This topic provides a detailed guide to the Search view, which is where you can view individual logs and aggregate multiple servers and logs, and also search through log content.
(1) To search for a specific word or phrase, type it here. Numbers, punctuation, or phrases must be enclosed in quotes. Example searches: error, "503", "customer 1309". See Query Language for a full description of the Scalyr query language.
(2) As you type search text into the box, it is parsed and presented in a form that makes your search easier to read and understand. Different parts of your search text such as fields, operators, and values are highlighted in order to visually differentiate them. For example, in the search text "bytes > 5000", each of the three components will be a different color.
(3) Click here to specify the time range to search. The following options will appear:
By default, the last four hours are displayed. You can customize this default.
(3a) Click on a preset to quickly search that time range.
(3b) Enter the start time for your search. You can enter a time (e.g. 14:30 or 5:05 AM), a date (May 23), or date and time (5/14/2016 2:00 PM), using a wide variety of date and time formats. You can also enter shortcuts like 5h to indicate five hours ago. See the Date/Time Reference for a complete list of options.
(3c) Enter the end time for your search. You can use any of the formats explained in (3b). You can also enter a shortcut beginning with + to specify the amount of time you'd like to search, e.g. +24h or +1d to search a one-day period beginning at the From time.
(4) Click these buttons to scroll to the beginning or end of your time range.
(5) Use this button to continuously view new log messages matching your search. The log will update every 10 seconds.
In Live Tail mode, most controls are hidden, so that more of your screen is available for log messages. Click the Stop button to return to the regular search view.
After 10 minutes, Live Tail updates will pause. Click Restart Live Tail to resume.
(6) Use these fields to search a specific server or log file. If you're using Kubernetes these will allow you to search cluster and controller name, respectively. You can use a single * as a wildcard at the beginning or end (but not the middle) of the server or log file name.
(7) This area lists the fields Scalyr's parser has found in the log messages matching your search. By default, it shows the top 100 fields, arranged alphabetically in a scrollable window (All Fields). Click the dropdown and switch to Top Fields to view the most common fields first.
The number next to each field indicates how many distinct values appear in that field. (If there are more than a few hundred distinct values, the number shown will be an estimate.)
Click on a field to bring up a list of its most common values:
(7a) Depending on the type of data, various graphing options appear as buttons:
- Graph Values graphs the selected field over time.
- #Matches graphs matching events per second, broken down by the selected field.
- Distribution graphs a distribution of the selected field.
For more information on Scalyr's graphingt tools, see Graphs.
(7b) You can click on a value to restrict your graph to events having that field value. You can also use the `==` and `!=` symbols to include (or exclude) these values from your search.
(7c) The bars provide a visual indication of how often each value appears, while the numbers provide more precision. Note that these are often estimates due to sampling (see (7d) below).
(7d) Information concerning estimated values is located here. (We sample to achieve a statistically valid number, using a two-pass method. In the first pass (first bullet point), we query a 1% subsample to estimate the total number of matches. In the second pass (second bullet point), we sample the data with a rate based on information obtained in the first pass.)
(7e) If the field has too many values to display on one screen, click See More to show up to a maximum of 200 values.
(8) This chart shows how many log messages match your search in each time period. You can use it to look for spikes in log volume. The bars show volume per time period. The dotted line shows a smoothed distribution of actual log volume over that time period.
(9) Click Expand Graph to generate a larger graph of the number of matching log messages. This will give you access to the complete set of graphing tools.
(10) This marker indicates what time period you're scrolled to in the search view. Click anywhere in the bar chart to jump to that point in time.
(11) This area shows the log messages matching your search. You can scroll horizontally to view long messages, and vertically to move through your selected time range. To jump to a specific point in time, click the appropriate spot in the bar chart.
(12) You can also jump to a specific point in time by typing the desired time in this field and pressing Enter.
(13) Select some text to bring up additional options. From here, you can:
- Click Filter For to restrict your search to messages containing the selected text.
- Click Exclude to restrict your search to messages that don't contain the selected text.
- Click New Search For to discard your current search and display all log messages containing the selected text.
- Click Inspect Fields to see more information regarding this log message.
- Click Switch To to view messages from the specific server thread that generated this log message. (This works only for messages reported using Scalyr's Java API library.).
Scalyr supports linking from recognized portions of log lines in the search results. For example, you may want to have the value of a field called userId link to that user's page in your company directory. See SmartLinks to enable this feature.
(14) The Inspect Fields button displays additional information for the selected log message:
(14a) Click Edit Parser to manage the parsing rules used for this log file.
(14b) Click See In Original Log to view the raw log file where this message originated.
(14c) Click See In Thread Log to view log messages from the specific server thread that generated this log message. (This works only for messages reported using Scalyr's Java API library.)
(14d) The full text of the log message is shown.
(14e) If the parser was able to identify a timestamp in the message, that value is used. Otherwise, the timestamp is assigned according to the time that the message was received by Scalyr's servers.
(14f) All fields Scalyr's parser was able to identify are listed in the Inspect Fields list. Server-specific fields are grouped and listed below the others.
(15) The Display button at the right of the search bar opens a dialog that allows you to tailor how your search results are displayed:
You can choose whether to view search results as log lines, or in a table. If you choose to view them in a table, you will need to select which fields to show.
A set of checkboxes let you control what information is included before each log message in the Matching Events list:
- Date: The date Scalyr assigned to the log message. If the parser was able to identify a timestamp in the message, the date is extracted from value. Otherwise, the date is assigned according to the time that the message was received by Scalyr's servers.
- Time: The time assigned to the message. Works like the Date field, described above.
- Source/Cluster: The name of the server, k8s cluster, or other source from which the message originated.
- Logfile/Deployment: The name of the log file or k8s deployment from which the message originated.
- Raw log: The original raw log event.
Use the Add and All buttons to move fields from the Available Fields list over to the Fields to Show list. The Up, Down and Remove buttons let you navigate and remove fields in the Fields to Show list.
If you make changes and click OK, those settings will remain in effect for the life of the current account session. Once you log out or change teams, the changes will be lost. Use the Save As Default button if you find yourself frequently applying the same changes across teams and you want the settings to persist. Those user default settings could then be temporarily overridden by a later change to the dialog or url parameters.
(16) Click the Save button in the left-center of the search bar to display the following Save actions for your current search:
- Save Search: Opens a dialog box that lets you save the active query to either your personal or team's list of saved searches; your list is selected by default. Saved searches are available in the Search main navigation menu.
- Save as Alert: Create a new alerting rule, which will trigger if the number of matches to your current search goes above or below a level you specify.
- Save to Dashboard: Add this search to an existing dashboard, or start a new dashboard with this search.
- Download: Download the current search results as a text file.
- Export to S3: Save search results to an S3 bucket.
(17) Click the Share button in the left-center of the search bar to display the following Share actions for your current search:
- Copy Link: Copies a link for this search to your clipboard with relative time references replaced by absolute (e.g., instead of the searching the previous hour, it would search 8 a.m. to 9 a.m.).
- Add to Shared Search List: Opens a dialog box that lets you save the active search query to either your personal or team's list of saved searches; the team list is selected by default. Saved searches are available in the Search main navigation menu.