you can also see the New Outliers found in the selected set of logs. Outliers are the log records that occurred only once in the current range and did not occur in the baseline. An outlier may or may not be an issue.

    The visualization summarizes the number of log records used in the analysis, total number of unique clusters identified, and the number of log sources in which issues were detected.

    By default, the Show Issues option is selected for the table. You can select Show Outliers to view the details of the outliers found in the clusters.

  6. Optionally, from the Options menu, click Display Options to customize your view of the Issues visualization. This can help while using the visualization in a dashboard to optimize the view.
  7. To further analyze the issues and outliers, in the clusters table, right-click the value of the Count in the row corresponding to the cluster sample of interest, and open it in a new window or tab.
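
The analysis order, the baseline window placement, and the outlier definition described above can be reproduced offline to reason about what the visualization will and will not flag. The following Python sketch is an added example, not Oracle's code: the `signature` function is an assumed stand-in for the product's clustering, only the keyword filter (not labels) is modelled, and the log records are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

ISSUE_WORDS = re.compile(r"\b(error|exception)\b")  # keywords the page names

def signature(msg):
    # Assumed stand-in for clustering: mask numeric tokens so similar records group.
    return re.sub(r"\b\d+(?:\.\d+)*\b", "<*>", msg.lower())

def windows(now, analysis, baseline):
    # The analysis range is fixed first; the baseline range directly precedes it.
    a_start = now - analysis
    return (a_start - baseline, a_start), (a_start, now)

def analyze(records, now, analysis, baseline):
    (b0, b1), (a0, a1) = windows(now, analysis, baseline)
    base = Counter(signature(m) for t, m in records if b0 <= t < b1)
    cur = Counter(signature(m) for t, m in records if a0 <= t <= a1)
    new = {s: n for s, n in cur.items() if s not in base}  # drop common clusters
    issues = {s: n for s, n in new.items() if ISSUE_WORDS.search(s)}
    outliers = {s for s, n in new.items() if n == 1}  # seen once, absent in baseline
    return issues, outliers

def at(hhmm):
    # Constructed timestamps, all on one arbitrary day.
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")

NOW = at("21:00")
RECORDS = [  # constructed sample records in the style of Linux secure logs
    (at("09:15"), "sshd[1021]: Accepted publickey for deploy from 10.0.0.5 port 50122"),
    (at("14:02"), "sshd[1188]: error: maximum authentication attempts exceeded "
                  "for root from 10.0.0.9 port 40001"),
    (at("20:05"), "sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 50990"),
    (at("20:10"), "sshd[2301]: error: maximum authentication attempts exceeded "
                  "for root from 10.0.0.9 port 40777"),
    (at("20:20"), "sshd[2400]: error: kex_exchange_identification: Connection closed by remote host"),
    (at("20:21"), "sshd[2402]: error: kex_exchange_identification: Connection closed by remote host"),
    (at("20:40"), "sudo: pam_unix(sudo:session): session opened for user root by admin(uid=0)"),
]

if __name__ == "__main__":
    issues, outliers = analyze(RECORDS, NOW, timedelta(minutes=60), timedelta(hours=12))
    for sig, count in issues.items():
        print("NEW ISSUE  x%d  %s" % (count, sig))
    for sig in sorted(outliers):
        print("NEW OUTLIER     %s" % sig)
```

The repeated authentication failure is not reported because the same cluster already exists in the baseline. A recurring error that predates the baseline window will therefore not appear as a new issue.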