Inspecting the Logs: Tips & Tricks
The Log Analyzer uses OpenSearch as data storage and OpenSearch Dashboards to analyze the service logs. OpenSearch Dashboards is an open source analytics and visualization tool. You can search, view, and interact with data stored in OpenSearch indices. You can perform advanced data analysis and visualize your data in a variety of charts, tables, and maps in customized dashboards.
On this page, we have compiled some helpful tips & tricks that may help you when working with the Scheer PAS Log Analyzer.
Search Languages: DQL vs. Lucene
By default, the search box uses Dashboards Query Language (DQL), a text-based query language.

Reserved Characters in DQL
The following characters are reserved in DQL:
\ ( ) : < > " *
To escape reserved characters, use a backslash: \
DQL searches the field(s) set as the default field(s) on the index. If no default field is set, DQL searches all fields.
Refer to Working With the Log Analyzer for details on how to change the default fields.
There is a second language available. If you click DQL and disable the option OpenSearch Dashboards Query Language, you can switch to Lucene.

Reserved Characters in Lucene
In Lucene, hyphens are reserved characters.
If your search term contains hyphens, DQL prompts you to switch to Lucene syntax. To avoid this, surround your search term with quotation marks in a phrase search or omit the hyphen in a regular search.
The following table illustrates the differences between DQL and Lucene:
DQL and Lucene | DQL | Lucene |
---|---|---|
|
|
|
Tips for Search Queries
Searching for Terms
To search for a phrase (an ordered sequence of words), surround your text with quotation marks:
"dev stack timeout reached"
If you only want to find log entries if all search terms match, place an AND between the terms:
Ticketcreation AND calling AND onUnhandledError
Searching in Fields
You can search for text in a particular field. Specify the field name before the colon to do so:
log.severity: Error
// Also possible:
log.severity:Error
DQL ignores white space characters. Use wildcards (DQL only supports *) to refer to field names containing spaces.
The field prefix refers only to the term that follows the colon:
message: Ticketcreation OR OrderApproval
// This query returns results where the content in field "message" contains the term "Ticketcreation" and results that contain the term "OrderApproval" in any field
If you want to get results in which one field contains either one search term or the other, group the terms in parentheses:
message: (Ticketcreation OR OrderApproval)
// This query returns results where the content in field "message" contains the term "Ticketcreation" or the term "OrderApproval"; an equivalent of this query is
message:Ticketcreation OR message:OrderApproval
Boolean Operators
The Boolean operators and, or and not are supported by DQL:
error OR onUnhandledError
DQL is not case sensitive, e.g. OR and or are the same.
Multiple grouping levels are possible:
message: ((error OR onUnhandledError) AND NOT arrow_Relation)
You can search for “not equal” by using not and the field name:
not service: ticketsystem
// This query returns results where the content in field "service" is not "ticketsystem", but also results where field "service" is empty or not present
service:* and not service:ticketsystem
// This query returns results where the content in field "service" is not "ticketsystem", but contains other content
Wildcards
DQL supports wildcards (only * is supported) in search terms and field names:
message: create*
m*ss*: cre*
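When a script builds DQL queries from values it does not control (for example, an ID copied from an alert), the reserved characters, hyphens and Boolean operators described above must be neutralized so that the value stays a single search term. The following is an added example, not part of the Scheer PAS documentation; all function names are hypothetical, and the escaping rule inside quotation marks and the field-name pattern are assumptions.

```python
import re

# Reserved characters as listed on this page: \ ( ) : < > " *
RESERVED = re.compile(r'([\\():<>"*])')
# Boolean operators; DQL treats them case-insensitively.
OPERATORS = {"and", "or", "not"}
# Assumption: field names are plain dotted identifiers such as log.severity.
FIELD_NAME = re.compile(r"[A-Za-z0-9_.]+")


def dql_term(value: str) -> str:
    """Render one untrusted value as a single literal DQL search term."""
    if not value:
        raise ValueError("empty search term")
    as_phrase = (
        any(ch.isspace() for ch in value)   # several words: phrase search
        or "-" in value                     # hyphens: quote, as the page advises
        or value.lower() in OPERATORS       # a bare "or" would act as an operator
    )
    if as_phrase:
        # Assumption: inside quotation marks only \ and " need a backslash.
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return RESERVED.sub(r"\\\1", value)


def _field(name: str) -> str:
    if not FIELD_NAME.fullmatch(name):
        raise ValueError(f"unexpected field name: {name!r}")
    return name


def field_any(field: str, values: list[str]) -> str:
    """field: (a OR b), grouped so the field prefix covers every term."""
    if not values:
        raise ValueError("no search terms")
    return f"{_field(field)}: ({' OR '.join(dql_term(v) for v in values)})"


def field_present_but_not(field: str, value: str) -> str:
    """Field exists and differs from value; excludes empty or missing fields."""
    name = _field(field)
    return f"{name}:* and not {name}:{dql_term(value)}"


if __name__ == "__main__":
    # Constructed inputs; the second one tries to widen the query.
    print(field_any("message", ["Ticketcreation", "x) OR service:*"]))
    print(field_present_but_not("service", "ticket-system"))
```

The second constructed value ends up as one quoted phrase inside the parentheses, so its `OR service:*` is searched as text instead of being evaluated as part of the query.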