Log View Reference
This topic provides a detailed reference guide to the Log view, which is where you can view individual logs and aggregate multiple servers and logs, and also search through log content. For a quick introduction, see Log View.
Entering Log View
To view a single log from a single server, click "Logs" in the top navigation bar, and then click on the link to the log file.
To start out viewing all logs from all servers, go to the Search menu in the top navigation bar, and choose "Search".
Use the Server/Host and Log fields (1) to specify which servers and/or logs you’d like to search. In the Server/Host field, you can enter the name of a server. You can also use * as a wildcard at the beginning or end (but not the middle) of a name. For instance, enter database* to search logs from all servers whose name begins with "database". Similarly, use the Log field to enter the name of a log file. If you have files with the same name on different servers, the Log field will select that log across all servers. To select a single log from a single server, fill in both Server/Host and Log.
When you click in the Server/Host or Log field, you will see a list of all available names. You can use the mouse or arrow keys to select an entry from the list. As you begin typing, the list will narrow down to match what you've typed so far. However, your selection in one field does not affect the choices shown in the other field. For instance, if you type the name of a single server, the Log field will still list log files from all servers.
Use the Search field (2) to search for messages containing particular text (e.g. error), or by field values (e.g. status >= 500). See Query Language Reference for a full description of the Scalyr query language.
When you enter a term in the Search field, it's packaged into a "chiclet" (3). You can edit the chiclet by clicking on it, or using the Delete key to move your edit caret back into the chiclet. You can click the "X" icon to delete the entire term.
The log display shows the log messages that match your search. You can scroll horizontally to view long messages, and vertically to move through your selected time range.
Next to each message, the timestamp, server name, and log file name are shown (1). You can hide these fields using the Log View Settings menu (described below).
You can click on any message to bring up additional tools (2). Additional tools appear if you select some text in the message.
- Click "Filter For" to restrict your search to messages containing the selected text.
- Click "Exclude" to restrict your search to messages that don't contain the selected text.
- Click "New Search For" to discard your current search and display all log messages containing the selected text.
- Click "View Details" to see more information regarding this log message.
- Click "See In Original Log" to view the raw log file where this message originated.
The View Details button displays additional information for the selected log message:
- Click Edit Parser to manage the parsing rules used for this log file.
- Click See In Original Log to view the raw log file where this message originated.
- Click See In Thread Log to view log messages from the specific server thread that generated this log message. (This works only for messages reported using Scalyr's Java API library.)
- The date and time shows the timestamp that Scalyr assigned to this log message. If the parser was able to identify a timestamp in the message, that value is used. Otherwise, the timestamp is assigned according to the time that the message was received by Scalyr's servers.
- The full text of the log message is shown.
- The Event Fields list lists all fields Scalyr's parser was able to identify in this message, as well as information about the server and log file.
By default, the log view will show the most recent messages in your selected time range - i.e. the messages at the end of the range. There are several ways to navigate through the time range:
- Click on the time range dropdown (1) to specify the time range to search.
- Click in the timeline (2) to jump to the point in time where you clicked.
- Click the Start (3) or End (4) buttons to jump to either end of your time range. These buttons are labeled with the actual start and end times. If you are already at the start or end, the corresponding button is dimmed.
- Click in the Jump To field (5) and enter a time or date+time to jump to that time. The syntax is the same as for the From field in the time range dropdown (above).
- If you've specified a relative time range (e.g. "Last 4 hours"), click the Update button (6) to show the very latest messages. This will refresh your display to reflect the current time. For instance, if you open the log view at 11:23 AM, using the default "Last 4 hours" span, it will show logs from 7:23 AM to 11:23 AM. If you then click the Update button at 11:30 AM, your time range will update to show 7:30 AM to 11:30 AM.
- Scroll up or down in the log view.
Click the Show Graph button (7) to generate a larger graph of the number of matching log messages. This will give you access to the complete set of graphing tools.
Time Range Dropdown
By default, the last four hours are displayed. You can customize this default.
The presets (1a) select your most recent data. For instance, select "4 hours" to view data from the last 4 hours.
To specify a custom time range, use the From (1b) and To (1c) fields. These fields are very flexible; you can enter:
- A time (e.g. 14:30 or 5:05 AM)
- A date (May 23)
- A date and time (5/14/2016 2:00 PM)
- A value like 5h or 2d to indicate "5 hours ago" or "2 days ago".
- ["To" field only] A value like +30m or +2h to indicate "30 minutes after the From time" or "two hours after the From time".
|Goal|From|To|
|---|---|---|
|Search the last hour|1h or 1 hour||
|Search from 5:23 AM this morning|5:23||
|Search one hour, beginning at 5:23 AM this morning|5:23|+1h|
|Search one hour, beginning at 1:00 PM on April 4th|April 4 1:00PM|+1 hour|
|Search from three days ago to two days ago|3d or 3 days|2d or 2 days|
A wide range of date and time formats are supported. See Time Syntax Reference for a complete list.
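An added example, not Scalyr's code: a small resolver that turns the From/To forms shown above into absolute timestamps, which is what belongs in an incident timeline because a relative range shifts with the current time. It handles only the relative and clock-time forms listed on this page; the function names and the fixed `NOW` value are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Only the forms shown on this page; the full Time Syntax Reference is not covered.
REL = re.compile(r"^(\+?)(\d+)\s*(m|minutes?|h|hours?|d|days?)$", re.I)
CLOCK = re.compile(r"^(\d{1,2}):(\d{2})\s*(AM|PM)?$", re.I)
UNITS = {"m": "minutes", "h": "hours", "d": "days"}

def _offset(text):
    """Return (is_plus, timedelta) for values like 5h, '2 days', +30m, else None."""
    m = REL.match(text.strip())
    if not m:
        return None
    return bool(m[1]), timedelta(**{UNITS[m[3][0].lower()]: int(m[2])})

def _point(text, now):
    """Resolve a value that names a point in time relative to `now`."""
    rel = _offset(text)
    if rel:
        if rel[0]:
            raise ValueError("+offset is only valid in the To field")
        return now - rel[1]
    m = CLOCK.match(text.strip())
    if not m:
        raise ValueError(f"unsupported time value: {text!r}")
    hour, ampm = int(m[1]), (m[3] or "").upper()
    if ampm == "PM" and hour < 12:
        hour += 12
    elif ampm == "AM" and hour == 12:
        hour = 0
    return now.replace(hour=hour, minute=int(m[2]), second=0, microsecond=0)

def resolve_range(frm, to, now):
    """Turn From/To field text into an absolute (start, end) pair."""
    start = _point(frm, now)
    rel = _offset(to) if to else None
    if not to:
        end = now                      # empty To: search up to the present
    elif rel and rel[0]:
        end = start + rel[1]           # +30m: measured from the From time
    else:
        end = _point(to, now)
    if end <= start:
        raise ValueError("To must be later than From")
    return start, end

NOW = datetime(2016, 5, 14, 11, 23)    # constructed "current time" for the demo
for frm, to in [("1h", ""), ("5:23", "+1h"), ("3 days", "2d")]:
    start, end = resolve_range(frm, to, NOW)
    print(f"From={frm!r:9} To={to!r:6} -> {start:%Y-%m-%d %H:%M} .. {end:%Y-%m-%d %H:%M}")
```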
The timeline shows how many log messages match your search in each time period. The upper-left corner shows the total number of messages matching your search (1). Move the mouse (2) over any bar in the chart to see the exact number of messages in that time period (3).
The scroll indicator (4) indicates which time period you're currently scrolled to. Click anywhere in the chart to jump to that point.
You can also use the timeline to narrow your view to a smaller time range. Simply click and drag to select the time range you'd like to zoom to. To "undo" a zoom, hit the Back button in your browser.
Click "Show Graph" to generate a larger graph of the number of matching log messages. This will give you access to the complete set of graphing tools.
Click the "Live Tail..." button to continuously view new log messages matching your search. The log will update every 10 seconds.
In Live Tail mode, most controls are hidden, so that more of your screen is available for log messages. Click the Stop button to return to the regular log view.
After 10 minutes, Live Tail updates will pause. Click "Restart Live Tail" to resume.
This area lists the fields Scalyr's parser has found in the log messages matching your search. By default, it shows the most common fields, limited to the number that will fit in your window: "Top Fields" (1). Click the dropdown and switch to "All Fields" to view all fields; then use the Prev/Next (3) buttons to navigate through the alphabetical list. The number next to each field indicates how many distinct values appear in that field (2). (If there are more than a few hundred distinct values, the number shown will be an estimate.)
Click on any field to view the most common values:
The blue bars (1) provide a visual indication of how often each value appears, and the numbers (2) provide a more precise estimate. You can click on a value (3) to restrict your graph to events having that field value.
If the field has too many values to display on one screen, click the "see more" link (4) to display up to 200 values.
For numeric fields, click the "Graph Values" button (5) to display a graph of that field (see Graphs).
Click the "Action" button on the left hand side of the search bar to display actions you can perform on your current search:
- Save search - Displays a dialog box that will save the search to either your personal or team's list of saved searches. These are available in the Search menu at the top of the page.
- Edit search text - Edit the search field directly.
- Start over - Erase your current search (the Search, Server/Host, and Log fields), allowing you to start a fresh search over all of your logs.
- Get permalink - Get a link to this search with relative time references replaced with absolute ones (instead of searching the previous hour to now, search 8 am to 9 am).
- Add to dashboard - Add this search to an existing dashboard, or start a new dashboard with this search.
- Add as Alert - Create a new alerting rule, which will trigger if the number of matches to your current search goes above or below a level you specify.
Log View Settings
This menu allows you to control which information is displayed before each log message in the main log area:
- Timestamp - the timestamp that Scalyr assigned to this log message. If the parser was able to identify a timestamp in the message, that value is used. Otherwise, the timestamp is assigned according to the time that the message was received by Scalyr's servers.
- Source - the name of the server or other source from which the message originated.
- Log file - the name of the log file in which this message originated. If the message did not come from a log (e.g. it was imported via the Scalyr API), this field will be blank.
- Raw log - The original raw log event.
You can also select which fields you want displayed in the list of log messages. See Log View for more details.