Log List¶

Global Configuration¶

On the Global Configuration page, you can centrally manage the following three core features at the workspace level:

• Quick Filter Configuration: Customize the quick filter panel commonly used within Explorers;
• Top Field Configuration: Configure the fields displayed at the top of each log in stack mode. Indexes without individual configurations will use the global default configuration;
• Index Key Field Configuration: Define the default priority display fields for each index in the data list;
• Query Acceleration Configuration: Enable acceleration for fields under indexes to significantly improve query performance.

Quick Filter¶

The quick filter items configured here will be applied to the quick filter panel on the left side of all Explorers within the workspace and are visible to all members.

All filter fields added here will automatically enable Query Acceleration for their respective indexes to ensure filtering performance. This association is a mandatory default behavior and cannot be turned off.

You can configure two types of fields:

• Filter Fields (currently effective fields)

  • Edit or delete individual fields;
  • Delete all filter fields with one click.

• Optional Fields (including business fields, system fields, others)

  • Add as filter fields

If there are many fields, you can directly search for fields. If the query results do not have a precise matching value, you can directly create and add it to the "Filter Fields".

Empty value (no data) entries in the quick filter are not displayed by default. You can enable this here. After enabling, a "No Data" option will appear at the bottom of each filter group, supporting filtering of data where the field value is empty. This configuration can only be operated by administrators and custom roles with "Global Configuration" permissions.

Global Quick Filter¶

Workspace administrators can uniformly configure global filter items in Manage > Quick Filter. After saving the configuration, all members can refresh or re-enter the Log Explorer to synchronize the latest global filter items.

Global filter items and personal custom filter items are saved independently and do not overwrite each other:

• Administrators adding, editing, adjusting the order, or disabling global filter items will not affect members' existing personal filter items;
• In the quick filter bar, global filter items are displayed before personal filter items by default;
• If a global filter item has the same name as a personal filter item, both will be displayed simultaneously, and the source can be distinguished by the field identifier.

When the global configuration changes, after you refresh the page, the system will prompt "Quick filter has been automatically updated following the global configuration". This prompt appears only once per Explorer, per version.

Top Field Configuration¶

Configure the fields displayed at the top of each log in Stack Mode. Indexes without individual configurations will use the global default configuration.

Global Default Top Fields¶

When an index does not have dedicated top fields configured, the global default fields will be used. Click "Edit" to adjust the globally default displayed fields.

Default included fields: source, host, service, pod_name, container_name, duration.

Index Top Field Configuration¶

Configure dedicated top fields for a specified index, which takes precedence over the global default configuration.

1. Click "+ Add Index Configuration", select an index and configure the top fields (select up to 8);
2. Top fields support selecting existing fields or manually entering field names. Press Enter to add custom fields;
3. After saving, logs under this index will display the top fields as configured in stack mode.

Added index configurations support editing and deletion operations.

Index Key Fields¶

Configure a set of "Key Fields" for different data indexes. After configuration, when viewing the data list corresponding to this index, the system will prioritize displaying these fields in this order to help quickly focus on core information.

• Left side: Index column;
• Right side: Select the optional fields under each index listed by the system as key fields.

For the current key field configuration, you can choose whether to synchronize all key fields to query acceleration.

Query Acceleration Configuration¶

Enabling acceleration for fields that are frequently used for filtering, grouping, or sorting under an index can greatly improve the query response speed for these fields. This configuration is performed at the index level.

• Left side: Index column;
• Right side: Select the optional fields under each index listed by the system for acceleration. You can later view them in the "Accelerated Fields" list above.

After configuration changes, it takes approximately 5 minutes to take effect across the entire system. After taking effect, fields will automatically be added to the "Accelerated Fields" list.

Index¶

By setting up Log Multi-Index, logs meeting the conditions are stored in different indexes, and appropriate data storage strategies are selected for each index, thereby effectively saving log data storage costs.

The index list uses a scrolling load mechanism. The first 50 indexes are displayed by default, and the next 50 are automatically loaded when scrolling to the bottom. This loading method also applies to the fuzzy search result list, facilitating continuous browsing.

You can perform the following operations:

• Select all indexes (❗️May cause slower queries due to large data volume);
• Select multiple indexes;
• Pin indexes;
• Search and locate by index name;
• Set the index display area as small, medium, or large.

After configuration, you can switch between different indexes in the Explorer to view the corresponding log content.

Quick Filter¶

For more details, refer to Filter.

Display Items¶

On the Display Items page, two parts of fields are displayed overall:

• Display Fields: Fields displayed in the quick filter;
• Optional Fields: All fields cached by the current data type.

You can perform the following operations:

• Search for fields; if the query results do not have a precise matching value, you can directly create and add it to the "Filter Fields";
• Edit field aliases;
• Drag to adjust field order;
• Delete (all) fields;
• Reset to default fields;
• Set whether to display field aliases and the time column.

Reset to Default Fields¶

When performing the "Reset to Default Fields" operation, the system displays fields according to the following rules:

• If you have not configured key fields: After resetting, only the time and message fields are displayed (❗️Whether the time column is displayed is also controlled by another independent "Show Time Column" switch);
• If you have configured key fields: After resetting, the display will completely follow your custom field list, and the message field will not be automatically added;
• The message field can be manually removed when displayed.

Status Distribution Chart¶

Based on the selected time range, the system will automatically divide multiple time points and display the quantities of different log statuses in a stacked bar chart format, aiding efficient statistical analysis.

When filtering logs, the bar chart will synchronize and display the filtered results in real-time.

• Hover to export the chart, ultimately exporting to a dashboard, note, or copying to clipboard;
• Customize the time interval.

Query Mode¶

After the workspace enables Log Long-Term Storage, a switch entry for Standard Query and Long-Term Query will appear in the upper right corner. This entry is used to switch queries between data at different storage levels, and the specific usage depends on your data storage strategy configuration.

If the workspace has not enabled log long-term storage, the Explorer does not display this switch entry.

Click to view More Explanation on Log Query Mode.

Usage Instructions¶

1. By default, when entering the Explorer, it is in Standard Query mode, supporting queries of any time range and real-time response.

2. After switching to Long-Term Query, click the time input box to open the time selection panel:

3. Select Date: Choose the start date on the left;

4. Set Start and End Times: Select the start time and end time respectively on the right wheel. If the end time is earlier than the start time, the system automatically recognizes it as the next day, and the input box will display as 2026-05-19 23:00:00 ~ Next Day 05:00:00;

5. You can also directly drag the blue interval on the timeline to move it as a whole, or drag the left and right endpoints to fine-tune the start and end times. Dragging allows crossing midnight of the same day, and the cross-day boundary is marked with "Next Day 00:00".

6. The currently selected query interval and total duration are displayed in real-time below the timeline. After confirmation, click "Query" to trigger the search.

Search Bar¶

In the Log Explorer search bar, multiple search and filter methods are supported.

After entering search or filter conditions, you can preview the effect and copy the condition to apply to charts or query tools.

Manual Configuration¶

Click the switch button on the right side of the search box to enter the manual input query mode.

JSON Field Return¶

DQL queries support extracting nested values from JSON fields in log data. You only need to add a field path with the @ symbol in the DQL query statement. The system will automatically recognize this configuration and display the extracted value as an independent field in the query results. For example:

• Normal Query:

• Expected Query After Extracting Embedded Fields:

In the Log Explorer, if you want to directly specify viewing values extracted from the JSON text of each log's message in the data list, add a field in the format @target_fieldname in the display columns. As shown below, we add the @fail_reason already configured in the DQL query statement to the display columns:

Log Color Highlighting¶

To help quickly locate key information in logs, the system uses color highlighting to display log content. When entering keywords in the search bar, only the matched keywords will be highlighted.

Log Single Line Expand and Copy¶

• Click the button in the log entry to view the complete content of that log. If the log supports JSON format, it will be displayed in JSON format; otherwise, the content will be displayed normally;
• Click the button to copy the entire log content to the clipboard.

Display Lines¶

In the log data list, the trigger time and content of each log are displayed by default. You can use the "Display Lines" option to choose to display "1 line", "3 lines", "10 lines", or "All content" to view complete log information.

Settings¶

Create Monitor¶

When filtering log data, if you need to perform further alert monitoring on the filtered results, you can achieve this by creating a monitor with one click. The system will automatically apply the index, data source, and search conditions you selected, thereby simplifying the configuration process.

Copy as cURL¶

In the Log Explorer, you can obtain log data in command-line form. In the Settings on the right side of the log data list, click the Copy as cURL button to copy the corresponding cURL command. Paste this command into the host terminal and execute it to obtain log data within the current time period that meets the filter and search conditions.

Example

After copying the cURL command line, as shown below: where <Endpoint> needs to be replaced with the domain name, and <DF-API-KEY> needs to be replaced with the Key ID obtained from API Management.

For more related parameter descriptions, refer to DQL Data Query.

For more information about API, refer to Open API.

curl '<Endpoint>/api/v1/df/query_data?search_after=\[1680226330509,8572,"L_1680226330509_cgj4hqbrhi85kl1m6os0"\]&queries_body=%7B%22queries%22:\[%7B%22uuid%22:%222eb41760-cf6e-11ed-a983-7d559044c3fc%22,%22qtype%22:%22dql%22,%22query%22:%7B%22q%22:%22L::re(%60.*%60):(%60*%60)%7B+%60index%60+IN+\[%27default%27\]+%7D%22,%22highlight%22:true,%22limit%22:50,%22orderby%22:\[%7B%22time%22:%22desc%22%7D\],%22_funcList%22:\[\],%22funcList%22:\[\],%22disableMultipleField%22:false,%22disable_slimit%22:false,%22is_optimized%22:true,%22offset%22:0,%22search_after%22:\[1680226330509,8572,%22L_1680226330509_cgj4hqbrhi85kl1m6os0%22\],%22timeRange%22:\[1680187562081,1680230762081\],%22tz%22:%22Asia%2FShanghai%22%7D%7D\]%7D' \
- H 'DF-API-KEY: <DF-API-KEY>' \
- -compressed \
- -insecure

Besides this export path, you can also use other log data export methods.

Set Status Colors¶

The system has preset default colors for status values. If you need to customize the colors displayed for different statuses in the Explorer, click Set Status Colors to modify them.

Formatting Configuration¶

Through formatting configuration, you can hide sensitive log content, highlight important log content, or achieve quick filtering by replacing log content.

1. Click Settings in the upper right corner of the Explorer list;
2. Click Formatting Configuration;
3. Add mapping rules, enter the following content and save:
   • Field: Specify the log field (e.g., content);
   • Matching Method: Select the matching method (currently supports =, !=, match, not match);
   • Matching Content: Enter the content to be matched (e.g., DEBUG);
   • Display As Content: Enter the replaced display content (e.g., **).

Log Data Export¶

In logs, you can first filter the required data and then export it as CSV, JSONL files, or export it to dashboards or notes.

If you need to export a specific log, you can open the detail page of that log and click in the upper right corner.

Advanced Linkage Configuration¶

For more details, refer to Advanced Linkage Configuration.