View Logs

Scalyr provides flexible and powerful tools for exploring log data. The focus is on general-purpose tools that let you view any of your data, in any way you'd like to analyze it. There are five ways to view your data:

  • Log View is the traditional, textual view of a log. Great for diving in and looking at specific examples of what your servers are doing.
  • Graph View lets you plot event rates, metric values, or even complex calculations to see trends over time.
  • Facet View summarizes each field in your logs, showing which values are most common. This gives you a high-level overview of an entire data set.
  • Histogram View shows the distribution of numeric values on a field, such as processing time or response size. This can be a great way to spot outliers that don't show up in an average, such as unusually slow database queries.
  • Reports allow you to pull together large amounts of data in a clickable chart for quick review and exploration.

The Solutions Directory provides specific, task-focused examples of how to use the Scalyr data views. This page provides a complete reference.

Data Selection

The first step is identifying the data you want to explore. You may want to look at:

  • Events from all servers, a group of servers such as "production frontends", or a particular server.
  • Events from a particular type of log, or a specific log file.
  • Events containing a specific search term or field value.

By default, when you click the Search button in the navigation bar, Scalyr will show all events from all of your servers. This is useful only as a starting point. You can narrow your starting point by starting with the Overview button and selecting a specific log file. Or use tools like Refine Search to drill down by server, log type, and any other field. (For a review of event fields, refer back to the Getting Started page.)

Your current data selection is indicated by the Expression box:

In this example, we started out looking at the access_log file from the server "frontend-1", and we drilled down to examine requests for the /login page. To learn the full power of the Scalyr query language, refer to the Query Language page. Often you can get to the data you need simply by clicking through the data exploration views, and that's what we'll focus on in this guide. Remember that you can always delete search terms from the Expression box to pull back to a wider view of your data.

Time Range

In most views, you can choose to view data from any period of time. Use a large time range to view long-term trends, or narrow down to focus on current patterns or investigate a specific incident.

The time range is specified by the Start and End boxes:

You can specify dates and times in almost any format, including shortcuts such as "4 hours" to indicate four hours ago. You can leave the End box blank to include events up to the present time. You can also enter an End value beginning with a "+" to indicate a time span, e.g. "+1 day" is 1 day after the Start time. The following examples illustrate the full array of date options:

Start                  | End             | Meaning
4 hours                |                 | The last four hours
6 days                 | 5 days          | From six days (144 hours) to five days (120 hours) ago
10:30 AM               | 2 PM            | 10:30 AM to 2:00 PM today
10:30                  | 14:00           | 24-hour format is also supported
10:30:14.106 AM        | 10:30:18.904 AM | As are seconds and fractional seconds
Monday                 | Thu             | From midnight Monday until midnight Thursday. You can abbreviate day names.
March 3                | 4 Mar 2014      | From midnight March 3 until midnight March 4. Month and date can be in either order, and year is optional.
Oct 11 11:45:00 AM     | Friday 6 AM     | Any date format can be combined with any time format.
Jan. 10 11:00 AM       | +4 hours        | From 11:00 AM to 3:00 PM on January 10th.
1346261004000 ms       | +30s            | A 30-second period, beginning the specified number of milliseconds after January 1, 1970.
1346261004000000000 ns | +30s            | Similarly, but using nanoseconds.
1346261004000          | +30s            | The "ms" or "ns" tag is optional.

For relative times, you can use any of the following units and abbreviations:

  seconds, second, secs, sec, s
  minutes, minute, mins, min, m
  hours, hour, hrs, hr, h
  days, day, d
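
When you script an investigation window, it helps to know exactly which interval a Start/End pair selects. The sketch below is an added example, not Scalyr's parser: it resolves only the relative, "+" span, and epoch forms from the table above, and the names parse_point and resolve_range are hypothetical. Guessing the unit of an untagged epoch value by magnitude is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Relative-time unit spellings listed on this page, mapped to seconds.
UNITS = {name: secs
         for names, secs in (("seconds second secs sec s", 1),
                             ("minutes minute mins min m", 60),
                             ("hours hour hrs hr h", 3600),
                             ("days day d", 86400))
         for name in names.split()}
SPAN = re.compile(r"(\+?)\s*(\d+)\s*([a-z]+)")
EPOCH = re.compile(r"(\d+)\s*(ms|ns)?")
ZERO = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_point(text, now, start=None):
    """Resolve one Start/End box value to an aware UTC datetime."""
    text = text.strip().lower()
    m = SPAN.fullmatch(text)
    if m and m.group(3) in UNITS:
        span = timedelta(seconds=int(m.group(2)) * UNITS[m.group(3)])
        if m.group(1):                 # "+30s": a span measured from Start
            if start is None:
                raise ValueError("'+' spans are only valid in the End box")
            return start + span
        return now - span              # "4 hours": that long before now
    m = EPOCH.fullmatch(text)
    if m:
        value, tag = int(m.group(1)), m.group(2)
        if tag is None:                # ASSUMPTION: guess the unit by magnitude
            tag = "ns" if value >= 10**16 else "ms"
        micros = value * 1000 if tag == "ms" else value // 1000
        return ZERO + timedelta(microseconds=micros)
    # Absolute dates and clock times from the table are not handled here.
    raise ValueError(f"unsupported time value: {text!r}")

def resolve_range(start_box, end_box, now):
    """Return (start, end); a blank End box means 'up to the present'."""
    start = parse_point(start_box, now)
    end = parse_point(end_box, now, start) if end_box.strip() else now
    if end < start:
        raise ValueError("End is before Start")
    return start, end
```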

Log View

Log View is the traditional, textual view of a log. It can be reached by clicking the Search button in the navigation bar, or by starting with the Overview button and clicking on a log file.

The log view displays as many events as will fit in your window. To see more data, use the blue buttons at the bottom of the page. You can jump to the start or end of the selected time range, skip back and forth 15 minutes at a time, or step one page at a time.

Click on any event to bring up a detailed view:

Here, each field of the event is shown. Fields with scope "E" come from the event itself; fields with scope "S" come from the server which reported the event. (For a review of event fields, refer back to the Getting Started page.) You can click the dropdown icon next to any field name to restrict your search using that field. The Common values link displays a breakdown of the most common values which appear in this field, across all events in your current data set. The Graph and Histogram links (only shown for numeric fields) display the values in this field in the corresponding format.

On the left side, additional information regarding this event is shown. You can see the event's exact date and time, and the server and log file where it originated. For long log messages, click the Entire Message link to display the full text. The Original log link removes your current filter and shows this event in its original context (the complete log file from which it originated). The Thread log link applies only to Java applications sending events via our Java API; it shows all events from the same thread as this event.

Note that you can click on any word in a log to restrict your search to events containing that word. Click and drag to select a phrase.

To select log text for copying, hold down the Shift or Alt (Windows) / Option (Mac) key while clicking. This disables the normal log click behavior and allows you to select a range of text.

Above the log messages is a graph showing the number of events per second which match your search. Click and drag in this graph to select a time range. The average number of events per second in that time range will be displayed, and you can click inside the highlighted range to narrow your view to that time period:

The Refine Search button displays a summary of all fields in the events matching your search. Select any value to restrict your search to events with that value. This is a quick and easy way to narrow down on events of interest without typing search expressions by hand. Note that if all matching events have the same value for a field, that field will not be listed under the Refine Search button.

Use the Severity dropdown to restrict your search to critical events. This applies only if your log files contain a severity (or "logging level") indicator. All events with a severity above or equal to the selected value will be shown.

By default, the log view shows a timestamp for each event, followed by the raw text of that event. Often the timestamp is redundant with the raw text. To hide the timestamp, uncheck the Add server timestamps checkbox.

Graph View

Graph View lets you plot event rates, metric values, or even complex calculations to see trends over time. It can be reached by clicking the Search button in the navigation bar, and then selecting the Graph tab. Often, it is more convenient to generate a graph by starting in the Log view, clicking on an event to display the event's details, opening the dropdown menu next to a numeric field, and selecting the Graph link.

You can graph three types of data:

  • Event rates — the number of events per second which match a search. For instance, the number of errors per second logged by a group of servers.
  • Field values — a numeric field parsed from your log events. For instance, the amount of time your server spent serving a request.
  • Calculated values — a calculation based on event rates and field values. For instance, the ratio of CPU usage to server requests.

Some parts of the graph view are the same as the log view:

You can use the same Expression, Start, and End boxes to select the events to work with. The Range boxes determine the vertical scale of the graph. The Variable box specifies which event field to graph; leave it blank to display an event rate graph. Note that if you specify a field, two graphs will be displayed: a graph of the specified value, followed by an event rate graph.

By default, the graph will show the average (mean) value of the graphed field. Many other functions are supported, such as min, max, or percentiles. You can also compute ratios or other complex values. See the Graph Functions reference.

The Refine Search box is also similar to the log view. It lists all fields in the events matching your search, excluding fields for which all matching events have the same value. Click on any field to see the most common values for that field, and to restrict your search to events with a particular value.

If you are graphing a field value, then above the graph will be a small table summarizing the values for that field. This table shows the number of events matching your search; the minimum, maximum, and average (mean) value of the graphed field; and various percentile values. Click on the Min (minimum) or 10th (10th percentile) value to restrict to events where the field is less than or equal to that value. Click on any other value to restrict to events where the field is greater than or equal to that value. For instance, by clicking on the "99th %ile" value, you can see a graph of events where the field is in the 99th percentile of all matching events. This provides a quick way to narrow down to outlying events. You might then want to switch to the Log or Facets view to see more information about these events. For instance, if you were looking at a graph of server response times, you may find that most of your slow requests are for a particular page or are being handled by a particular server.

Just above the graph are a set of arrow buttons. These let you step forward and back in time by a full graph or half the graph, or jump to the present time.

Numeric Values

To see precise numbers in any graph, simply move the mouse into the graph. Underneath, you'll see the exact value at the point under the mouse. Slide the mouse back and forth to view different times.

To examine values across a range of time, click and drag inside the graph to select the time range. Underneath, you'll see the mean (average) value across that time range. You'll also see a dropdown menu, which you can use to view other statistics:

  • Delta — The net change across the time range. For instance, if the value is 100 at the beginning of the time range and 120 at the end, the delta is 20.
  • Delta per hour — The delta, divided by the number of hours in the time range. For instance, you can use this on a graph of free disk space to show how quickly your disk is filling up.
  • Delta per sec — The delta, divided by the number of seconds in the time range.
  • Max — The largest graphed value in the time range.
  • Mean — The mean (average) graphed value in the time range.
  • Min — The smallest graphed value in the time range.
  • Sum of Rate — For graphs which show a rate, this shows the total across the time range. For instance, in a graph of network bandwidth, it shows the total number of bytes transferred.

Note: these statistics are computed using the values in the graph, not the raw underlying data. For example, "Max" shows the largest number in the selected portion of the graph, not the largest individual value in the log from which the graph was generated.
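
The effect of that note is easiest to see with numbers. The following added example (not Scalyr code) averages constructed raw events into graph points and computes the dropdown statistics over those points. The 10-minute bucket width and the function names are assumptions made for illustration.

```python
from statistics import mean

def graph_points(events, start, end, bucket_secs):
    """Average raw (timestamp, value) events into fixed-width buckets, as a
    mean-value graph does. Returns [(bucket_start, mean_value), ...]."""
    buckets = {}
    for ts, value in events:
        if start <= ts < end:
            key = start + (ts - start) // bucket_secs * bucket_secs
            buckets.setdefault(key, []).append(value)
    return [(k, mean(v)) for k, v in sorted(buckets.items())]

def selection_stats(points, span_secs):
    """Dropdown statistics from this page, computed over graph points only."""
    values = [v for _, v in points]
    delta = values[-1] - values[0]
    return {
        "Delta": delta,
        "Delta per hour": delta / (span_secs / 3600),
        "Delta per sec": delta / span_secs,
        "Max": max(values),
        "Mean": mean(values),
        "Min": min(values),
    }

# Constructed sample: one request per minute for an hour, response time in ms.
# Latency creeps up from 100 ms to 159 ms, with one 9000 ms outlier at minute 31.
RAW = [(m * 60, 9000 if m == 31 else 100 + m) for m in range(60)]

def demo():
    # ASSUMPTION: the graph draws six 10-minute buckets for a one-hour range.
    points = graph_points(RAW, 0, 3600, bucket_secs=600)
    stats = selection_stats(points, span_secs=3600)
    raw_max = max(v for _, v in RAW)
    return stats, raw_max

if __name__ == "__main__":
    stats, raw_max = demo()
    for name, value in stats.items():
        print(f"{name:15} {value:.2f}")
    print(f"{'Raw max':15} {raw_max:.2f}")
```

The graph's Max reflects the bucket average that contains the outlier, not the 9000 ms event itself, so finding the individual slow request still means drilling down into the Log or Histogram view.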

To dismiss a time range, click anywhere in the graph outside of the selected time range. Or click inside the selected time range to narrow the graph to that time range.

The Save Search menu allows you to save the current view for later use, add it to a dashboard, or set an alert based on a graphed value. See the Saved Searches, Alert, and Dashboard reference pages for details.

Time Overlay

To get a sense of how values change over time, you can display two overlapping time periods. For instance, you can compare recent values with day-ago or week-ago data.

To display time overlays, add a semicolon and a time offset to the Start field. For instance, where "4h" displays a single plot beginning four hours ago, "4h; 1 week" adds a second plot beginning 1 week earlier. All relative time units and abbreviations supported in the Start and End boxes can be used — see the Time Range section.

Facets View

Facets View summarizes each field in your logs, showing which values are most common. This gives you a high-level overview of an entire data set. It can be reached by clicking the Search button in the navigation bar, and then selecting the Facets tab. You can also switch to the Facets tab at any time while viewing a log, graph, or histogram, to see an overview of the events matching your current search.

Some parts of the facets view are the same as the log view. You can use the same Expression, Start, and End boxes to select the events to work with. The Severity dropdown restricts your search to critical events, just as in log view.

The facets view lists each field that appears in at least one event matching your search. For each field, the 10 most common values are shown. Click on a value to restrict your search to events having that value. Numeric fields will also have graph and histogram links; click these links to display a graph or histogram of that field.

If a field has more than 10 distinct values in the events matching your search, a see more values link will be displayed. Click that link to see the 100 most common values for that field.

If many events match your search, the Facets view will use a random subsample. This can cause rare values to be missed. For instance, suppose you are analyzing a set of 10,000,000 web requests, and 137 of those requests (0.00137%) are for a particular page. That page might not appear in the facets view. The "see more values" page uses samples of at least several hundred thousand events, and so is much less likely to miss rare values.

Histogram View

Histogram View shows the distribution of numeric values in a field. It can be reached by clicking the Search button in the navigation bar, and then selecting the Histogram tab. Often, it is more convenient to generate a histogram by starting in the Log view, clicking on an event to display the event's details, opening the dropdown menu next to a numeric field, and selecting the Histogram link.

Some parts of the histogram view are the same as the log view:

You can use the same Expression, Start, and End boxes to select the events to work with. The Variable box specifies which event field to display.

Above the histogram is a small table summarizing the values for that field. This table also appears in the graph view, and is described in the Graph View documentation.

A histogram is a way of summarizing numeric values. It is a graph where the horizontal axis displays different values, and the vertical axis indicates how many events have that value. For instance, if you display the "bytes" (response size) field of a web access log, the histogram will show how many pages of each size were generated.

You can drill down to analyze events having a particular value in the displayed field. Simply click on any bar in the histogram. This narrows your search expression to events having values in the range corresponding to that bar, and switches to the Facets view.

Reports

Reports allow you to pull together large amounts of data in a clickable chart for quick review and exploration. To generate a report, you must incorporate it into a dashboard. See the Dashboards Reference for details.