Search in UI

Use Scope Filters

The scope filters provide the ability to set global context in the Logging Analytics console and maintain it across Log Explorer and dashboard. The global context can be set for Logging Analytics resources such as entities log groups, and log sets.

  1. Click the Filter Filter icon icon in Logging Analytics on the top left corner of Log Explorer or the Dashboard details page to open the Scope Filter dialog box. Select the high level context for the following resources:

  2. Region: Select the regions in your tenancy where the log data that you want to search is available. Based on your selection of the regions, the options for the other filters are adjusted.

    If you select multiple regions, then your saved search which include the context from the scope filter, will have the selection of multiple regions too. The resulting visualization adds an implicit multi-region group by field. If the visualization was already at the maximum supported group by fields, then the region is concatenated to one of the group by fields. For example, Pie chart supports only one group by field.

    Some features such as chart drill downs, export, and side bar filtering are not supported when multiple regions are selected. You can download the results using the Actions menu instead of exporting.

  3. Log Group: By default, the root compartment is selected and the option to include subcompartments is enabled. With this selection, the log groups in the root compartment and the subcompartments in the hierarchy are selected for the search. You can modify this scope to narrow down your search for the log groups under Log Group Compartment. Enable Include Subcompartments to traverse the subcompartments of your selection of compartment to search for the logs.

    Note

    If you select a compartment for log group and cannot find the resource that you are looking for, then verify that you have the user access for that compartment.
  4. Entity: Enter the name of the entity whose logs you want to search.

    The Dependent Entities check box is automatically enabled to include within the scope to search for the logs. This is particularly useful when a composite entity is specified in the Entity field. You can disable the check box, if required.

  5. Log Set: If log partitioning is enabled in your tenancy, then you can select one, multiple or all log sets.

  6. Click Apply to see the modified log query results in the Log Explorer.

  7. Optionally, you can select fields to use as filters in the Scope Filter.

    From the Fields panel in the Log Explorer, click the Actions menu Actions menu icon next to the field, and select Add to scope filters. The field now appears as a filter in the Scope Filter dialog.

After the scope filter is applied, you can view the applicable filters next to the Filter icon in the form of pills. Click on the pill to modify the scope filter. Click (x) on the pill to remove that filter.

Following are some of the properties of the global context of the scope filter:

  • The selection of and changes to the scope filter and the time range get carried over between the Log Explorer and Dashboard.

  • You can save your selection of scope filter and time using the saved search and reuse it at a later point, if needed.

Search Logs by Entities

You can use the Entity field in the Pinned section of Oracle Logging Analytics to filter logs by an entity or multiple entities.

Entities are resources, such as host machines, databases, and Oracle Fusion Middleware components, which can be managed and monitored in Oracle Management Cloud.
To search for logs for the RideShare application entities:
  1. Open the navigation menu and click Observability & Management. Under Logging Analytics, click Log Explorer.
  2. In the Fields panel, under Pinned section, click Entity .
  3. In the Entity dialog box, select the required entities, and click Apply.
    Note

    In the Entity dialog box, you can see the occurrence trend for the available entities in the form of sparklines. For the prior example, the sparklines show when the log entries corresponding to the available entities are generated based on the time range selected in the time selector on the top right corner of the dialog box.

Use the Filter Option

You can use the filter option in the visualizations that generate a table of records to filter the log data with the fields available in the log records.

In the visualizations that provide table of records, click the field value to view the filter out options. In the following example, the records with histogram chart has a table of records with the values available for fields like entity, entity type, log source, and host name.

When you click the field value, the following filter options are available:

  • Add to Search: The field that you clicked is added to the search query, and the log data is filtered to include the corresponding field in the search. For example, if you click the entity type value Host (Linux) and specify to add it to search, then the previous search query is updated to include 'Entity Type'='Host (Linux)' in the search string.
  • Exclude from Search: This excludes the field from the search, and generates a refined result of log records that don't contain the specified field value. For example, if you click the log source value Linux Syslog Logs and specify to exclude it from search, then the previous search query is updated to have 'Log Source'!='Linux Syslog Logs' in the search string. The resultant log data will have only those log records which are not collected from the specified log source.

Filter Logs by Pinned Attributes and Fields

You can also filter data by using the sources and the fields in the log messages.

  • The Pinned attributes let you filter log data based on:

    • Sources, such as database logs, Oracle WebLogic Server logs, and so on.

    • Log entities, which are the actual log file names.

    • Labels, which are tags added to log entries when log entries match specific defined conditions. See Use Labels in Sources.

    • Upload names of log data uploaded on demand. See Upload Logs on Demand.

    By default, the entities and collection details are available in the Pinned bucket of the Fields panel for filtering. You can pin additional fields to the Pinned bucket depending on your usage. Once pinned, the fields are moved to the Pinned bucket. You can unpin any field and remove it from the Pinned bucket and move it back to the Computed or Other bucket.

  • Based on your search and queries, Oracle Logging Analytics automatically adds fields to the Computed bucket for your quick reference. You can pin a field that’s available under Computed bucket. The pinned field then gets moved to the Pinned bucket.

  • You can pin any field in the Other bucket and move it to the Pinned bucket. If you use a field from the Other bucket in your search or query, then it’s moved to the Computed bucket.

Filter Logs by Source Attributes

In the Fields panel of Oracle Logging Analytics, you can use the Log Source field to filter logs by the source attributes such as log source and log entities.

For example, to search for logs for a particular log source, such as Database Listener Alert Logs:
  1. Open the navigation menu and click Observability & Management. Under Logging Analytics, click Log Explorer.
  2. Under the Pinned fields section, click Log Source.
  3. In the Source dialog box, select Database Listener Alert Logs and click Apply.
    Note

    • In the Source dialog box, you can see the occurrence trend for the available sources in the form of sparklines. The sparklines show when the log entries corresponding to the available log sources are generated based on the time range selected in the time selector on the top right corner of the dialog box.

    • You can select all the listed items by selecting the checkbox in the header pane on the top left.

Filter Logs by Labels

The labels representing the problem conditions such as deadlock situation, memory issue, stuck thread, connection issue, abnormal termination and so on are added to the log sources that conform to any of the problem conditions. So, you can filter the logs by specifying the label for the problem condition that you’re looking for.

In the Fields panel of Oracle Logging Analytics, you can use the Label field to filter log data by data labels.

  1. Open the navigation menu and click Observability & Management. Under Logging Analytics, click Log Explorer.
  2. From the Visualize panel, select Records with Histogram.
  3. From the Pinned section, click Label.
  4. In the Label dialog box, select the label that you want to analyze, such as CriticalError, and click Apply.
    Note

    • In the Label dialog box, you can see the occurrence trend for the available labels in the form of sparklines. The sparklines show when the log entries corresponding to the available labels are generated based on the time range selected in the time selector on the top right corner of the dialog box.

    • You can select all the listed items by selecting the checkbox in the header pane on the top left corner of the dialog box.

  5. From the Pinned section of the Fields panel, drag and drop Label to the Display Fields section of the Visualize panel.
Oracle Logging Analytics displays all the log entries pertaining to the selected label.

Filter Logs by Data Uploaded on Demand

In the Fields panel of Oracle Logging Analytics, you can use the Upload Name field to filter log data by data uploaded on demand.

For example, to search for uploaded log data for Microsoft SQL Server errors:
  1. Ensure that you’ve uploaded your on-demand log data as specified in Upload Logs on Demand.
  2. Open the navigation menu and click Observability & Management. Under Logging Analytics, click Log Explorer.
  3. From the Visualize panel, select Records with Histogram.
  4. From the Pinned section of the Fields panel, click Upload Name.
  5. In the Upload Name dialog box, select the entry that you want to analyze (for example, MicrosoftSQLServer_ErrorLog), and click Apply.
    Note

    • In the Upload Name dialog box, you can see the occurrence trend for the available uploads in the form of sparklines. The sparklines show when the log entries corresponding to the available uploads are generated based on the time range selected in the time selector on the top right corner of the dialog box.

    • You can select all the listed items by selecting the checkbox in the header pane on the top left.

Oracle Logging Analytics displays all the log entries for the on-demand upload name.

Filter Logs by Fields in Log Messages

You can search logs by using fields in the Fields panel.

The Fields panel of Oracle Logging Analytics lists the field attributes based on which you can filter log data.

For example, to filter only those logs where the entity type is Oracle WebLogic Server, and the values of the field attribute Severity are ERROR and NOTIFICATION:
  1. Open the navigation menu and click Observability & Management. Under Logging Analytics, click Log Explorer.
  2. In the Fields panel, click Entity Type.
  3. In the Entity Type dialog box, select Oracle WebLogic Server and click Submit.
  4. In the Fields panel, click Severity.
  5. In the Severity dialog box, select ERROR and NOTIFICATION, and click Submit.
    In the selected <field name> dialog box, you can see the occurrence trend for the available field value in the form of sparklines. The sparklines will show when the log entries corresponding to the available field values got generated based on the time range chosen in the time selector on the top right corner of the dialog box.

    You can select all the listed items by selecting the checkbox in the header pane on the top left corner of the dialog box.

    Note

    Fields, such as Message, which has too many large or distinct values are not eligible to be filtered using the Fields panel. See List of Non-Facetable Fields for the fields that can’t be filtered using the Fields panel.

    If you try to filter such fields, Oracle Logging Analytics displays a message that values for the selected field can’t be displayed.

    However, you can add any such field to the Display Fields section.

  6. From the Fields panel, drag the Severity attribute and drop the attribute in the Display Fields section in the Visualize panel.
Rename a Field

You can use the rename command to rename one or more fields.

By renaming system-defined fields, you can control the names of the fields at the time of generating reports. See rename.

For example, to rename the Host IP Address (Client) field to clientip, in the Search field of Oracle Logging Analytics, you need to enter the following command and press Enter:

* | rename 'Host IP Address (Client)' as clientip

Note

Renaming is only a runtime operation, and it doesn’t affect the underlying data storage.

Filter Logs by Field Range

For the fields with numerical values, you can use the bucket option to group the log records into buckets based on the range of values of a field. The resultant popup window displays the counts and sparkline based on the range buckets instead of distinct values.

  1. Click the Actions (actions) icon next to the field.

    The dialog box displays the following options:
    • Filter: To display distinct individual values of the field

    • Bucket: To display the ranges of the field

  2. Select Bucket.

    In the dialog box, you can see the occurrence count for the field in the form of ranges.

    When the selected field is rendered in the visualizations such as the pie chart, bar chart, or treemap, the trend will be based on the value ranges and not the distinct individual values.

Exclude Field Values from Search

After the filter result is generated, you can use the filter option in any of the visualizations with table of records to exclude a field value from search. However, if you want to exclude specific values before the search, then you can select them in the filter dialog box.

To know more about filter option, see Use the Filter Option.

For example, to exclude the search for logs for a particular log source, such as Database Listener Alert Logs:
  1. Open the navigation menu and click Observability & Management. Under Logging Analytics, click Log Explorer.
  2. Under the Pinned fields section, click Log Source.
  3. In the Source dialog box, select Database Listener Alert Logs, check the box Exclude from Search, and click Apply.

    The query in the query bar is updated with the != or not in relation for the selected source and the result is displayed through the visualization.

    Note

    • When you reopen the Source dialog box, by default, those sources are listed which are selected for display in the visualization, as indicated by the option Selected in the Show menu. This list is obtained from running the query that you can currently view in the query bar. To view all the sources, select Available in the Show menu. Now, all the sources, even those that are excluded from search, are listed. You can now modify your filter preference.

    • When you reopen the Source dialog box, if the Exclude from search check box is enabled, then it is an indication that some of the sources are excluded from search. To exclude multiple values of the source from search, keep the check box Exclude from search enabled, and add more to the exclude list by selecting those values in the Source dialog box.