This section gives a quick introduction to the Search view, which is where you can view individual logs and aggregate multiple servers or logs, and search through logs. This is just a brief overview; for a detailed description of all the powerful features provided by the search view, see Search View Reference.
(1) To search for a specific word or phrase, type it here. Numbers, punctuation, or phrases must be enclosed in quotes. Example searches: error, "503", "customer 1309". See Query Language Reference for a full description of the Scalyr query language.
(2) As you type search text into the box, it is parsed and presented in a form that makes your search easier to read and understand. That can be done in one of two ways. The first and default way is by using colors to highlight different parts, such as fields, operators, and values. For example, in the search text "bytes > 5000", each of the three components will be a different color. The second way of presenting search text is by packaging search terms into "chiclets". You can click a chiclet to edit its term, or click the "X" to remove the term. You can choose which of the two ways you want your search text to be presented in the DISPLAY SETTINGS dialog (shown below).
(3) Click here to specify the time range to search. The following options will appear:
(3a) Click on a preset to quickly search that time range.
(3b) Enter the start time for your search. You can enter a time (e.g. 14:30 or 5:05 AM), a date (May 23), or date and time (5/14/2016 2:00 PM), using a wide variety of date and time formats. You can also enter shortcuts like 5h to indicate five hours ago. See Time Syntax Reference for a complete list of options.
(3c) Enter the end time for your search. You can use any of the formats supported by the From time. You can also enter a shortcut beginning with + to specify the amount of time you'd like to search, e.g. +24h or +1d to search a one-day period beginning at the From time.
(4) Click these buttons to scroll to the beginning or end of your time range.
(5) Use this button to continuously view new log messages matching your search. See Live Tail Reference for details.
(6) Use these fields to search a specific server or log file. You can use a single * as a wildcard anywhere in the name.
(7) The bar chart shows how many log messages match your search in each time period. You can use it to look for spikes in log volume.
(8) Click the Expand link to generate a larger graph of the number of matching log messages. This will give you access to the complete set of graphing tools.
(9) This marker indicates what time period you're scrolled to in the search view. Click anywhere in the bar chart to jump to that point in time.
(10) This area shows the log messages matching your search. You can scroll horizontally to view long messages, and vertically to move through your selected time range. To jump to a specific point in time, click the appropriate spot in the bar chart.
(11) You can also jump to a specific point in time by typing the desired time in this field and pressing Enter.
(12) Select some text to bring up additional options. From here, you can:
- Click "Filter For" to restrict your search to messages containing the selected text.
- Click "Exclude" to restrict your search to messages that don't contain the selected text.
- Click "New Search For" to discard your current search and display all log messages containing the selected text.
- Click "View Details" to see more information regarding this log message.
- Click "See In Original Log" to view the raw log file where this message originated.
(13) Click the "Save" button in the left-center of the search bar to display the following Save actions for your current search:
- Save Search: Opens a dialog box that lets you save the active query to either your personal or team's list of saved searches; your list is selected by default. Saved searches are available in the Search main navigation menu.
- Save as Alert: Create a new alerting rule, which will trigger if the number of matches to your current search goes above or below a level you specify.
- Save to Dashboard: Add this search to an existing dashboard, or start a new dashboard with this search.
(14) Click the "Share" button in the left-center of the search bar to display the following Share actions for your current search:
- Copy Link: Opens a modal window where you can copy a link to this search with relative time references replaced by absolute ones (e.g., instead of searching the previous hour, it would search 8 a.m. to 9 a.m.).
- Add to Shared Search List: Opens a dialog box that lets you save the active search query to either your personal or team's list of saved searches; the team list is selected by default. Saved searches are available in the Search main navigation menu.
(15) The DISPLAY button at the right of the search bar opens a modal window where you can control what information is included before each log message in the Matching Events list:
- Timestamp: Select this to include the timestamp that Scalyr assigned to this log message. If the parser was able to identify a timestamp in the message, that value is used. Otherwise, the timestamp is assigned according to the time that the message was received by Scalyr's servers.
- Source: Select this to include the name of the server or other source from which the message originated.
- Log file: Select this to include the name of the log file in which this message originated. If the message did not come from a log (e.g. it was imported via the Scalyr API), this field will be blank.
- Raw log: Select this to include the original raw log event.
You can also select which fields you want displayed in the list of log messages:
- The left pane, Parsed Fields, shows all fields the parser identified in this log; click the middle buttons to move fields over to the Fields to Show pane on the right.
- To remove a field from the Show pane, select it and click the DELETE button below the pane.
- Fields will display in the same order as they are listed here. To modify the display order, select a field and use the UP and DOWN buttons below the pane.
If you make changes and click 'OK', those settings remain in effect as long as you stay on the search page. Once you leave the search page, those changes are lost. If you find that you always choose the same few fields to display every time you go to the search page, or never want to see the server/host, for example, you can make the changes you want and then click Save As Default. This saves those settings permanently until you modify them in the future.
(16) This area lists the fields Scalyr's parser has found in the log messages matching your search. By default, it shows the most common fields, limited to the number that will fit in your window ("Top Fields"). Click the dropdown and switch to "All Fields" to view all fields; then use the Prev/Next buttons to navigate through the alphabetical list. The number next to each field indicates how many distinct values appear in that field. (If there are more than a few hundred distinct values, the number shown will be an estimate.)
Click on any field to view the most common values in that field:
You can click on any value to restrict your search to log messages having that field value. For numeric fields, click the "Graph Values" button to display a graph of that field (see Graphs). Or click the "Distribution" button to display the distribution of values in that field (see Distributions).