Search: Log Messages

The Log Search console allows you to create complex queries that refine your log search results to the messages most relevant to your investigation. The search field allows you to type a SQL-like query statement using the available fields and operators. If needed, you can use subsequent search fields to add OR statements and create a search that tests for multiple conditions. As you type a search statement, a warning icon appears to the left of the search field until the query contains valid syntax. You cannot submit a search with invalid syntax.

The Log Search page includes the Search Assistant, which displays the available options as you type to help you create search statements and aggregations.

Search by date and time range

The date range drop-down menu allows you to display all log messages received during a selected date range and within a time range for the selected dates. Select from the following to display log messages received within the specified date and time range:

  • last hour (default)
  • last 6 hours
  • last 12 hours
  • last 24 hours
  • last 7 days
  • last 30 days

You can also click within the calendar to create a custom date and time range.

The Alert Logic console displays time in your local time zone.

Refine your search results

The Log Search feature includes the WHERE and PROJECTION fields, which allow you to create SQL-like searches and aggregations to narrow and organize the list of search results. You can use the Search Assistant to click and choose search and aggregation criteria and their available operators.

Use the Search Assistant

The Search Assistant, which appears by default, helps you create searches and aggregations by presenting suggestions as you type in the WHERE field. Click a value in the Namespace column, and then select an available operator for the selected namespace. The Search Assistant provides quotation marks where you must type a needed search term, or it provides a list of suggested search terms. You can click additional namespaces to create AND statements, and you can use OR statements to search for multiple criteria.

The Search Assistant lists all saved searches created by users in your customer account. Select a search in the Saved Searches column, and then click ADD TO SEARCH to populate the search fields. For more information about saved and scheduled searches, see Save and schedule searches.

If the Search Assistant does not display saved and scheduled searches, press ESC.

Add search terms from a log message

If you want to perform a log search based on a specific log message in a list of search results, Alert Logic allows you to click within the log message preview to add criteria to the WHERE field and create a more detailed search.

To add search terms from a log message:

  1. In the list of search results, click a log message from which you want to create a search.
  2. Click the namespace items in the message, or listed across the bottom of the message, that you want to include as search terms. Valid search term entries highlight when you hover your cursor over them.

You can add multiple search terms, and the log search automatically inserts the required AND between them.

Aggregate search results with projections

The Log Search PROJECTIONS field allows you to aggregate your search results. You can specify the columns of data to display in the list of search results, and specify how Log Search groups and orders search results.

By default, Alert Logic displays the Time Received and Message columns, ordered by time received in descending order (SELECT [Time Received], [Message] ORDER BY [Time Received] DESC). The SELECT projection allows you to specify the fields you want to display in the search results. You can add further projections to customize the organization of search results.

For example, to make the results list of a search for a specific user name show the user name and the number of log messages that include it, grouped by Host Name and ordered by the number of messages, use the following projection statement:
SELECT [User Name], COUNT (Message) AS "MessageCount" ORDER BY "MessageCount" DESC GROUP BY [Host Name]
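As an added illustration that is not part of the Alert Logic documentation or product, the following Python script runs the projection above over a handful of constructed log records in an in-memory SQLite database. It translates the page's statement into standard SQL (where GROUP BY precedes ORDER BY), applies the searched user name first as the WHERE part of the search would, and also shows the default listing (time received and message, newest first). The column names, host names and sample records are assumptions made for this example only.

```python
import sqlite3

# Constructed sample log records for this example; none of this is real
# Alert Logic data. Field names mirror the bracketed columns used on the page.
SAMPLE_LOGS = [
    # (time_received, host_name, user_name, message)
    ("2024-05-01T10:00:00Z", "web-01", "alice", "Accepted password for alice from 10.0.0.5"),
    ("2024-05-01T10:00:05Z", "web-01", "alice", "session opened for user alice"),
    ("2024-05-01T10:01:00Z", "web-02", "alice", "Accepted publickey for alice from 10.0.0.5"),
    ("2024-05-01T10:02:00Z", "db-01", "alice", "Failed password for alice from 10.0.0.9"),
    ("2024-05-01T10:02:10Z", "db-01", "alice", "Failed password for alice from 10.0.0.9"),
    ("2024-05-01T10:02:20Z", "db-01", "alice", "Failed password for alice from 10.0.0.9"),
    ("2024-05-01T10:03:00Z", "web-01", "bob", "Accepted password for bob from 10.0.0.7"),
]


def _load(records):
    """Load the records into an in-memory SQLite table named logs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logs (time_received TEXT, host_name TEXT, "
        "user_name TEXT, message TEXT)"
    )
    conn.executemany("INSERT INTO logs VALUES (?, ?, ?, ?)", records)
    return conn


def default_listing(records=SAMPLE_LOGS):
    """Equivalent of the default projection on the page:
    SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
    The ISO 8601 timestamps sort correctly as plain strings."""
    conn = _load(records)
    try:
        return conn.execute(
            "SELECT time_received, message FROM logs ORDER BY time_received DESC"
        ).fetchall()
    finally:
        conn.close()


def count_messages_by_host(user_name, records=SAMPLE_LOGS):
    """Equivalent of the page's aggregation projection:
    SELECT [User Name], COUNT (Message) AS "MessageCount"
    ORDER BY "MessageCount" DESC GROUP BY [Host Name]
    The WHERE part of the search (the user name being searched for) is applied
    first, so user_name is constant within every group; adding it to GROUP BY
    keeps the query valid under strict SQL engines without changing the counts.
    host_name is a tie-breaker so that equal counts come back in a fixed order."""
    conn = _load(records)
    try:
        return conn.execute(
            """
            SELECT host_name, user_name, COUNT(message) AS MessageCount
            FROM logs
            WHERE user_name = ?
            GROUP BY host_name, user_name
            ORDER BY MessageCount DESC, host_name
            """,
            (user_name,),
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for row in default_listing():
        print(row)
    print()
    for host, user, count in count_messages_by_host("alice"):
        print(f"{host:8} {user:8} {count}")
```

Run as a script, it prints the seven sample records newest first, then one row per host for alice (db-01 with 3 messages, web-01 with 2, web-02 with 1), which is the shape of result list the projection statement produces in the console.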

Save and schedule searches

You can save and schedule any search for frequent use. To ensure every saved search runs correctly, the Alert Logic console does not allow you to save a search until you enter at least one valid search statement in the search bar. The Search Assistant lists all saved searches created by users in your customer account. Scheduled searches appear with a calendar icon on the Saved Searches list.

If the Search Assistant does not display saved and scheduled searches, press ESC.

To save a search:

  1. Enter a valid search query, and then click SAVE.
  2. In the Save Search slideout panel, provide a name for the search.
  3. Click SAVE.

To save and schedule a search:

  1. Enter a valid search query, and then click SAVE.
  2. In the Save Search slideout panel, provide a name for the search.
  3. Click +ADD SCHEDULE, and then select values for the following:
    • Schedule search to run — Allows you to select the frequency for the search. The options are:
      • Once
      • Daily
      • Weekly
      • Monthly
    • Search time range — Allows you to specify a time range for which you want data
    • At time — Allows you to specify the time you want the search to run.
    If you want the saved search to follow more than one schedule, click +ADD SCHEDULE to add an additional schedule for the search. You can add multiple schedules for each saved search.
  4. Click SAVE.

To perform a saved search:

  1. In the Search Assistant, select a search from the Saved Searches column.
  2. Click + ADD TO SEARCH to populate the search fields.
  3. On the log search menu bar, click SEARCH.

Edit a saved search

Select a saved search to edit the search details or the search schedule.

View and export scheduled search results

The Search Assistant lists recently scheduled searches and provides the day and time the search was last run. If you click a recently scheduled search, you can perform the following tasks:

  • View the results of the search
  • Export the results of the search to a CSV file

Analyze log messages

After you perform a log message search, you can view the details of log messages that appear in the search results. Click a message to view a summary of the log message, view the log source properties, bookmark the message, create another log search, or export the log message summary to a CSV file.

Click Open to view the details of the selected log message in a separate browser tab.

Open a log message

The details page for a selected log message displays additional information about the log message, log source properties and message fields. You can use this information to further refine your log search, export the information about this log message to a CSV file, or create an incident.

Export log messages

Multiple views within log search allow you to export either a list of search results, or details of a specific search to a .CSV file.

  • If you select one or more search results in the list, you can click the export icon in the blue bar on the lower right of your screen to export the selected log search results to a .CSV file. The column headers and information in the .CSV file match the columns displayed in the results list on the Log Search page.
  • If you open a log message to view its details in a separate browser tab, you can click the export icon to export the log message details to a .CSV file.

Create an incident

The log search page allows you to create an incident from a log message.

Bookmark log messages

The bookmark feature allows you to specify one or more log messages you want to investigate, and then display only those log messages in the list of search results.

To bookmark a single log message entry:

  1. Click Open.
  2. Click the bookmark icon.

To bookmark multiple log message entries:

  1. Select the check box to the left of each log message you want to bookmark.
  2. In the blue bar on the lower right of your screen, click the bookmark icon.

After you bookmark log messages, you can click the bookmark icon above the search results to display only bookmarked log messages in the results list.

Bookmarks appear only for the current session.