- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
During an incident investigation, you might need to run complex queries, such as combining attributes from multiple log sources or transforming log data, to analyze your logs. Use Log Workspaces to run queries to:
You can create a workspace from the Workspaces page or from the Log Explorer.
On the Log Workspaces page:
In the Log Explorer:
In addition to the default columns, you can add your own columns to your workspace:
You can add the following cells to:
Cells that depend on other cells are automatically updated when one of the cells it depends on is changed.
At the bottom of your workspace, click any of the cell tiles to add it to your workspace. After adding a cell, you can click the dataset on the left side of your workspace page to go directly to that cell.
You can add a logs query or a reference table as a data source.
select only timestamp, customer id, transaction id from the transaction logs
.Add the Visualization cell to display your data as a:
status:error
. If you are using an analysis cell as your data source, you can also filter the data in SQL first.Click the Transformation tile to add a cell for filtering, aggregating, and extracting data.
The following is an example dataset:
timestamp | host | message |
---|---|---|
May 29 11:09:28.000 | shopist.internal | Submitted order for customer 21392 |
May 29 10:59:29.000 | shopist.internal | Submitted order for customer 38554 |
May 29 10:58:54.000 | shopist.internal | Submitted order for customer 32200 |
Use the following grok syntax to extract the customer ID from the message and add it to a new column called customer_id
:
Submitted order for customer %{notSpace:customer_id}`
This is the resulting dataset in the transformation cell after the extraction:
timestamp | host | message | customer_id |
---|---|---|---|
May 29 11:09:28.000 | shopist.internal | Submitted order for customer 21392 | 21392 |
May 29 10:59:29.000 | shopist.internal | Submitted order for customer 38554 | 38554 |
May 29 10:58:54.000 | shopist.internal | Submitted order for customer 32200 | 32200 |
Click the Text cell to add a markdown cell so you can add information and notes.
This example workspace has:
Three data sources:
trade_start_logs
trade_execution_logs
trading_platform_users
Three derived datasets, which are the results of data that has been transformed from filtering, grouping, or querying using SQL:
parsed_execution_logs
transaction_record
transaction_record_with_names
One treemap visualization.
This diagram shows the different transformation and analysis cells the data sources go through.
The example starts off with two logs data sources:
trade_start_logs
trade_execution_logs
The next cell in the workspace is the transform cell parsed_execution_logs
. It uses the following grok parsing syntax to extract the transaction ID from the message
column of the trade_execution_logs
dataset and adds the transaction ID to a new column called transaction_id
.
transaction %{notSpace:transaction_id}
An example of the resulting parsed_execution_logs
dataset:
timestamp | host | message | transaction_id |
---|---|---|---|
May 29 11:09:28.000 | shopist.internal | Executing trade for transaction 56519 | 56519 |
May 29 10:59:29.000 | shopist.internal | Executing trade for transaction 23269 | 23269 |
May 29 10:58:54.000 | shopist.internal | Executing trade for transaction 96870 | 96870 |
May 31 12:20:01.152 | shopist.internal | Executing trade for transaction 80207 | 80207 |
The analysis cell transaction_record
uses the following SQL command to select specific columns from the trade_start_logs
dataset and the trade_execution_logs
, renames the status INFO
to OK
, and then joins the two datasets.
SELECT
start_logs.timestamp,
start_logs.customer_id,
start_logs.transaction_id,
start_logs.dollar_value,
CASE
WHEN executed_logs.status = 'INFO' THEN 'OK'
ELSE executed_logs.status
END AS status
FROM
trade_start_logs AS start_logs
JOIN
trade_execution_logs AS executed_logs
ON
start_logs.transaction_id = executed_logs.transaction_id;
An example of the resulting transaction_record
dataset:
timestamp | customer_id | transaction_id | dollar_value | status |
---|---|---|---|---|
May 29 11:09:28.000 | 92446 | 085cc56c-a54f | 838.32 | OK |
May 29 10:59:29.000 | 78037 | b1fad476-fd4f | 479.96 | OK |
May 29 10:58:54.000 | 47694 | cb23d1a7-c0cb | 703.71 | OK |
May 31 12:20:01.152 | 80207 | 2c75b835-4194 | 386.21 | ERROR |
Then the reference table trading_platform_users
is added as a data source:
customer_name | customer_id | account_status |
---|---|---|
Meghan Key | 92446 | verified |
Anthony Gill | 78037 | verified |
Tanya Mejia | 47694 | verified |
Michael Kaiser | 80207 | fraudulent |
The analysis cell transaction_record_with_names
runs the following SQL command to take the customer name and account status from trading_platform_users
, appending it as columns, and then joins it with the transaction_records
dataset:
SELECT tr.timestamp, tr.customer_id, tpu.customer_name, tpu.account_status, tr.transaction_id, tr.dollar_value, tr.status
FROM transaction_record AS tr
LEFT JOIN trading_platform_users AS tpu ON tr.customer_id = tpu.customer_id;
An example of the resulting transaction_record_with_names
dataset:
timestamp | customer_id | customer_name | account_status | transaction_id | dollar_value | status |
---|---|---|---|---|---|---|
May 29 11:09:28.000 | 92446 | Meghan Key | verified | 085cc56c-a54f | 838.32 | OK |
May 29 10:59:29.000 | 78037 | Anthony Gill | verified | b1fad476-fd4f | 479.96 | OK |
May 29 10:58:54.000 | 47694 | Tanya Mejia | verified | cb23d1a7-c0cb | 703.71 | OK |
May 31 12:20:01.152 | 80207 | Michael Kaiser | fraudulent | 2c75b835-4194 | 386.21 | ERROR |
Finally, a treemap visualization cell is created with the transaction_record_with_names
dataset filtered for status:error
logs and grouped by dollar_value
, account_status
, and customer_name
.
추가 유용한 문서, 링크 및 기사: