Search View Reference
This topic is a detailed reference guide to the Search view, where you can view individual logs, aggregate multiple servers and logs, and search through log content. For a quick introduction, see Search.
Entering Search View
To view a single log from a single server, click "Logs" in the top navigation bar, and then click on the link to the log file.
To start out viewing all logs from all servers, go to the Search menu in the top navigation bar, and choose "Search".
Log Overview Data Timeout
The Log Overview List (the one on the Logs page) reflects only data sources from which Scalyr has received logs in the last 24 hours. That is, if Scalyr does not receive any logs from a source for 24 hours, the server and its logs are no longer displayed in the log overview.
This timeout period is set to 24 hours by default, but it can be reconfigured if you wish. To do this:
- Click the username link in the upper right to drop down the Administration menu.
- Select Configuration, to display the list of editable configuration files.
- Click the /scalyr/logs link to open that file.
- Add the following parameter to this file, where NN is your preferred interval, in hours:
  defaultAgeLimitHoursInOverviewPage: NN
- Click the green Update file button to save your changes.
In the Search View, use the Server/Host and Log fields (1) to specify which servers and/or logs you’d like to search. In the Server/Host field, you can enter the name of a server. You can also use * as a wildcard at the beginning or end (but not the middle) of a name. For instance, enter database* to search logs from all servers whose name begins with "database". Similarly, use the Log field to enter the name of a log file. If you have files with the same name on different servers, the Log field will select that log across all servers. To select a single log from a single server, fill in both Server/Host and Log.
When you click in the Server/Host or Log field, you will see a list of all available names. You can use the mouse or arrow keys to select an entry from the list. As you begin typing, the list will narrow down to match what you've typed so far. However, your selection in one field does not affect the choices shown in the other field. For instance, if you type the name of a single server, the Log field will still list log files from all servers.
Use the Search field (2) to search for messages containing particular text (e.g. error), or by field values (e.g. status >= 500). See Query Language Reference for a full description of the Scalyr query language.
The log display shows the log messages that match your search. You can scroll horizontally to view long messages, and vertically to move through your selected time range.
Next to each message, the date and timestamp, server name, and log file name are shown (1). You can hide these fields using the Display Settings menu (described below).
You can click on any message to bring up additional tools (2). Additional tools appear if you select some text in the message.
- Click "Filter For" to restrict your search to messages containing the selected text.
- Click "Exclude" to restrict your search to messages that don't contain the selected text.
- Click "New Search For" to discard your current search and display all log messages containing the selected text.
- Click "View Details" to see more information regarding this log message.
- Click "See In Original Log" to view the raw log file where this message originated.
The View Details button displays additional information for the selected log message:
- Click Edit Parser to manage the parsing rules used for this log file.
- Click See In Original Log to view the raw log file where this message originated.
- Click See In Thread Log to view log messages from the specific server thread that generated this log message. (This works only for messages reported using Scalyr's Java API library.)
- The date and time shows the timestamp that Scalyr assigned to this log message. If the parser was able to identify a timestamp in the message, that value is used. Otherwise, the timestamp is assigned according to the time that the message was received by Scalyr's servers.
- The full text of the log message is shown.
- The Event Fields list lists all fields Scalyr's parser was able to identify in this message, as well as information about the server and log file.
By default, the search view will show the most recent messages in your selected time range - i.e. the messages at the end of the range. There are several ways to navigate through the time range:
- Click on the time range dropdown (1) to specify the time range to search.
- Click in the timeline (2) to jump to the point in time where you clicked.
- Click the Start (3) or End (4) buttons to jump to either end of your time range. These buttons are labeled with the actual start and end times. If you are already at the start or end, the corresponding button is dimmed.
- Click in the Jump To field (5) and enter a time or date+time to jump to that time. The syntax is the same as for the From field in the time range dropdown (above).
- If you've specified a relative time range (e.g. "Last 4 hours"), click the Update button (6) to show the very latest messages. This will refresh your display to reflect the current time. For instance, if you open the log view at 11:23 AM, using the default "Last 4 hours" span, it will show logs from 7:23 AM to 11:23 AM. If you then click the Update button at 11:30 AM, your time range will update to show 7:30 AM to 11:30 AM.
- Scroll up or down in the search view.
Click the Show Graph button (7) to generate a larger graph of the number of matching log messages. This will give you access to the complete set of graphing tools.
Time Range Dropdown
By default, the last four hours are displayed. You can customize this default.
The presets (1a) select your most recent data. For instance, select "4 hours" to view data from the last 4 hours.
To specify a custom time range, use the From (1b) and To (1c) fields. These fields are very flexible; you can enter:
- A time (e.g. 14:30 or 5:05 AM)
- A date (May 23)
- A date and time (5/14/2016 2:00 PM)
- A value like 5h or 2d to indicate "5 hours ago" or "2 days ago".
- ["To" field only] A value like +30m or +2h to indicate "30 minutes after the From time" or "two hours after the From time".
| |From|To|
|---|---|---|
|Search the last hour.|1h or 1 hour| |
|Search from 5:23 AM this morning|5:23| |
|Search one hour, beginning at 5:23 AM this morning|5:23|+1h|
|Search one hour, beginning at 1:00 PM on April 4th|April 4 1:00PM|+1 hour|
|Search from three days ago to two days ago|3d or 3 days|2d or 2 days|
A wide range of date and time formats are supported. See Time Syntax Reference for a complete list.
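The sketch below is an added example, not Scalyr code: it resolves a From/To pair into absolute start and end times, which is useful when recording the exact window of a search in an incident timeline. It handles only the relative ("5h", "3 days"), offset ("+1h") and clock-time ("5:23", "2:00 PM") forms shown above; the function names and the rule that an empty To field means "now" are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: only the forms quoted on this page are handled; the product
# accepts many more. Datetimes are naive (one implied time zone).
_REL = re.compile(r"^(\+?)(\d+)\s*(m|h|d|minutes?|hours?|days?)$", re.I)
_CLOCK = re.compile(r"^(\d{1,2}):(\d{2})\s*(AM|PM)?$", re.I)
_UNIT = {"m": "minutes", "h": "hours", "d": "days"}


def _resolve(text, now, base=None):
    """Turn one field value into an absolute datetime."""
    text = text.strip()
    m = _REL.match(text)
    if m:
        plus, n, unit = m.groups()
        delta = timedelta(**{_UNIT[unit[0].lower()]: int(n)})
        if plus:
            if base is None:
                raise ValueError("'+' offsets are valid in the To field only")
            return base + delta          # "+1h": one hour after From
        return now - delta               # "5h": five hours ago
    m = _CLOCK.match(text)
    if m:
        hour, minute, ampm = int(m.group(1)), int(m.group(2)), m.group(3)
        if ampm:                         # 12 AM -> 0, 12 PM -> 12
            hour = hour % 12 + (12 if ampm.upper() == "PM" else 0)
        return now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    raise ValueError(f"unsupported time expression: {text!r}")


def resolve_range(from_text, to_text, now):
    """Return (start, end); an empty To field is taken to mean 'now'."""
    start = _resolve(from_text, now)
    end = _resolve(to_text, now, base=start) if to_text.strip() else now
    if end <= start:
        raise ValueError("To must be later than From")
    return start, end


if __name__ == "__main__":
    now = datetime(2016, 5, 14, 11, 23)  # constructed "current time"
    for frm, to in [("1h", ""), ("5:23", "+1h"), ("3 days", "2 days")]:
        start, end = resolve_range(frm, to, now)
        print(f"From={frm!r:9} To={to!r:9} -> {start:%Y-%m-%d %H:%M} .. {end:%Y-%m-%d %H:%M}")
```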
Using the Timeline
The timeline shows how many log messages match your search in each time period. The upper-left corner shows the total number of messages matching your search (1). Move the mouse (2) over any bar in the chart to see the exact number of messages in that time period (3).
The scroll indicator (4) indicates which time period you're currently scrolled to. Click anywhere in the chart to jump to that point.
You can also use the timeline to narrow your view to a smaller time range. Simply click and drag to select the time range you'd like to zoom to. To "undo" a zoom, hit the Back button in your browser.
Click "Show Graph" to generate a larger graph of the number of matching log messages. This will give you access to the complete set of graphing tools.
Click the "Live Tail..." button to continuously view new log messages matching your search. The log will update every 10 seconds.
In Live Tail mode, most controls are hidden, so that more of your screen is available for log messages. Click the Stop button to return to the regular search view.
After 10 minutes, Live Tail updates will pause. Click "Restart Live Tail" to resume.
The Field List
This area lists the fields Scalyr's parser has found in the log messages matching your search. By default, it shows the most common fields, limited to the number that will fit in your window: "Top Fields" (1). Click the dropdown and switch to "All Fields" to view all fields; then use the Prev/Next (3) buttons to navigate through the alphabetical list. The number next to each field indicates how many distinct values appear in that field (2). (If there are more than a few hundred distinct values, the number shown will be an estimate.)
Click on any field to view the most common values:
The blue bars (1) provide a visual indication of how often each value appears, and the numbers (2) provide a more precise estimate. You can click on a value (3) to restrict your graph to events having that field value.
If the field has too many values to display on one screen, click the "see more" link (4) to display up to 200 values.
For numeric fields, click the "Graph Values" button (5) to display a graph of that field (see Graphs).
The Save Menu
Click the "Save" button in the left-center of the search bar to display the following Save actions for your current search:
- Save Search: Opens a dialog box that lets you save the active search query to either your personal or team's list of saved searches; your list is selected by default. Saved searches are available in the Search main navigation menu.
- Save as Alert: Creates a new alerting rule, which will trigger if the number of matches to your current search goes above or below a level you specify.
- Save to Dashboard: Adds this search to an existing dashboard, or starts a new dashboard with this search.
- Download: Download the current search results as a text file.
- Export to S3: Save search results in an S3 bucket.
The Share Menu
Click the "Share" button in the left-center of the search bar to display the following Share actions for your current search:
- Copy Link: Opens a modal window where you can copy a link to this search with relative time references replaced by absolute ones. For example, instead of searching the previous hour, it would search 8 a.m. to 9 a.m.
- Add to Shared Search List: Opens a dialog box that lets you save the active search query to either your personal or team's list of saved searches; the team list is selected by default. Saved searches are available in the Search main navigation menu.
The DISPLAY button at the right of the search bar opens the Display Settings editor, where you can control what information is included in the Matching Events list.
You can choose whether to view search results as log lines, or in a table. If you choose to view them in a table, you will need to select which fields to show.
A set of checkboxes let you control what information is included before each log message in the Matching Events list:
- Date: Select this to include the date Scalyr assigned to this log message. If the parser was able to identify a timestamp in the message, the date is extracted from that value. Otherwise, the date is assigned according to the time that the message was received by Scalyr's servers.
- Time: Display the time assigned to this message. Works like the Date field, described above.
- Source: Select this to include the name of the server or other source from which the message originated.
- Log file: Select this to include the name of the log file in which this message originated. If the message did not come from a log (e.g., was imported via the Scalyr API), this field will be blank.
- Raw log: Select this to include the original raw log event.
Use the buttons to move fields from the Parsed Fields list over to the Fields to Show list. The Up and Down buttons let you
You can also select which fields you want displayed in the list of log messages:
- The left pane, Parsed Fields, shows all fields the parser identified in this log; click the middle buttons to move fields over to the Fields to Show pane on the right.
- To remove a field from the Show pane, select it and click the DELETE button below the pane.
- Fields will display from left to right in the same order as they are listed here. To modify the display order, select a field and use the UP and DOWN buttons below the pane. If the Table radio button is selected, this determines the order of the columns.