Skip to content

Log Details

Click on the log list to slide out the details page of the current log, where you can view detailed information including the time the log was generated, the host, source, service, content, extended fields, and context.

View Full Log

When logs are reported to TrueWatch, if the data exceeds 1M in size, it will be split according to the 1M standard. For example, a log of 2.5M will be split into 3 logs (1M/1M/0.5M). The completeness of the split logs can be checked through the following fields:

Field
Type Description
__truncated_id string Represents the unique identifier of the log. Multiple split logs use the same __truncated_id, with the ID prefix being LT_xxx.
__truncated_count number Represents the total number of split logs.
__truncated_number number Represents the order of the split log, starting from 0, where 0 indicates the first log.

On the log details page, if the current log is split into multiple logs, a View Full Log button will appear in the upper right corner. Clicking this button will open a new page and list all related logs in the order of the split, with the log selected before the jump highlighted in color to help locate the upstream and downstream logs.

Obsy AI Error Analysis

TrueWatch provides the ability to parse error logs with one click. It uses a large model to automatically extract key information from the logs, combined with online search engines and operation knowledge bases, to quickly analyze possible fault causes and provide preliminary solutions.

  1. Filter all logs with the status error;
  2. Click on a single data entry to expand the details page;
  3. Click Obsy AI Error Analysis in the upper right corner;
  4. Start the anomaly analysis.

Error Details

If the current log contains error_stack or error_message field information, the system will provide you with error details related to this log.

To view more log error information, go to Log Error Tracing.

Attribute Fields

Click on attribute fields to quickly filter and view host, process, trace, and container data related to the log.

Field Description
Filter Field Value Add this field to the log explorer to view all log data related to this field.
Reverse Filter Field Value Add this field to the log explorer to view all log data except those related to this field.
Add to Display Column Add this field to the explorer list for viewing.
Copy Copy this field to the clipboard.
View Related Containers View all containers related to this host.
View Related Processes View all processes related to this host.
View Related Traces View all traces related to this host.
View Related Inspections View all inspection data related to this host.

Log Content

  • The log content automatically switches between JSON and text viewing modes based on the message type. If the message field does not exist in the log, the log content section will not be displayed. The log content supports expanding and collapsing, with the default being expanded. When collapsed, only one line of height is displayed.

  • For logs with source:bpf_net_l4_log, both JSON and packet viewing modes are automatically provided. The packet mode displays client, server, time, and other information, and supports switching between absolute and relative time display, with the default being absolute time. The switched configuration is saved in the local browser.

JSON Search

In JSON format logs, both key and value can be searched. After clicking, the explorer search bar will add the format @key:value for searching.

For multi-level JSON data, use . to represent the hierarchical relationship. For example, @key1.key2:value indicates searching for the value corresponding to key2 under key1.

For more details, refer to JSON Search.

Extended Fields

  • In the search bar, you can enter the field name or value to quickly search and locate;

  • After checking the field alias, you can view it after the field name;

  • Hover over an extended field, click the dropdown icon, and choose to perform the following operations on this field:

    • Filter Field Value
    • Reverse Filter Field Value
    • Add to Display Column
    • Perform Dimension Analysis: Click to jump to Analysis Mode > Time Series Chart
    • Copy
Note

If you choose to add a field to the display column, an icon will appear in the list for easy identification.

View Context Logs

The context query function of the log service helps you trace related records before and after the occurrence of an abnormal log through a time clue, quickly locating the root cause of the problem.

  • On the log details page, you can directly view the context logs of the current data content;
  • You can sort the data by clicking the "Time" list;
  • The left dropdown box allows you to select an index to filter out the corresponding data;
  • Jump to open a new page for context logs.
Supplementary Understanding of Related Logic

According to the returned data, 50 pieces of data are loaded each time you scroll.

How is the returned data queried?

Prerequisite: Does the log have the log_read_lines field? If it exists, follow logic a; if it does not, follow logic b.

a. Get the log_read_lines value of the current log and filter with log_read_lines >= {{log_read_lines.value-30}} and log_read_lines <= {{log_read_lines.value +30}}

DQL Example: Current log line number = 1354170

Then:

L::RE(`.*`):(`message`) { `index` = 'default' and `host` = "ip-172-31-204-89.cn-northwest-1" AND `source` = "kodo-log" AND `service` = "kodo-inner" AND `filename` = "0.log" and `log_read_lines` >= 1354140 and `log_read_lines` <= 1354200}  sorder by log_read_lines

b. Get the current log time, and derive the query start time and end time by moving forward/backward

  • Start Time: Move 5 minutes backward from the current log time;

  • End Time: Take the time of the 50th log after moving forward from the current log time (·). If time = current log time, then use time+1 microsecond as the end time; if time ≠ current log time, then use time as the end time.

Context Log Details Page

Click to jump to the details page. You can manage all current data through the following operations:

  • Enter text in the search box to search and locate data;
  • Click the button on the side to switch the system's default automatic line wrapping to content overflow mode. In this mode, each log is displayed as one line, and you can scroll left and right to view as needed.

Correlation Analysis

The system supports correlation analysis of log data. In addition to error details, extended fields, and context logs, you can also get a one-stop understanding of the host, container, network, etc., corresponding to the log.

Built-in Pages

For built-in pages such as Host, Container, Pod, etc., you can perform the following operations:

(Take the "Host" built-in page as an example)

  • Edit the current page display fields, and the system will automatically match the corresponding data based on the fields;
  • Choose to jump to the metric view or host details page;
  • Filter the time range.
Note

Only workspace administrators can modify the display fields of built-in pages. It is recommended to configure common fields. If this page is shared by multiple explorers, field modifications will take effect in real time.

For example: If you configure the "index" field here, the log can be displayed normally if it contains this field. However, if the trace explorer lacks this field, the corresponding value cannot be displayed.

Built-in Views

In addition to the views displayed by default in the system, you can also bind user views.

  1. Enter the built-in view binding page;
  2. View the default associated fields. You can choose to keep or delete fields, and also add new key:value fields;
  3. Select the view;
  4. After completing the binding, you can view the bound built-in views in the host object details. You can click the jump button to go to the corresponding built-in view page.