Using log search, you can progressively narrow down your log data until you discover the precise information you need to take action. Entry Inspector is a feature within log search that allows you to granularly analyze a single log entry and build search queries from it. You can easily see a preview of a queries’ results and filter your log data without typing a query.
From a specific log entry, you can drill down into the keys and values for the entry, and apply actions to it, such as:
- Analyzing and previewing results
- Searching for and excluding data from your results
- Creating pattern alerts
The primary benefit of Entry Inspector is that you can drill into the details of a log entry without modifying your initial log query. The initial log query persists until you update it. You can easily visualize your log data and find values that you want to search or exclude from your results. Ultimately, Entry Inspector makes it easy for you to narrow down your data.
Access Entry Inspector
To access Entry Inspector, click the Info icon next to the log entry.
The highlighted line appears in a panel and you can easily view the individual fields in the entry.
Preview Queries with Entry Inspector
After you select a log entry, you can use analytic functions for each key and value pair in a log entry to do things like preview results or add items to a query. For example, you can use analytic functions to preview a breakdown the different values logged across multiple login attempts.
To access preview analytic functions, go to the Actions dropdown and choose Preview from the Group by this key option.
A bar chart appears and shows you a breakdown of the results for the key name or value.
Search Your Data with Entry Inspector
After you preview your query results, you can add or exclude values to filter your log data down to show a specific set of data. For example, you may only be interested in invalid logins, so you can leverage the search actions for that specific value.
Use the Add this value to your query action to add a value to your search filter.
Additionally, if there is information you don’t want to include, such as valid logins, you can exclude it from the query. Use the Exclude this value from your query action to exclude a specific value from the search filter.
Run a Search from Entry Inspector
After you’ve built a new search filter, the Run search button becomes active. You can run the search to filter your log entries with the new query.
The log search will show you the results from your new query.
Create a Pattern Alert
From the Entry Inspector, you can also create a pattern alert Pattern Detection Alerts for a key value. Choosing this action from the Actions menu in Entry Inspector opens the Pattern Detection Alert configuration window.
You can create a pattern alert to let you know when a log matches an exact pattern. This is helpful when you need to monitor events that are important to you, like server errors, critical exceptions, and general performance issues.