
Explore Your Data

Overview

Exploring your log data should be fun and fast! We've made it easy to:

  • Query billions of events in seconds, with powerful operators, including regexp matching
  • See histogram graphs of matching events, with dynamic instant zoom
  • Explore event data efficiently, even in large result sets with billions of matching events
  • Quickly find the broader context around a particular log event (e.g., unfiltered logs around an error event)
  • Explore custom fields by frequency, and easily filter over them
  • Understand the frequency and shape of the common types of matching events (e.g., what are my most common errors?)
  • Analyze patterns of values for any custom field in events matching your query (e.g., what is the histogram of http status codes?)

To get started, click the Explore Data sidebar button:
Configure Sidebar Button

The query bar is at the top, with options to quickly select the desired time range, severity filter, and organization scope.

Each query you perform creates a new history point in your browser navigation, so you can use back/forward to quickly navigate as you explore your log data.

Interactive histogram

The histogram helps you quickly see patterns in query results, including the worst-severity event in each time bucket, shown by the colored indicator at the top of that bucket. You can use the mouse wheel or pinch to zoom in on the histogram to see more detail for a particular section of time.

The histogram also shows which events are currently loaded into memory in the detail view (dark blue area) and which events are currently shown on the screen (light yellow area). Tap/click on the histogram to view matching log events for a desired point in time. You can also long press/tap to begin selecting a window of time to zoom into.

Field list pane

The bottom left area shows a pane with a list of fields, including standard fields, custom fields, and any auto-extracted fields (these fields will start with x.). The field type and an estimate of the field frequency are also shown. For example:

fields pane

You can tap/click any field to copy an LQL expression template to easily filter over that field. For any custom field it will automatically append the proper field type suffix to avoid ambiguities in referring to the field.

Event grid

The bottom area is the event grid displaying events matching the current query. Use the keyboard (arrow keys, home/end), mouse wheel, or gestures to navigate.

The event results grid is dynamic and will load earlier or later events (if available) as you scroll through the result set. It will keep thousands of events loaded into memory around your current exploration point for fast browsing of log data.

By default the event grid shows a single line per log event. You can show multi-line log events (up to 50 lines) using the button:
button to toggle event line spacing

Event details pane

An event details pane is on the bottom right to explore the values of all standard and custom fields associated with any given event.

You can double tap an event to show or hide the full details for that event, with all custom fields. You can also show or hide event details using the button:
button to show or hide event details

Use the detailed event view to search for unfiltered context surrounding the event using the button:
button to search surrounding context

You can also use the copy button to copy all event details to the clipboard. Long press (or right click) the copy button to show additional format options.

Pattern analysis

The Patterns tab in the results area is a powerful feature that calculates histograms over any custom field.
Patterns analysis tab

AutoClassify populates the pattern field so that you can do an analysis to understand which log patterns are the most common. For example, you could filter to show only error events, and then do a pattern analysis to see which errors are the most common.

You can also choose to do generic pattern analysis over any field by using the button:
button to select pattern analysis field

For example, you could analyze the percentage of events by severity:

As another example, you could do a pattern analysis over the x.http.response.status field to understand the frequency of different HTTP response codes for events matching a certain condition (e.g., for a particular API endpoint by filtering on x.http.request.url).