LogReduce can now be used with the timeslice operator, which lets you visualize how the signatures that LogReduce detects change over time:
_sourceCategory=your/category/here "error"
| timeslice by 1h
| LogReduce by _timeslice
| transpose row _timeslice column signature
Below, we can see that the top errors in our checkout service spike at 11pm, while each error type's share of the total remains relatively stable:
LogReduce can also be applied to a specific field in a message, which works well for highly structured data like JSON. For example, if you want to analyze why an application error is occurring, you can LogReduce the message field of that JSON log:
_sourceCategory=your/category/here "error"
| json field=_raw "message" as msg
| LogReduce(msg)
You can also LogReduce the specific field by timeslice:
_sourceCategory=your/category/here "error"
| json field=_raw "message" as msg
| timeslice by 1h
| LogReduce(msg) by _timeslice
| transpose row _timeslice column signature
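The following Python sketch is an added example, not Sumo Logic code and not from the original page. It reproduces offline what the timesliced field query above computes, using constructed JSON logs. The digit-masking `signature` function is a simplified stand-in for LogReduce's clustering, and the `ts` field name is an assumption.

```python
import json
import re
from collections import Counter, defaultdict
from datetime import datetime

def _log(ts, msg):
    return json.dumps({"ts": ts, "message": msg})

# Constructed sample logs; the "ts" field name is an assumption.
SAMPLE_LOGS = [
    _log("2024-05-01T22:05:11", "error: payment 4411 declined for user 17"),
    _log("2024-05-01T22:17:40", "error: payment 4420 declined for user 52"),
    _log("2024-05-01T22:48:02", "error: timeout after 300 ms calling inventory"),
    _log("2024-05-01T23:01:15", "error: payment 4501 declined for user 8"),
    _log("2024-05-01T23:09:33", "error: payment 4502 declined for user 91"),
    _log("2024-05-01T23:20:27", "error: timeout after 300 ms calling inventory"),
    _log("2024-05-01T23:31:09", "error: payment 4519 declined for user 17"),
    _log("2024-05-01T23:44:51", "error: timeout after 450 ms calling inventory"),
    _log("2024-05-01T23:58:03", "error: payment 4533 declined for user 64"),
]

def signature(msg):
    # Stand-in for LogReduce clustering: mask digit runs so messages
    # that differ only in IDs or durations share one signature.
    return re.sub(r"\d+", "*", msg)

def reduce_by_timeslice(lines, field="message"):
    # Mirrors: json field ... | timeslice by 1h | LogReduce(msg) by _timeslice
    table = defaultdict(Counter)
    for line in lines:
        rec = json.loads(line)
        if field not in rec:
            continue  # skip records without the target field
        hour = datetime.fromisoformat(rec["ts"]).replace(minute=0, second=0)
        table[hour][signature(rec[field])] += 1
    return dict(table)

def transpose(table):
    # Rows are timeslices, columns are signatures; absent cells are 0.
    cols = sorted({sig for counts in table.values() for sig in counts})
    return cols, [(ts, [table[ts][c] for c in cols]) for ts in sorted(table)]

def shares(table):
    # Percentage of each signature within its own timeslice.
    return {ts: {sig: round(100 * n / sum(counts.values()), 1)
                 for sig, n in counts.items()}
            for ts, counts in table.items()}
```

On the sample data the 23:00 slice doubles every count while the shares stay at 66.7% and 33.3%, which is the pattern to look for when a spike is a volume change rather than a new kind of error.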