Legacy Log Search

Use this topic to learn more about features that are available in Original Log Search only. The features listed here are not currently available in New Log Search.

A visual search allows you to gain visibility into your log data without having to perform any configuration. With a visual search, you can quickly find information in your logs, visualize large amounts of data over a wide time range, filter your data, and take action on important events. You can also add new visualizations and configure them to fit your needs.

Get started

A visual search automatically parses your log data and selects the two most frequently occurring keys in the selected logs. InsightIDR generates visualizations based on these keys and displays them on the Visualizations tab.

Add new visualizations

You can add a new visualization of your selected logs from the Visualizations tab.

To add a visualization:

  1. Click the Add Card dropdown.
  2. Enter a key to visualize.
  3. Select a graph type.
  4. To save your visualization, click Add Card again.

Configure your visualizations

You can configure the name, calculation, and chart type of visualizations displayed in the Visualizations tab.

To configure a visualization:

  • Click the Settings button for the visualization you want to edit.

Interact with your visualizations

Visualizations are interactive, which means you can update your query by selecting a data point on any of your cards to filter the search results. Cards automatically update based on how they relate to your selection.

You can use a loose search to find partial and case-insensitive matches in query results.

A loose search can be useful if you don’t know the full keyword you want to match, or aren’t sure about the case of the keyword you’re looking for.

For example, if you are searching for the term admin without using a loose search, you could search for this keyword in a few different ways:

  • Match the complete word and its case exactly as they appear in the log entry.
  • Use the regular expression where(/admin/i) to find case-insensitive and partial matches.
  • Use where(user = /.*admin.*/i) for case-insensitive and partial matching against a specific field.

A loose search allows you to write a query and click a button for easier log searching.

  1. Enter your query in the search bar.
  2. While in Simple mode or using a visual search, select the Case insensitive & partial matching checkbox in the top right.

If you prefer to search in Advanced mode, add loose after the search parameters in the where() clause. For example, where(user = admin, loose).
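
The three ways of matching described above can be compared offline. The following is an added example, not InsightIDR code: it approximates the exact, loose field, and where(/admin/i) behaviours with Python regular expressions, and the sample entries and function names are constructed for illustration.

```python
import re

# Constructed sample entries in key=value form (not real log data).
SAMPLE_LOGS = [
    'action=login user=admin result=success',
    'action=login user=Admin result=failed',
    'action=login user=sysadmin01 result=failed',
    'action=login user=ADMINISTRATOR result=success',
    'action=login user=jsmith result=failed note="admin console"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split a key=value line into a dict, dropping quotes around values."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def exact_field(line, key, term):
    """Approximates where(user = admin): complete word, same case."""
    return parse(line).get(key) == term


def loose_field(line, key, term):
    """Approximates where(user = admin, loose), i.e. where(user = /.*admin.*/i)."""
    return re.search(re.escape(term), parse(line).get(key, ""), re.I) is not None


def loose_anywhere(line, term):
    """Approximates where(/admin/i): partial, case-insensitive, any position."""
    return re.search(re.escape(term), line, re.I) is not None


def matching_indexes(predicate, *args):
    """Return the indexes of SAMPLE_LOGS entries accepted by the predicate."""
    return [i for i, line in enumerate(SAMPLE_LOGS) if predicate(line, *args)]


if __name__ == "__main__":
    print("exact field   :", matching_indexes(exact_field, "user", "admin"))
    print("loose field   :", matching_indexes(loose_field, "user", "admin"))
    print("loose anywhere:", matching_indexes(loose_anywhere, "admin"))
```

The loose field match also returns sysadmin01 and ADMINISTRATOR, and the entry-wide match additionally returns the jsmith entry because of its note value, so review what a loose query actually returns before relying on it to isolate one account.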

Entry inspector

Using log search, you can progressively narrow down your log data until you discover the precise information you need to take action. The entry inspector allows you to granularly analyze a single log entry and build queries from it. You can see a preview of a query’s results and filter your log data without typing a query.

From a specific log entry, you can drill down into the keys and values for the entry, and apply actions to it, such as:

  • Analyzing and previewing results
  • Searching for and excluding data from your results
  • Creating log pattern detection rules

The primary benefit of the entry inspector is that you can drill into the details of a log entry without modifying your initial log query. The initial log query persists until you update it. You can visualize your log data and find values that you want to search or exclude from your results. Ultimately, the entry inspector makes it easy for you to narrow down your data.

To access the entry inspector:

  • Click the Info icon next to the log entry.

The highlighted line appears in a panel where you can view the individual fields in the entry.

Preview queries with the entry inspector

After you select a log entry, you can use analytic functions for each key-value pair to take actions such as previewing results or adding items to a query. For example, you can use analytic functions to preview the values logged across multiple login attempts.

To access preview analytic functions, go to the Actions dropdown and choose Preview from the Group by this key option.

A bar chart appears and shows you the results for the key name or value.

Search your data with the entry inspector

After you preview your query results, you can add or exclude values to filter your logs to a specific set of data. For example, you might be interested in only invalid logins, so you can leverage the search actions for that specific value.

Use the Add this value to your query action to add a value to your search filter.

Additionally, if there is information you don’t want to include, such as valid logins, you can exclude it from the query. Use the Exclude this value from your query action to exclude a specific value from the search filter.

Run a search from the entry inspector

After you’ve built a new search filter, the Run search button becomes active. You can run the search to filter your log entries with the new query.

Log search shows you the results from your new query.

You can also copy the raw log to your clipboard or generate a shareable link to easily share the entry inspector data with your team.

Create a Log Pattern Detection Rule

From the entry inspector, you can also create a Log Pattern Detection Rule for a key-value pair. Use the Create pattern alert action to create a Log Pattern Detection Rule.

You can create a Log Pattern Detection Rule to let you know when a log matches an exact pattern. This is helpful when you need to monitor events that are important to you, such as server errors, critical exceptions, and general performance issues.

Delete logs and log sets

Depending on your user permissions, you can permanently delete logs and log sets. However, there might be some restrictions or prerequisites to consider.

If a log is associated with an active event source, collector, or network sensor, you must first delete that corresponding entity from either the Data Collection or Sensor Management screens.

If you do not have permissions, you might need to ask your administrator to delete the event source, collector, or network sensor before you can delete the log or log set.

Restrictions on deleting log sets

A log set can't be deleted if it's generated by a collector-based source. Only log sets that are directly sent to Log Search can be deleted.

To delete logs and log sets:

  1. In Log Search, from the list of logs or log sets, identify the item to delete, hover your cursor over it, and click the ellipsis that appears.
  2. From the dropdown menu, click Delete Log or Delete Log Set.

Data will be permanently deleted

This action permanently deletes the log or log set and its data. If you need to retain the log data for security, investigation, or compliance purposes, carefully consider whether it should be deleted.