Logs List¶
The log explorer is one of the core tools for your log analysis and troubleshooting. Facing the massive amount of log data collected and reported by Guance, you can achieve efficient management of log information through multiple operations such as searching, filtering, and exporting.
View Modes¶
The explorer list page supports two view modes.
All Logs¶
View and analyze based on the raw log data collected.
Cluster Analysis¶
The log explorer provides an efficient clustering function, performing similarity analysis on logs based on the message field and automatically displaying the most recent 50 logs.
You can also customize the clustering fields. After selecting a time range in the time widget, the system will analyze 10,000 logs within that period and aggregate similar entries.
In the cluster analysis list, you can manage the data through the following actions:
-
Click & to sort by document count (default descending order);
-
Click , choose to display 1 line, 3 lines, 10 lines, or all content.
-
Click , export all clustered log data.
Quick Filters¶
For more details, refer to Filters.
Display Items¶
In the Stacked Mode > Display Items page, two parts of fields are shown:
- Filter Fields: These are the fields displayed in the quick filter;
- Optional Fields: These are all fields cached for the current data type.
You can perform the following actions:
- Search for fields; if there is no exact match in the query results, you can directly create and add them to "Filter Fields";
- Edit field aliases;
- Drag to adjust field order;
- Delete fields;
- Set whether to display field aliases.
Status Distribution Chart¶
Based on the selected time range, the system automatically divides into multiple time points and displays the quantity of different log statuses in the form of stacked bar charts, assisting with efficient statistical analysis. When filtering logs, the bar chart will synchronize and display the filtered results in real-time.
- You can hover over and export the chart, eventually exporting it to dashboards, notes, or copying it to the clipboard;
- Customize the time interval selection.
Log Index¶
By setting up Multiple Log Indices, logs that meet the conditions are stored in different indices, and appropriate data storage strategies are selected for each index, effectively saving log data storage costs.
After setup, you can easily switch between different indices in the viewer to view corresponding log contents.
Search and Filtering¶
In the search bar of the log explorer, various search and filtering methods are supported.
After entering search or filter conditions, you can preview the effect and copy the condition for use in charts or query tools.
Manual Configuration Mode¶
Click the toggle button on the right side of the search box to enter manual input query mode.
JSON Field Return¶
Note
This feature is only applicable to user roles with DQL query permissions.
DQL queries support extracting nested values from JSON fields in log data. You just need to add a field path with the @ symbol in the DQL query statement, and the system will automatically recognize this configuration and display the extracted value as an independent field in the query result. For example:
- Normal Query:
- Expected Query after Extracting Nested Fields:
In the log explorer, if you want to specify viewing extracted values from the JSON text of each log's message in the data list, add a field in the format @targer_fieldname in the display columns. As shown below, we added the @fail_reason configured in the DQL query statement to the display columns:
Create Monitors¶
When filtering log data, if you need to further alert and monitor the filtered results, you can set up monitors with one click. The system will automatically apply the selected index, data source, and search conditions, simplifying the configuration process.
Note
- If another workspace is selected in the upper-left corner of the log explorer, the search conditions will not be synchronized to the monitor configuration page, which will default to being cleared.
- In the standard commercial edition, the site-level
left*query function is enabled by default. You only need to enable theleft*query at the workspace level to support theleft*query for monitors. For deployment editions, you can independently enable or disable the site-levelleft*query. Only when both the site-level and workspace-levelleft*queries are enabled can the monitor performleft*queries. Otherwise, if the log explorer configures aleft*query, an error may occur when switching to the monitor configuration page.
Copy as cURL¶
In the log explorer, you can obtain log data via command-line interface. In the Settings on the right side of the log data list, click the Copy as cURL button to copy the corresponding cURL command. Pasting this command into the host terminal and executing it will retrieve log data that meets the filtering and search criteria for the current time period.
Example
After copying the cURL command line, as shown in the figure below: Replace <Endpoint> with the domain name, and replace <DF-API-KEY> with the Key ID from API Management.
For more parameter descriptions, refer to DQL Data Query.
For more information about APIs, refer to Open API.
curl '<Endpoint>/api/v1/df/query_data?search_after=\[1680226330509,8572,"L_1680226330509_cgj4hqbrhi85kl1m6os0"\]&queries_body=%7B%22queries%22:\[%7B%22uuid%22:%222eb41760-cf6e-11ed-a983-7d559044c3fc%22,%22qtype%22:%22dql%22,%22query%22:%7B%22q%22:%22L::re(%60.*%60):(%60*%60)%7B+%60index%60+IN+\[%27default%27\]+%7D%22,%22highlight%22:true,%22limit%22:50,%22orderby%22:\[%7B%22time%22:%22desc%22%7D\],%22_funcList%22:\[\],%22funcList%22:\[\],%22disableMultipleField%22:false,%22disable_slimit%22:false,%22is_optimized%22:true,%22offset%22:0,%22search_after%22:\[1680226330509,8572,%22L_1680226330509_cgj4hqbrhi85kl1m6os0%22\],%22timeRange%22:\[1680187562081,1680230762081\],%22tz%22:%22Asia%2FShanghai%22%7D%7D\]%7D' \
- H 'DF-API-KEY: <DF-API-KEY>' \
- -compressed \
- -insecure
Note
Only Standard Members and Above can perform the copy command-line operation.
In addition to this export path, you can also use other log data export methods.
Set Status Colors¶
The system has pre-set default colors for status values. If you need to customize the colors displayed for different statuses in the explorer, click Set Status Color to modify.
Formatting Configuration¶
Note
Only administrators and above can configure formatting for explorers.
Through formatting configuration, you can hide sensitive log content, highlight important log content, or quickly filter by replacing log content.
- Click Settings in the upper-right corner of the explorer list;
- Click Formatting Configuration;
-
Add mapping rules, input the following content, and save:
- Field: Specify the log field (such as
content). - Matching Method: Select the matching method (currently supports =, !=, match, not match).
- Match Content: Input the content to be matched (such as DEBUG).
- Display As Content: Input the replacement display content (such as **).
- Field: Specify the log field (such as
Export Log Data¶
In logs, you can first filter out the required data, then export it as CSV, JSONL files, or export it to dashboards and notes.
If you need to export a specific log, open the log detail page and click in the upper-right corner.
Highlight Log Colors¶
To help quickly locate key information in logs, the system uses color highlights to display log content. When entering keywords in the search bar, only the matched keywords are highlighted.
Single-Line Log Expansion and Copy¶
-
Click the button in the log entry to view the complete content of the log. If the log supports JSON format, it will be displayed in JSON format; otherwise, it will show the normal content.
-
Click the button to copy the entire log content to the clipboard.
Multi-Line Log Browsing¶
In the log data list, the trigger time and content of each log are displayed by default. You can go to Explorer > Display Columns, and choose to display "1 Line", "3 Lines", "10 Lines", or "All Content" to view complete log information.
