This section describes how to browse the log messages collected on SSB.
Using the search interface explains how to use and customize the search interface, describes the log message data that is available on SSB, and provides examples of the wildcard and boolean search operators you can use.
Browsing encrypted logspaces describes how to decrypt and browse encrypted logspaces.
Creating custom statistics from log data explains how to create custom statistics from the available log data, and how to save them for reports.
Creating content-based alerts describes how to create content-based alerts.
Additional tools provides information about functionalities that allow you to obtain further data about log messages from pattern database alerts and reports.
SSB has a search interface for browsing the collected log messages. You can choose the logspace, enter a search expression, specify the timeframe, and browse the results here.
This section walks you through the main parts of the search interface.
To access the search interface, navigate to Search > Logspaces.
Figure 132: Search > Logspaces — The log message search interface
To choose the appropriate logspace, use the Logspace name menu. Note that you cannot access plain text logspaces on the SSB search interface.
For more information on the available logspaces, and how to configure them, see "Storing messages on SSB" in the Administration Guide.
On the log message search interface, you can use the Search expression field to search the full list of log messages. Search expressions are case insensitive, with the exception of operators (like AND, OR, etc.), which must always be capitalized. Click the icon, or see Using complex search queries for more details.
When searching log messages, the capabilities of the search engine depend on the delimiters used to index the particular logspace. For details on how to configure the delimiters used for indexing, see "Creating logstores" in the Administration Guide.
You can search in indexed logspaces even if log traffic is disabled.
You can create complex searches using wildcards and boolean expressions. For more information and practical examples, see Using complex search queries.
SSB only indexes the first 59 characters of every name-value pair (parameter). This has two consequences:
Displays the number of log messages in the selected time interval.
Figure 133: Search > Logspaces — Log message overview
Use the and icons to zoom, and the arrows to display the previous or the next intervals. To change the timeframe, you can:
Change the beginning and the end date.
Click and drag the pointer across a period on the calendar bars to select a specific interval and zoom in.
Use the Jump to last option to select the last 15 minutes, hour, 6 hours, day, or week.
Hovering the mouse above a bar displays the number of results, and the start and end date of the period that the bar represents. Click a bar to display the results of that period in the table. Use Shift+Click to select multiple bars.
The search interface provides an action bar that allows you to:
Fetch a link to a search query.
Export search results into a csv file.
Create a content-based alert.
It also displays the following information:
Figure 134: Search > Logspaces: Action bar
On clicking , the Bookmark links panel is displayed:
Figure 135: Search > Logspaces — Bookmark links panel
Bookmark links allow you to fetch a link to a search query so that you can:
Share your search queries with colleagues, who can then access the relevant search results in one click.
Save frequently used search queries as bookmark links.
The link in the Current view field provides a direct link to your search query and its results currently displayed on your screen. Whenever you open the bookmarked link from your browser, it will always return the same, fixed set of results. The start and end date that you set when executing the search query and fetching the link from the Bookmark links panel remain fixed.
The Last menu, on the other hand, allows you to specify an interval of time, for example, the last 15 minutes or the last hour, and fetch search results generated within that period. The search results that you access using this link may differ on two different occasions as the start point of the specified interval is always the moment you open the bookmarked link from your browser.
On clicking , the CSV export panel is displayed:
Figure 136: Search > Logspaces — CSV export panel
Clicking exports your search results into a CSV file. This saves the table as a text file containing comma-separated values. Note that if an error occurs when exporting the data, the exported CSV file will include a line (usually as the last line of the file) starting with a zero and the details of the problem, for example, 0<description_of_the_error>.
Do not use Download CSV export to export large amounts of data, as exporting data can be very slow, especially if the system is under heavy load. If you regularly need a large portion of your data in plain text format, consider using the SSB RPC API (for details, see "The SSB RPC API" in the Administration Guide), or sharing the log files on the network and processing them with external tools (for details, see "Accessing log files across the network" in the Administration Guide).
The alert functionality enables you to set up content-based alerts for search expressions of your choice. You will receive an alert when a match is found between the search expression and the contents of a log message. Note that the alerts are generated for only those log messages that are stored in the logspace(s) for which you set up the alert.
For detailed information on content-based alerts, see "Creating content-based alerts" in the Administration Guide.
When any user action results in an error condition (for example, if you enter an invalid search expression, or display statistics for a column that has not been indexed), an error or warning notification is displayed on the action bar. Errors are shown in red letters, warnings are displayed in amber.
If there is more than one notification, the latest will be displayed and the number of notifications triggered will also be indicated. Clicking the notification will open an Errors and warnings panel:
Figure 137: Search > Logspaces — Errors and warnings panel
The Errors and warnings panel displays a list of errors/warnings with their timestamp and details of their cause.
You can clear notifications one by one by clicking next to them, or clear all of them by clicking .
After running a search query, the action bar displays the number of search results returned by the query. This is useful information when you are trying to find out how often a certain element appears in the logs.
Use the arrow keys and the Page Up and Page Down keys to navigate the listed log messages, or use the mouse wheel to scroll. You can disable mouse wheel scrolling in your User menu > Preferences. If data is too long to fit on one line, it is automatically wrapped and only the first line is displayed.
Figure 138: Search > Logspaces — List of log messages
To expand a row in the list of log messages, click . The complete log message is displayed:
Figure 139: Search > Logspaces — Viewing a single log message
Use the arrow keys to jump to the previous or the next log message.
Use the Page Up and Page Down keys to jump to the 10th log message before or after the currently displayed log message. You can also jump to the previous or the next log message with the mouse wheel.
If the displayed log message consists of several pages of data, you can configure the mouse wheel to be able to use it for scrolling the message vertically. To do this, navigate to User menu > Preferences, deselect Mousewheel scrolling of search results and click Set options. This will disable jumping between log messages with the mouse wheel.
You can perform the following actions:
Click any word in the message to copy it to the Search field.
Click any of the dynamic columns (name-value pairs) to add it as a column to the list of log messages.
Click any of the icons to view the statistics of the selected category.
To return to the list of all log messages, click .
To customize the data displayed on the log message search interface, complete the following steps:
Click Customize columns.
The parameters used for the columns when displaying log messages are listed under Displayed columns. All other available parameters are listed under Available static columns and Available dynamic columns.
Dynamic columns are created from structured data parameters (name-value pairs) in log messages stored on SSB. Structured data parameters are detected and added to the list of customizable columns automatically. (For more information on the structured data part of log messages, see Administration Guide.)
To export the search results into a CSV file, click on the action bar. Note that the CSV file includes all the static columns and the displayed dynamic columns.
Figure 140: Search > Logspaces > Customize columns — Customizing columns of the log message search interface
To add a static column to the Displayed columns, click .
To add a dynamic column to the Displayed columns, choose a name-value pair from Available dynamic columns and click .
The selected name generates a new, separate dynamic column with a <name> heading (where <name> is the name of the key). The relevant values are displayed in the cells of the respective column.
To remove parameters from the Visible columns, click .
To display the full content of each column (including the log messages), enable Show full content of columns.
The following information is available about the log messages:
Processed Timestamp: The date when SSB received the log message in YEAR-MONTH-DAY HOUR:MINUTE:SECOND format.
Timestamp: The timestamp received in the message — the time when the log message was created in YEAR-MONTH-DAY HOUR:MINUTE:SECOND format.
Facility: The facility that sent the message.
Priority: The priority value of the message.
Program: The application that created the message.
Pid: The program identifier of the application that created the message.
Host: The IP address or hostname of the client that sent the message to SSB.
Message: The text of the log message.
Tag: Tags assigned to the message matching certain pattern database rules.
Id: Unique ID of the message.
classifier.rule_id: ID of the pattern database rule that matched the message.
classifier.class: Description of the pattern database rule that matched the message.
Dynamic columns, created from additional name-value pairs, might also be available.
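The CSV export described above and the column list just given can be combined into a small post-processing check: a script that reads an exported file, validates the two timestamp columns against the documented YEAR-MONTH-DAY HOUR:MINUTE:SECOND format, separates the documented 0<description_of_the_error> marker lines from real records, and computes the delay between message creation (Timestamp) and reception by SSB (Processed Timestamp). This is an added example, not code from SSB or its documentation; the header row, the column order, and the sample records are constructed assumptions, since the page does not specify the exact layout of the exported file.

```python
import csv
from datetime import datetime

# Constructed sample of an SSB-style CSV export. The header row and column
# order are assumptions; the last line models the documented error marker
# "0<description_of_the_error>" that SSB appends when an export fails.
SAMPLE_EXPORT = """Processed Timestamp,Timestamp,Facility,Priority,Program,Pid,Host,Message,Tag,Id
2024-03-01 10:15:02,2024-03-01 10:15:01,auth,notice,sshd,4242,10.0.0.5,Accepted publickey for alice from 10.0.0.9 port 51234,,1001
2024-03-01 10:15:07,2024-03-01 10:15:06,auth,warning,sshd,4242,10.0.0.5,Failed password for invalid user admin from 10.0.0.77 port 44000,,1002
0export interrupted: logspace became unavailable
"""

# YEAR-MONTH-DAY HOUR:MINUTE:SECOND, as documented for both timestamp columns.
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_export(text):
    """Split an export into (rows, errors).

    rows   - list of dicts keyed by the header names, timestamps validated
    errors - descriptions taken from lines that start with "0" and do not
             parse as a complete record (the documented error marker)
    """
    lines = [line for line in text.splitlines() if line.strip()]
    header = next(csv.reader([lines[0]]))
    rows, errors = [], []
    for raw in lines[1:]:
        fields = next(csv.reader([raw]))
        # A genuine record always has one field per header column; an error
        # marker starts with "0" and carries free text instead of columns.
        if raw.startswith("0") and len(fields) != len(header):
            errors.append(raw[1:])
            continue
        if len(fields) != len(header):
            raise ValueError(f"malformed record: {raw!r}")
        row = dict(zip(header, fields))
        for col in ("Processed Timestamp", "Timestamp"):
            # strptime raises ValueError if the value deviates from the format
            datetime.strptime(row[col], TS_FORMAT)
        rows.append(row)
    return rows, errors


def receive_delay_seconds(row):
    """Seconds between message creation (Timestamp) and reception by SSB
    (Processed Timestamp). Large or negative values point at clock skew on
    the sending host or at delayed forwarding, both worth noticing when the
    logs are used as evidence."""
    processed = datetime.strptime(row["Processed Timestamp"], TS_FORMAT)
    created = datetime.strptime(row["Timestamp"], TS_FORMAT)
    return (processed - created).total_seconds()


if __name__ == "__main__":
    rows, errors = parse_export(SAMPLE_EXPORT)
    for row in rows:
        print(row["Id"], row["Host"], row["Program"],
              f"delay={receive_delay_seconds(row):.0f}s", row["Message"])
    for err in errors:
        print("EXPORT ERROR:", err)
```

Run the script on a real export by replacing SAMPLE_EXPORT with the file contents; if `errors` is not empty, the export is incomplete and should not be treated as a full copy of the search results.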