Log Details¶

In the log list, click the expand icon on the left side of a single log to slide out the details page for that log. You can view detailed information about the log, including the time it was generated, host, source, service, content, extended fields, context, and more.

View Complete Log¶

When logs are reported to TrueWatch, if a single log data exceeds 1M, the system will split it into multiple logs according to the 1M standard. For example, a 2.5M log will be split into 3 logs, 1M, 1M, and 0.5M respectively. The completeness of the split logs can be viewed through the following fields:

Field	Type	Description
`__truncated_id`	string	Represents the unique identifier of the log. Multiple logs split from the same original log share the same `__truncated_id`, with the prefix LT_xxx.
`__truncated_count`	number	Represents the total number of logs after splitting.
`__truncated_number`	number	Represents the split order of the log, starting from 0, where 0 indicates the first piece of the log.

On the log details page, if the current log has been split into multiple pieces, a View Complete Log button will appear in the upper right corner. Clicking this button will open a new page listing all related logs in their split order. The page will also highlight the log selected before the jump with color for quick location of upstream and downstream logs.

TOBY AI AI Error Analysis¶

TrueWatch provides the capability to analyze error logs with one click. It leverages large language models to automatically extract key information from logs, combines online search engines and operational knowledge bases to quickly analyze potential fault causes and provide preliminary solutions.

Filter all logs with status error.
Click on a single data entry to expand its details page.
Click TOBY AI AI Error Analysis in the upper right corner.
You can then start the anomaly analysis.

Error Details¶

If the current log contains error_stack or error_message field information, the system will provide you with error details related to that log.

To view more log error information, you can go to Log Error Tracing.

Attribute Fields¶

Click on attribute fields for quick filtering and viewing. You can view host, process, trace, and container data related to the log.

Field	Description
Filter Field Value	Add this field to the log explorer to view all log data related to this field.
Exclude Field Value	Add this field to the log explorer to view other related log data except for this field value.
Add to Display Columns	Add this field to the explorer list for viewing.
Copy	Copy this field to the clipboard.
View Related Containers	View all containers related to this host.
View Related Processes	View all processes related to this host.
View Related Traces	View all traces related to this host.
View Related Inspection Data	View all inspection data related to this host.

Log Content¶

The log content automatically switches between JSON and text viewing modes based on the message type. If the message field does not exist in the log, the log content section is not displayed. The log content supports expand and collapse, defaulting to expanded state. When collapsed, only one line height is displayed.
For logs with source:bpf_net_l4_log, JSON and packet viewing modes are automatically provided. The packet mode displays client, server, time, and other information, and supports switching between absolute and relative time display, defaulting to absolute time. The switched configuration is saved in the local browser.

JSON Search¶

In JSON-formatted logs, JSON search can be performed on both key and value. After clicking, the explorer search bar will add the format @key:value for searching.

For multi-level JSON data, use . to represent the hierarchical relationship. For example, @key1.key2:value means searching for the value corresponding to key2 under key1.

For more details, refer to JSON Search.

Extended Fields¶

In the search bar, you can enter field names or values for quick search and location.
After checking the field alias, you can view it after the field name.

Hover over an extended field, click the dropdown icon, and you can choose to perform the following operations on that field:
- Filter Field Value
- Exclude Field Value
- Add to Display Columns
- Perform Dimensional Analysis: Click to jump to Analysis Mode > Time Series Chart.
- Copy

Note

If you choose to add a field to the display columns, an icon identifier will appear in the list for easy distinction.

Context Logs¶

The context query function of the log service helps you trace related records before and after an abnormal log occurred through a timeline, quickly locating the root cause of the problem.

On the log details page, you can directly view the context logs of this data entry.
The left dropdown allows you to select an index to filter corresponding data.
Data sorting.
Directly jump to a new page of the log explorer based on the current details page.
Display Item Configuration.
Settings.

Supplementary Understanding of Related Logic

According to the returned data, 50 pieces of data are loaded each time upon scrolling.

How is the returned data queried?

Prerequisite: Does the log have the log_read_lines field? If it exists, follow logic a; if not, follow logic b.

a. Get the log_read_lines value of the current log, and apply the filter log_read_lines >= {{log_read_lines.value-30}} and log_read_lines <= {{log_read_lines.value +30}}.

DQL Example: Current log line number = 1354170.

Then:

L::RE(`.*`):(`message`) { `index` = 'default' and `host` = "ip-172-31-204-89.cn-northwest-1" AND `source` = "kodo-log" AND `service` = "kodo-inner" AND `filename` = "0.log" and `log_read_lines` >= 1354140 and `log_read_lines` <= 1354200}  sorder by log_read_lines

b. Get the current log time, and derive the query start and end times by moving forward/backward.

Start Time: 5 minutes before the current log time.
End Time: Take the time of the 50th log after moving forward 50 logs from the current log (·). If time = current log time, then use time+1 microsecond as the end time. If time ≠ current log time, then use time as the end time.

Log Context Page¶

Click to jump to the log context page. You can manage all current data through the following operations:

Enter text in the search box to search and locate data.
Click the button on the side to switch the system's default auto-wrap to content overflow mode. In this mode, each log is displayed as a single line, and you can scroll left and right as needed.
Directly locate to the current log.
Go to top/bottom.
Load 100 logs up/down.

Correlation Analysis¶

The system supports correlation analysis of log data. In addition to error details, extended fields, and context logs, you can also get a one-stop understanding of the host, container, network, etc., corresponding to the log.

Built-in Pages¶

For built-in pages like Host, Container, Pod, etc., you can perform the following operations:

(Taking the "Host" built-in page as an example)

Edit the fields displayed on the current page. The system will automatically match corresponding data based on the fields.
Choose to jump to the metric view or host details page.
Filter the time range.

Note

Only workspace administrators can modify the display fields of built-in pages. It is recommended to configure common fields. If the page is shared by multiple explorers, field modifications will take effect in real-time synchronization.

For example: Configuring the "index" field here. If this field exists in the log, it will be displayed normally. However, if the trace explorer lacks this field, the corresponding value cannot be displayed.

Built-in Views¶

In addition to the views displayed by default by the system here, you can also bind user views.

Enter the built-in view binding page.
View the default associated fields. You can choose to keep or delete fields, and you can also add new key:value fields.
Select a view.
After binding is complete, you can view the bound built-in view in the host object details. You can click the jump button to go to the corresponding built-in view page.