Search patterns in log data and parse results

Log files typically contain a lot of text. One way to handle a large amount of text is to group similar log entries together and parse them. The Log Viewer enables you to present raw log data in a sortable, filterable table format that is easy to work with.

Use the Log Viewer to browse through the contents of individual process log files or search selected log files using keywords. Only hosts or process groups active during the selected time frame are shown. Log results can be returned in either raw or aggregated form. You can parse the result table and narrow down the text pattern search result, show and hide specific columns, and define your own custom columns.

Bookmarks

Use a bookmark to save and reuse your search queries and filters. Any changes you make during your log analysis (log parsing and column filtering) will be saved within the bookmark. Using bookmarks, you can return to the same settings later, but with the default time frame.

Sharing log analysis differs from bookmarks. The share link includes the selected time frame, so the person who receives the link sees exactly what you want to share in the time frame that you selected.

Search for text patterns in log files

To search log files for a text pattern, select the logs based on the host or process groups perspective, then search for a text pattern using the DESK search query language (or leave the query box empty to return all results).

Using combinations of keywords, phrases, logical operators, and parentheses, the DESK search query language provides you with complete flexibility over searches through important process-log content.

Show me everything

To return all results, leave the query box blank.

Text pattern query syntax

You can click or highlight sections or elements of the displayed log content to create or modify the text pattern search query. Click Display log to display the selected logs again.

Category	Description	Example
Single‑word terms	Single-word searches help you find individual word occurrences. Searches are case-insensitive. Searched words in log files are defined as strings between any non-alphanumerical or white space character. For example, querying the string `error` matches both `abc/error/def` and `error.html`	`error`
Phrases	Phrases are groups of words surrounded by double quotes. Phrases are treated just like single-word terms in queries. When a search phrase consists only of alphanumeric characters `[a-zA-Z0-9]`, then the query is in fact a single-word term query, so the double quotes `" "` can be omitted. You can NOT include any Boolean operators, wildcards, or groupings (see below) inside quoted phrases. Any character included within quotation marks is searched literally. For example, `"what?"` returns a match for `what?` but not for `whats`.	`"memory fault"` `"cat and dog"`
Boolean operators	Operators can be written in either uppercase or lowercase: `AND`, `&&` Log entry matches when it contains both surrounding strings. `OR`, `\|\|` Log entry matches when it contains at least one of the surrounding strings. `NOT` Log entry matches when it DOES NOT contain a string after `NOT`. The logical operator `AND` is automatically inserted between single-word terms that are not surrounded by parentheses. For example, `test failed` is equal to `test AND failed`. Precedence: `NOT`, `AND`, `OR`	`test AND failed` `error OR failure` `NOT passed`
Grouping	Parentheses `( )` can be used to group clauses into sub-queries.	`(black OR red) AND label`
Wildcards	Wildcards can be used to represent a variable or unknown alphanumeric characters in search terms. An asterisk `` can be used to represent any string composed of alphanumeric characters. A question mark `?` can be used to represent any single alphanumeric character. Note: Single-character wildcard queries `` or `?` are not allowed.	`Start` `down` `ex*ed` `HTTP50?` `Imp???ible`

Sample queries

Error AND Module1?2

"Connection refused" OR Timeout

Procedure AND (started OR stopped)

Exception AND NOT repeat*

Free tier

Note that not all parsing and filtering options are available with the free tier of Log Monitoring. Some analysis tools may not be available in your Log viewer.
See What data storage advantages does upgraded Log Monitoring provide?

Column display

You can click on the Configure column display and apply a filter to the text pattern search, add custom columns, and show or hide any columns (including any custom columns you have added).

By default, the _Content column is set to show. Other automatically detected columns are set to show if the number of entries containing a value is high enough. If multiple columns have the same number of entries containing a value, the columns that appear higher on the columns list take precedence.

Parsing method

Early Adopter

automatic
DESK will read the log content and automatically determine the structure of the log, the type of data it contains, and how to present the results in columns. If more than 50 columns are detected, the displayed results will contain the 50 columns with the highest values count.
JSON
DESK will read the content of selected logs, determine the structure of the log, and present the results in columns only for logs that contain JSON-format data. Each automatically parsed column will represent a JSON field detected in the log entry.
none
The results reflect the actual log-file content.

Too many columns

If more than 50 columns are detected, the displayed results will contain the 50 columns with the highest values count.

Custom columns

Early Adopter

You can add, hide, or remove a custom column in your log display. Each column name must be unique. Don't use the name of any automatically detected column or repeat a custom column name you already used.

To indicate the section of a log entry that should be listed in your new column, type in the prefix and suffix, and select the type of value that you want to list in the custom column.

The matching value will be treated as the type you indicated. A text value is treated as text even when the value is a number. A number is used for general display of numbers (positive and negative). This is important for sorting purposes.

Example for creating a custom cron sessions column

In this example, we have already selected a log file and searched for the CRON text pattern.

Click Configure column display and leave the default parsing method (automatic).

Click Add custom column, type in the column name (cron sessions) and value prefix ((cron:session):).
You can leave the suffix empty, as we want the rest of the line shown in the column, and make sure that the value type is set to text (string).

Click Add custom column to accept your column configuration.

You newly added custom column will be listed along with default columns. You can show, hide, delete, and edit your custom column. Click Details for your new column to view the top values. In this case, you can easily see the number of opened and closed sessions.

Column values filter

Early Adopter

You can apply a filter to the results of the text-pattern search, but only to the columns that are not restricted (_Source, _Timestamp, _Content). Apply the filter to all manual and automatically parsed columns. Both column names and values used in the filter are case sensitive.

Every column contains a value of a specific type: text (string), number (integer), number (decimal), or Boolean true/false. Depending on the value type, the syntax of your filter can vary. For example, if the column is a number (integer) type and you assign a different value type (string, decimal, or true/false) in your filter, you will generate a parsing error.

Column names containing special characters (including spaces) must be enclosed in backticks.
For example:
```
`integer Column # 2` = 20
```
Filtered values containing quotation marks must be enclosed in double quotation marks.
For example, the value path "test" error should be entered in the filter as:
```
expath = "path ""test"" error"
```
Column values where the sum of the column name and value length exceeds 8191 characters are shortened with an ellipsis.

Bookmarks

An invalid column filter query will not be applied to already saved or shared bookmarks.

Filtering Syntax

Category	Description	Example
Boolean	Boolean value. Wildcards aren't accepted for Boolean values. (true or false)	`columnName = false` `columnName = true`
Number	Number value, can be integer or decimal. Only `.` (period) floating point is supported and numbers must be presented without any spaces or other separators. Number range for available types: integer [-9,223,372,036,854,775,808 to 9,223,372,036,854,775,807] decimal [±3.40282347E+38F] (6-7 significant decimal digits) Wildcards aren't accepted for number type.	`columnName = 5` `columnName = 5.005`
Phrase	Group of words surrounded by double quotes. Treated in search like a single word. Wildcards accepted inside the parentheses.	`columnName = "memory fault"` `columnName = "cat and dog"`
Wildcard	Substitutes part of a single word term. Possible special characters: `?` – represents a single character `*` – represents 0 (zero) or more characters Wildcards aren't accepted for numbers and Boolean operators.	`columnName = "INF"` `columnName = "WA?NING"` `columnName = "?INF"` `columnName = "* and *"`
Operator	AND - surrounding terms must exist OR - one of the surrounding terms must exist NOT - succeeding term or phrase must not exist	`columnName-A = "test" AND columnName-B < 200` `columnName-A = true OR columnName-B > 50` `NOT columnName-B = 200`
Comparison	> (greater than) < (less than) >= (greater than or equal) <= (less than or equal) != (not equal to) = (equal to) BETWEEN (range to test) The AND operator must be present in this statement.	`integerColumn > 5` `integerColumn < 5` `integerColumn >= 5` `integerColumn <= 5` `integerColumn != 5` `integerColumn = 5` `integerColumn BETWEEN 9210084 AND 11420982`
Group	Parentheses ( ) group clauses to form sub-queries	`(columnName = "black" OR columnName = "red") AND columnName = "label"`

Top N occurrences

Early Adopter

Click on any column name to view the top 10 values with the most occurrences within that column. The value occurrence percentage is in relation to the result based on the column filter.

For example, if you Include in the filter only one value for a particular column, the occurrence of that value in that column will be 100%.

other
The remainder of the filtered values that do not qualify for the top 10 most occurring values within the column.
(blanks)
A count of the filtered log records that contain no value in the selected column.

Use the Include and Exclude buttons to add or subtract the value in the column filter syntax. Click Apply to update the filter result.

If you Include the value in the filter, the result will display only the selected (included) values. If you Exclude the value in the filter, the result will display all values except the ones you have excluded in the filter. You can include and exclude multiple values in one filter.

Show me everything again

To reset the filter, clear the filter syntax and click Apply.

Bookmarks

Share links

Search for text patterns in log files

Sample queries

Column display

Parsing method

Custom columns

Column values filter

Top N occurrences