Grouping Logs Into Patterns

Overview

When aggregating indexed logs by Patterns, logs that have a message with similar structures are grouped altogether. Optionally, select one to three faceted fields to pre-aggregate your logs into groups before patterns are detected within these groupings.

The Patterns view is helpful for detecting and filtering noisy error patterns that could cause you to miss other issues. The pattern detection is based on 10,000 log samples. Refine your search to see patterns limited to a specific subset of logs.

Patterns support the List visualization. Clicking a pattern in the list opens the pattern side panel from which you can:

• Access a sample of logs from that pattern
• Append the search filter to scope it down to logs from this pattern only
• Get a kickstart for a grok parsing rule to extract structured information logs of that pattern

Pattern Inspector

Use the Pattern Inspector to get a visual breakdown of the underlying values of a log pattern’s aggregation based on your search query.

For example, if you are investigating an issue, you could see how many hosts are involved or what regions or data centers are impacted.

1. Navigate to the Log Explorer.
2. Click Patterns in the Group into section. In the list of patterns, the aggregate values in the message section are highlighted in yellow. Hover over an aggregate value to get a preview of the visual distribution of its values.
3. Click on an aggregate value to open the log pattern’s side panel and see more details in the Pattern Inspector tab.

Further reading

Additional helpful documentation, links, and articles:

Learn about the Log ExplorerDOCUMENTATION Learn how to analyze your logsDOCUMENTATION