Skip to content

Log Details

Clicking on the log list will pull out the details page of the current log, where you can view detailed information about the log, including the time it was generated, the host, source, service, content, extended fields, and view context among other information.

View Full Log

When logs are reported to Guance, if the data exceeds 1M in size, it will be split according to the 1M standard. For example, a single log of 2.5M will be divided into 3 parts (1M/1M/0.5M). The completeness of the split logs can be checked using the following fields:

Field
Type Description
__truncated_id string Represents the unique identifier for the log; multiple split logs use the same __truncated_id, with an ID prefix of LT_xxx.
__truncated_count number Indicates the total number of split logs.
__truncated_number number Indicates the sequence of the log split, starting from 0, where 0 represents the first part of the log.

On the log details page, if the current log has been split into multiple parts, a View Full Log button will appear in the top-right corner. Clicking this button opens a new page that lists all related logs according to their split order. The selected log will also be highlighted in color to help locate upstream and downstream.

Obsy AI Error Analysis

Guance provides the ability to automatically parse error logs. It uses large models to extract key information from logs and combines them with online search engines and operations knowledge bases to quickly analyze possible causes of failures and provide preliminary solutions.

  1. Filter all logs with status as error;
  2. Click on a single data entry to expand the details page;
  3. Click the Obsy AI Error Analysis in the top-right corner;
  4. Start anomaly analysis.

Error Details

If the current log contains error_stack or error_message field information, the system will provide you with error details related to this log.

To view more log error information, visit Log Error Tracing.

Attribute Fields

Click attribute fields for quick filtering and viewing. You can check hosts, processes, traces, container data related to the logs.

Field Description
Filter field value Add this field to the log Explorer to view all log data related to this field.
Reverse filter field value Add this field to the log Explorer to view all relevant log data except for this field.
Add to display column Add this field to the Explorer list for viewing.
Copy Copy this field to the clipboard.
View related containers View all containers related to this host.
View related processes View all processes related to this host.
View related traces View all traces related to this host.
View related inspections View all inspection data related to this host.

Log Content

  • Log content automatically switches between JSON and text viewing modes based on the message type. If the message field does not exist in the log, the log content section will not be displayed. The log content supports expanding and collapsing, defaulting to expanded state, and collapses to show only one line height.

  • For source:bpf_net_l4_log logs, JSON and packet viewing modes are provided automatically. The packet mode displays client, server, time information, and supports switching between absolute and relative time display, defaulting to absolute time. The configuration after switching is saved in the local browser.

JSON Search

In JSON formatted logs, both key and value can be searched via JSON search. After clicking, the Explorer search bar adds @key:value format for searching.

For multi-level JSON data, use . to represent hierarchical relationships. For example, @key1.key2:value means searching for the value corresponding to key2 under key1.

For more details, refer to JSON Search.

Extended Fields

  • In the search bar, you can input field names or values for quick search and positioning;

  • Check field aliases to view them after the field name;

  • Hover over an extended field, click the dropdown icon, and you can choose to perform the following actions:
    • Filter field values
    • Reverse filter field values
    • Add to display columns
    • Perform dimensional analysis: click to jump to analysis mode > Time Series Chart.
    • Copy

View Context Logs

The context query function of the log service helps trace related records before and after abnormal logs through the timeline, allowing for rapid problem root cause identification.

  • On the log details page, you can directly view the context logs for this data content;
  • The left dropdown box allows you to select an index to filter out corresponding data;
  • Open a new page for context logs.
Relevant Logic Supplementary Understanding

According to the returned data, each scroll loads 50 entries.

How are the returned data queried?

Premise: Does the log have a log_read_lines field? If it exists, follow logic a; otherwise, follow logic b.

a. Get the log_read_lines value of the current log and apply the filter log_read_lines >= {{log_read_lines.value-30}} and log_read_lines <= {{log_read_lines.value +30}}

DQL Example: Current log line number = 1354170

Then:

L::RE(`.*`):(`message`) { `index` = 'default' and `host` = "ip-172-31-204-89.cn-northwest-1" AND `source` = "kodo-log" AND `service` = "kodo-inner" AND `filename` = "0.log" and `log_read_lines` >= 1354140 and `log_read_lines` <= 1354200}  sorder by log_read_lines

b. Get the time of the current log, and calculate the start and end times by moving forward or backward.

  • Start time: move back 5 minutes from the current log time;

  • End time: take the time of the 50th log after the current log (·), if time = current log time, then use time+1 microsecond as the end time, if time ≠ current log time, then use time as the end time.

Context Log Details Page

Click to jump to the details page. You can manage all current data through the following operations:

  • Input text in the search box to search and locate data;
  • Click the side button to switch the system's default automatic line breaks to content overflow mode, at which point each log will be displayed as one line, and you can scroll horizontally as needed to view.

Correlation Analysis

The system supports correlation analysis of log data. Besides error details, extended fields, and context logs, you can comprehensively understand the associated HOSTs, CONTAINERS, NETWORKs, etc.

Built-in Pages

For built-in pages such as HOST, CONTAINER, Pod, etc., you can perform the following operations:

  • (Using the "HOST" built-in page as an example) *

  • Edit the current page display fields, and the system will automatically match corresponding data based on the fields;
  • Choose to jump to the metrics view or HOST details page;
  • Filter time ranges.
Note

Only workspace managers can modify the display fields of built-in pages, and it is recommended to configure common fields. If this page is shared by multiple Explorers, field modifications will take effect in real-time.

For example: Configuring the "index" field here will allow normal display if the field exists in the logs, but if the field is missing in the trace Explorer, the corresponding value will not be displayed.

Built-in Views

In addition to the default views displayed by the system here, user views can also be bound.

  1. Enter the built-in view binding page;
  2. View default associated fields. You can choose to retain or delete fields, and add new key:value fields;
  3. Select the view;
  4. After completing the binding, you can view the bound built-in view in the HOST object details. You can jump to the corresponding built-in view page by clicking the jump button .

Feedback

Is this page helpful? ×