Use the distribution view to summarize the values in a numeric log field, such as server response times or page sizes. Distribution view shows the range of values and which values are most common. You can view values from an individual log, aggregate multiple servers / logs, and use search terms to narrow the log messages shown.
To display the distribution of values in a field, find that field in the left sidebar of the Search view. Click on the field name, and click the "Distribution" button at the top of the pop-up panel.
The "Distribution" button will appear only for fields with numeric values.
(1) To search for a specific word or phrase, type it here. This determines which log messages are reflected in the distribution. Numbers, punctuation, or phrases must be enclosed in quotes. Sample searches:
|error||To search for a word or part of a word, just type it|
|"/blog"||Punctuation must be enclosed in quotes|
|"customer 1309"||Multi-word phrases must also be enclosed in quotes|
|userId = 1309||Matching on a parsed field|
|time > 0.5||Numeric comparison on a parsed field|
See Query Language Reference for a full description of the Scalyr query language.
(2) As you type search text into the box, it is parsed and presented in a form that makes your search easier to read and understand.
(3) Click here to specify the time range to view. The following options will appear:
(3a) Click on a preset to quickly view that time range.
(3b) Enter the start time for your view. You can enter a time (e.g. 14:30 or 5:05 AM), a date (May 23), or date and time (5/14/2016 2:00 PM), using a wide variety of date and time formats. You can also enter shortcuts like "5h" to indicate five hours ago. See Time Syntax Reference for a complete list of options.
(3c) Enter the end time for your view. You can use any of the formats explained in (3b). You can also enter a shortcut beginning with + to specify the amount of time you'd like to search, e.g. +24h or +1d to view a one-day period beginning at the From time.
(4) Use this button to view the raw log messages matching your search.
(5) Use these fields to search a specific server or log file. If you're using Kubernetes these will allow you to search cluster and controller name, respectively. You can use a single * as a wildcard at the beginning or end (but not the middle) of the server or log file name.
(6) This area lists the fields the parser found in the log messages matching your search. The top 100 fields are arranged alphabetically in a scrollable window (All Fields). Click the dropdown and switch to Top Fields to view the most common fields first.
The number next to each field indicates how many distinct values appear in that field. (If there are more than a few hundred distinct values, the number shown will be an estimate.)
Click on any field to view the most common values in that field:
You can click on any value to restrict your graph to log messages having that field value. Depending on the type of data, various graphing options appear as buttons:
- Graph Values graphs the selected field over time.
- #Matches graphs matching events per second, broken down by the selected field.
- Distribution graphs a Value distribution of the selected field.
(7) This shows the name of the field you're viewing.
(8) This area shows the distribution of values in the specified field.
(9) This area displays summary statistics for the values in the distribution.
(10) Click the "Save" button to display the following actions for your current search:
- Save Graph: Opens a dialog box that lets you save the graph to either your personal or team's list of saved graphs, which are also available in the main Search menu at the top of the page.
- Save as Alert: Create a new alerting rule, which will trigger if the number of matches to your current search goes above or below a level you specify.
(11) Click the "Share" button in the left-center of the search bar to display the following Share actions for your current search:
- Copy Link: Opens a modal window where you can copy a link to this search with relative time references replaced by absolute (e.g., instead of the searching the previous hour, it would search 8 a.m. to 9 a.m.).
- Add to Shared Search List: Opens a dialog box that lets you save the active search query to either your personal or team's list of saved searches; the team list is selected by default. Saved searches are available in the Search menu.
Use the Search field (1) to view messages containing particular text (e.g. error), or by field values (e.g. status >= 500). See the Query Language Reference for a full description of the Scalyr query language.
Use the Server/Host and Log fields (2) to specify which servers and/or logs you’d like to view. If you're using Kubernetes these will allow you to search cluster and controller name, respectively.
When you click in the Server/Host or Log field, you will see a list of all available names. You can use the mouse or arrow keys to select an entry from the list. As you begin typing, the list will narrow down to match what you've typed so far. However, your selection in one field does not affect the choices shown in the other field. For instance, if you type the name of a single server, the Log field will still list log files from all servers.
You can use a single * as a wildcard at the beginning or end (but not the middle) of the server or log file name. For example, enter database* to view logs from all servers whose name begins with "database". Similarly, use the Log field to enter the name of a log file. If you have files with the same name on different servers, the Log field will select that log across all servers. To select a single log from a single server, fill in both Server/Host and Log.
Below these boxes is a list of the top 100 fields found in events matching your search (3). Click on a field to bring up a list of its most common values; from there click on the `==` and `!=` symbols to include (or exclude) these values from your search.