
Log Analytics

Overview

Log Analytics extends the log search page with log aggregation and split capabilities for troubleshooting and monitoring. You can access the analytics page from any log explorer view by clicking the “Analytics” icon next to the search query bar.

You can control:

  • the query that filters the set of logs to analyze
  • the dimensions over which to split data
  • the visualization method for aggregates and splits

From an analytics visualization, you can, additionally:

  • create a widget in a dashboard out of that visualization
  • create a monitor out of that query
  • deep dive into subsets of the log list, depending on the interactions that the visualization enables

Save a log analytics view with the “Save As” button. You can load your teammates’ saved views from the “Saved Views” tab.

Build an analytics query

Use the query to control what’s displayed in your Log Analytics:

  1. Choose a Measure or Facet to graph. Measure lets you choose the aggregation function whereas Facet displays the unique count.

  2. Select the aggregation function for the Measure you want to graph.

  3. Use Tag or Facet to split your graph.

  4. Choose to display either the X top or bottom values according to the selected measure.

  5. Choose the Timesteps for the graph. Changing the global timeframe changes the list of available Timesteps values.

Visualizations

Select a Log Analytics visualization type using the graph selector.

Available visualizations:

Timeseries

Visualize the evolution of a single measure (or the unique count of a facet’s values) over a selected time frame, optionally split by an available facet.

You have additional display options for timeseries:

  • whether you display lines, bars, or areas
  • data stacking option, by value, or by percentage
  • color set

Noteworthy facts about stacking:

  • Stacking is available only for query requests with a split.
  • Stacking options are for bar and area displays only. Line displays are always overlapping.
  • When you use a toplist option that hides part of your data, stacking does not show the total overall; rather, it shows only the subtotal for the top/bottom series.
  • Stacking may not make sense when you have non-unique values in the split facet.
  • Stacking may not make sense for some aggregation methods for measures.

The following timeseries Log Analytics shows the evolution of the top 5 URL Paths according to the number of unique Client IPs over the last month.

Top List

Visualize the top values from a facet according to the chosen measure.

The following Top List Log Analytics shows the top 5 URL Paths according to the number of unique Client IPs over the last month.

Table

Visualize the top values from a facet according to a chosen measure (the first measure you choose in the list), and display the value of additional measures for the elements appearing in this top. Update the search query or drill through the logs corresponding to either dimension.

The following Table Log Analytics shows the top Status Codes according to their Throughput, along with the number of unique Client IPs, over the last 15 minutes.

Select or click on a section of the graph either to zoom in or to see the list of logs corresponding to your selection.

How aggregations work behind the scenes

Datadog computes an aggregation (whether it is a mean, a sum, a percentile, etc.) by using the set of logs included in the targeted time frame.

Let’s illustrate this on a fictional bar timeline where each bar represents a time interval. In this example, Datadog creates one aggregation per time interval over the entire set of logs. Note that log events are not necessarily uniformly distributed over time, so each aggregation does not necessarily cover the same number of logs.

In the following example, each dot represents one log event. The X-axis is the timestamp of the log, and the Y-axis is the value of a duration attribute carried by the logs. The timeseries displays a maximum aggregation. Datadog displays a timeline with a rollup parameter; for example, there are 4 bars for the whole time frame.
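As an added illustration (this is not Datadog’s code and does not reproduce its implementation), the following Python models the behaviour described under “Build an analytics query” and in this section: a filter over the log set, a split facet, a measure with a selectable aggregation function, a top/bottom list, a table ranked by its first column, and a rollup timeseries where each interval is aggregated from only the logs that fall into it. The log events, facet names and the four-minute time frame are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from math import ceil

T0 = datetime(2019, 7, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample log events (not real Datadog data). Each log carries the
# facets `path`, `client_ip`, `status` and the numeric measure `duration_ms`.
# Events are deliberately not uniform in time: nothing happens between 120s and 180s.
LOGS = [
    {"ts": T0 + timedelta(seconds=s), "path": p, "client_ip": ip, "status": st, "duration_ms": d}
    for s, p, ip, st, d in [
        (5,   "/login", "10.0.0.1", 200, 120),
        (9,   "/login", "10.0.0.2", 401,  80),
        (14,  "/api",   "10.0.0.1", 200, 300),
        (70,  "/login", "10.0.0.3", 401,  95),
        (75,  "/login", "10.0.0.3", 401,  90),
        (80,  "/api",   "10.0.0.1", 500, 900),
        (200, "/admin", "10.0.0.9", 403,  40),
        (210, "/api",   "10.0.0.9", 200, 210),
        (220, "/admin", "10.0.0.9", 200,  50),
    ]
]

# Time frame and rollup step for the timeseries example (constructed values).
FRAME_START, FRAME_END = T0, T0 + timedelta(minutes=4)
TIMESTEP = timedelta(minutes=1)

# Aggregation functions selectable for a Measure; "unique" is what choosing a
# Facet displays (the count of distinct values).
AGGREGATIONS = {
    "count":  lambda vals: len(vals),
    "unique": lambda vals: len(set(vals)),
    "sum":    lambda vals: sum(vals),
    "avg":    lambda vals: sum(vals) / len(vals) if vals else None,
    "max":    lambda vals: max(vals) if vals else None,
    "min":    lambda vals: min(vals) if vals else None,
}


def filter_logs(logs, predicate):
    """The search query: keep only the logs the predicate accepts."""
    return [log for log in logs if predicate(log)]


def aggregate(logs, field, agg):
    """Apply one aggregation function to one field over a set of logs."""
    return AGGREGATIONS[agg]([log[field] for log in logs])


def split_by(logs, facet):
    """Group logs by the value of the split facet, preserving first-seen order."""
    groups = defaultdict(list)
    for log in logs:
        groups[log[facet]].append(log)
    return groups


def top_list(logs, split_facet, field, agg, limit=5, bottom=False):
    """Top List: split by a facet, aggregate each group, keep the top (or bottom) N."""
    scored = [(value, aggregate(group, field, agg)) for value, group in split_by(logs, split_facet).items()]
    scored.sort(key=lambda kv: kv[1], reverse=not bottom)  # stable: ties keep first-seen order
    return scored[:limit]


def table(logs, split_facet, columns, limit=5):
    """Table: rows are ranked by the first (field, agg) column; the other columns
    are displayed for the same rows but do not influence the ranking."""
    rows = [(value, [aggregate(group, f, a) for f, a in columns])
            for value, group in split_by(logs, split_facet).items()]
    rows.sort(key=lambda row: row[1][0], reverse=True)
    return rows[:limit]


def rollup_timeseries(logs, start, end, timestep, field, agg):
    """Timeseries: cut [start, end) into fixed-width intervals (the rollup) and
    aggregate each interval from only the logs inside it. Returns one
    (bucket_start, number_of_logs, aggregated_value) triple per interval; an
    empty interval yields a count of 0 and a value of None."""
    n_buckets = ceil((end - start) / timestep)
    buckets = [[] for _ in range(n_buckets)]
    for log in logs:
        if start <= log["ts"] < end:
            buckets[(log["ts"] - start) // timestep].append(log)
    return [(start + i * timestep, len(b), aggregate(b, field, agg)) for i, b in enumerate(buckets)]


def failed_logins_by_ip(logs, limit=5):
    """A monitoring-oriented query: filter to HTTP 401 logs, split by client IP,
    rank by count. This is the kind of top list one would turn into a monitor."""
    return top_list(filter_logs(logs, lambda log: log["status"] == 401),
                    "client_ip", "client_ip", "count", limit=limit)


if __name__ == "__main__":
    print(top_list(LOGS, "path", "client_ip", "unique"))
    print(table(LOGS, "status", [("status", "count"), ("client_ip", "unique")]))
    for bucket_start, n, value in rollup_timeseries(LOGS, FRAME_START, FRAME_END, TIMESTEP, "duration_ms", "max"):
        print(bucket_start.time(), n, value)
    print(failed_logins_by_ip(LOGS))
```

With the constructed data the four rollup bars contain 3, 3, 0 and 3 logs, which is the point made above: every bar is its own aggregation over whatever logs landed in that interval, so a bar can be empty while its neighbours are not, and a percentile or average on a sparse bar is computed from very few events.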


Further Reading