About the Logs app
Monitor and analyze log data
ITRS Analytics Logs app provides a dedicated workspace for monitoring, investigating, and analyzing log data published to the platform. It helps you easily discover log sources, filter log messages and related entities, and view detailed log entries in a structured way. The app also supports saving and reusing investigations, making it easier to share, revisit, and manage common log queries across teams.
Within the broader ITRS Analytics solution, Logs sits between platform data services and day-to-day operational workflows. The app uses platform services such as the log query, entity, and key-value store services to retrieve log data, identify matching log sources, and persist saved filter configurations.
The app is intended for the following user groups:
- Operators and support engineers investigating incidents and service behavior
- SRE and observability teams correlating log activity across entities and log sources
- Platform administrators and advanced users managing reusable searches and shared filters
- Internal developers validating log output during development and testing
Prerequisites
Before using or deploying the Logs app, make sure the following prerequisites are available:
- ITRS Analytics 2.18.0 or later
- ITRS Web Console installed before the Logs UI app
Use case scenarios
The Logs app addresses a common operational problem: large volumes of distributed log data are difficult to isolate, interpret, and reuse during troubleshooting. Without a focused log workflow, teams spend too much time switching between tools, recreating searches, and manually sharing investigation context.
Key business benefits include:
- Faster incident investigation by combining source discovery, time selection, filtering, and log entry review in one Web Console experience.
- Improved operational efficiency through reusable saved filters instead of rebuilding the same searches repeatedly.
- Better collaboration by allowing users to share or publish filters and distribute direct links to known investigations.
- Reduced troubleshooting noise through structured filtering by entity, log name, message terms, namespace, severity, trace identifiers, and attributes.
- Better scalability for teams that need a consistent log workflow embedded in the wider ITRS Analytics platform.
Why this solution matters:
- It is integrated directly into the Web Console rather than being a standalone utility.
- It combines both source-level filtering and message-level filtering in a single workflow.
- It supports operational reuse through save, clone, import, export, and access-control capabilities.
- It uses platform services and permissions already present in the wider ITRS Analytics ecosystem.
The following scenarios describe the two primary ways you can interact with the Logs app in the Web Console.
Investigate log activity for an entity or service
Use this scenario when you need to narrow a large log data set to the entries that matter for a current incident, service check, or root-cause investigation.
- Open Logs from the Web Console navigation.
- Set the global time range using the Web Console date picker.
- In the filter panel, add one or more of the following:
  - A message search
  - An entity filter
  - A log source namespace or log source name
- Open Advanced options if you need to refine the result set further by namespace, severity, trace identifiers, or attributes.
- Select one or more matching log files from the returned log sources.
- Review the log entries table.
- Optionally:
  - Use the in-table search to jump between matching lines
  - Enable line wrapping for long messages
  - Show the Log Volume Timeline to identify spikes or quieter periods
  - Use Force refresh to invalidate cached results and rerun the latest queries
Expected outcome:
- You can quickly move from broad discovery to a focused, time-bounded set of log entries.
- The timeline view helps identify bursts of activity before drilling into individual messages.
- The workflow is especially useful for short-lived incidents, service restarts, and error bursts.
Message search behavior:
- Unquoted terms are treated as exact tokens
- Quoted values are treated as phrases or substring matches
- Prefix a term with ! to negate it
Example:
error "connection refused" !debug
Save, share, and reuse a proven investigation filter
Use this scenario when a log search needs to be repeated by the same user or shared with other teams.
- Build and test a filter that returns the required logs.
- Select Save to store the filter configuration with a name and optional description.
- Reopen the filter later from the Open a log filter action.
- If the filter should be reused by others, open Manage Access and choose one of the following:
  - Keep it private.
  - Share the private filter through a direct link.
  - Publish it as a public filter.
- If you need to move the filter between environments or keep a backup, use:
  - Export to download the filter as JSON.
  - Import to load a previously exported filter.
- If a new variation is required, use Clone and modify the copy without changing the original.
Expected outcome:
- Teams can standardize common troubleshooting patterns.
- Investigations become easier to repeat during recurring incidents or change validation.
- Shared filters reduce manual handover effort between support, operations, and engineering teams.
Configuration and setup
Log data filter and fields
The Logs app helps you find relevant log files, select the sources to inspect, and review the returned log entries within the chosen time range.
- View a preview list of matching log files for the selected time range while working in the filter editor.
- See matching log files ordered by the number of matching log entries, with the highest-volume matches shown first by default.
- Refine results using primary and advanced filters, including message content, entity filters, log file namespace or name, severity, traces, and attributes.
- See the matching log file preview update automatically as filter criteria change.
- Expand the visible preview list with Load more, up to a maximum of 100 matching log files.
- Select one or more log files and open their entries in the main results table, with support for viewing up to 5 log sources at the same time.
- Show or hide the Log Volume Timeline chart to visualize log activity across the selected time range, and zoom the chart to update the active Web Console time window.
- Search within the log entries table by using Find in messages, with next and previous navigation between matches.
- Toggle message line wrapping to improve readability for long log messages.
- Scroll through additional pages of log entries automatically when a single log source is selected. When multiple log sources are selected, view up to the configured page size per source without paging.
- Configure column visibility in the log entries table, with the grid state stored locally for reuse in later sessions.
- Copy an individual log entry row to the clipboard in JSON format for offline review or sharing.
Log message search syntax
The Logs app supports two message-search styles in the Search messages field: token matching and phrase or substring matching. Search terms can also be negated with !. Message search has the following behavior:
- Searches are case-sensitive.
- Unquoted terms are treated as token matches.
- Double-quoted terms are treated as phrase or substring matches.
- Multiple terms can be combined in a single search.
- Combined terms are evaluated together, so the search narrows the result set.
- Prefixing a token or quoted phrase with ! negates that term.
Token matching
Use unquoted words for token matching. Note that non-alphanumeric characters at the beginning and end of each word are ignored.
Examples:
| Log message text | Search input | Match? | Note |
|---|---|---|---|
| INFO - log message | log | ✅ | Token matches |
| INFO - log message | log message | ✅ | Multiple tokens can be combined |
| INFO - log message | mess | ❌ | Partial token does not match |
| INFO - log message | LOG | ❌ | Search is case-sensitive |
| INFO - log message | message log | ✅ | Tokens can be entered in a different order |
| INFO - log message | log#%&_-( | ✅ | Verified by functional tests |
| INFO - log message | [INFO] | ✅ | Verified by functional tests |
Phrase or substring matching
Use double quotes for phrase or substring matching. With this search type, alphanumeric characters are not ignored.
Examples:
| Log message text | Search input | Match? | Note |
|---|---|---|---|
| INFO - log message | "log" | ✅ | Substring matches |
| INFO - log message | "log mess" | ✅ | Phrase matches |
| INFO - log message | "mess" | ✅ | Substring matches |
| INFO - log message | "LOG" | ❌ | Search is case-sensitive |
| INFO - log message | "message log" | ❌ | Sequence not found |
| INFO - log message | "[INFO]" | ❌ | Verified by functional tests |
Mixed terms and negation
Unquoted tokens and quoted phrases can be mixed in the same search.
Examples:
| Example log message text | Search input | Match? |
|---|---|---|
| INFO - log message | "log mess" INFO | ✅ |
| INFO - log message | log message | ✅ |
| INFO - log message | !INFO | ❌ |
| INFO - log message | !"log" | ❌ |
| INFO - log message | !ERROR !"lag" | ✅ |
| INFO - log message | !LOG | ✅ |
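The following added example is a reference model of the search rules described above, useful for checking a query against sample lines before saving it as a shared filter. It is not ITRS code: the names `parse`, `matches`, and `search` are hypothetical, and splitting messages on whitespace is an assumption, since the page does not say how the platform tokenizes messages.

```python
import re

# Optional "!" followed by either a double-quoted phrase or a bare word.
TERM = re.compile(r'(?P<neg>!?)(?:"(?P<phrase>[^"]*)"|(?P<word>\S+))')
EDGE = re.compile(r'^[^A-Za-z0-9]+|[^A-Za-z0-9]+$')


def normalize(word):
    """Drop non-alphanumeric characters at the start and end of a word."""
    return EDGE.sub("", word)


def parse(query):
    """Return a list of (negated, kind, text) terms for a search input."""
    terms = []
    for m in TERM.finditer(query):
        negated = m.group("neg") == "!"
        if m.group("phrase") is not None:
            terms.append((negated, "phrase", m.group("phrase")))
        else:
            token = normalize(m.group("word"))
            if token:  # assumption: a word with no alphanumerics is dropped
                terms.append((negated, "token", token))
    return terms


def matches(message, query):
    """True when every term of the query holds for the message (AND)."""
    # Assumption: message tokens are whitespace-separated words, normalized.
    tokens = {normalize(w) for w in message.split()} - {""}
    for negated, kind, text in parse(query):
        # Both checks are case-sensitive, as the page states.
        found = text in message if kind == "phrase" else text in tokens
        if found == negated:  # required term missing, or negated term present
            return False
    return True


# Constructed sample lines, not taken from a real system.
SAMPLE = [
    "ERROR - connection refused by upstream",
    "DEBUG - error connection refused (retry)",
    "INFO - health check ok",
]


def search(lines, query):
    """Return the lines that satisfy the query."""
    return [line for line in lines if matches(line, query)]
```

In this model, `search(SAMPLE, 'error "connection refused" !debug')` returns only the second sample line: because matching is case-sensitive, `error` misses `ERROR` and `!debug` does not exclude `DEBUG`.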
Example log filters
The following examples show practical filter combinations that you can adapt for use in the Logs app. Replace placeholder values such as <namespace>, <log-file-name>, <trace-id>, <span-id>, and <host-name> with values from your own environment.
| Use case | Filter fields | Example value |
|---|---|---|
| Investigate application errors | Severity | Error, Critical |
| | Log file namespace | <namespace> |
| | Log file name | <log-file-name> |
| | Message search | error exception |
| Investigate timeout issues | Severity | Warning, Error |
| | Message search | timeout retry |
| | Attribute key | service.name |
| | Attribute value | <service-name> |
| Investigate an exact failure message | Message search | "connection refused" |
| | Log file name | <log-file-name> |
| Investigate trace-linked log activity | Trace ID | <trace-id> |
| | Span ID | <span-id> |
| Investigate logs from a specific host | Attribute key | host.name |
| | Key match | Exact |
| | Attribute value | <host-name> |
| | Value match | Exact |
| Exclude noisy messages | Message search | error !debug !health |
Example message search inputs
The following examples can be entered directly in the Search messages field.
Token matching examples
| Search goal | Search input | Result |
|---|---|---|
| Find messages containing the token error | error | Matches log messages containing the token error. |
| Find messages containing both timeout and retry | timeout retry | Matches messages containing both tokens. |
| Exclude messages containing debug | !debug | Excludes log messages containing the token debug. |
| Find errors but exclude retries | error !retry | Matches error messages that do not contain retry. |
Phrase or substring matching examples
| Search goal | Search input | Result |
|---|---|---|
| Find the phrase connection refused | "connection refused" | Matches messages containing that phrase or substring. |
| Find the phrase out of memory | "out of memory" | Matches messages containing that exact text. |
| Exclude a known phrase | !"health check" | Excludes messages containing the phrase health check. |
Mixed matching examples
| Search goal | Search input | Result |
|---|---|---|
| Find errors containing a specific phrase | error "connection refused" | Matches messages containing the token error and the phrase connection refused. |
| Find timeouts but exclude a phrase | timeout !"temporary failure" | Matches messages with timeout but excludes those containing temporary failure. |
| Find warnings about disk space | warn "disk space" | Matches messages with the token warn and the phrase disk space. |
Trace ID and Span ID support
If ingested log data includes tracing metadata, the Logs UI provides Trace ID and Span ID fields in the Traces section of the filter editor. These fields can be used to narrow the result set to log entries associated with a specific trace or span.
This is useful when logs are enriched by tracing-enabled components such as OpenTelemetry-based pipelines or applications that emit trace context with log records.
Log message attributes
If ingested log records include structured attributes, the Log attributes section allows you to filter on attribute keys and values.
The UI supports the following attribute match types for both key and value filters:
- Exact
- Exact (Ignore Case)
- Contains
- Contains (Ignore Case)
- Starts With
- Starts With (Ignore Case)
You can add multiple attribute filters, remove individual filters, or clear all configured attribute filters from the panel.
Security and IAM settings
The app enables Web Platform IAM by default. The following properties are defined in the source as default values:
obcerv.webplatform.iam.enabled=true
obcerv.webplatform.iam.realm=obcerv
obcerv.webplatform.iam.server-url=http://keycloak:8080/auth
obcerv.webplatform.iam.platform-client-id=obcerv-platform
obcerv.webplatform.iam.public-key-cache-duration=P1D
These settings are relevant when:
- Integrating Logs into a secured Web Console environment
- Validating local authentication behavior
- Adjusting realm or Keycloak endpoint details for a specific deployment
Manage log filter permissions
Share log filter
Sharing is managed through the Share options button and the Manage Access dialog.
- Open an existing saved filter, or create a new filter and save it first.
- Click Share options in the upper-right area of the main panel.
- In the Manage Access dialog, choose how the filter should be shared:
- Keep the filter private
- Mark the filter as Shared to allow access by direct link
- Make the filter Public so that it can be discovered by other users
- If the filter is shared or public, copy the generated link from the dialog.
- Save the access changes.
Notes:
- The Share options button is only available for saved filters. If you click it while working with a saveable unsaved filter, the UI prompts you to save the filter first.
- Public filters can be discovered by other users.
- Shared private filters can be accessed by users who have the direct link, but they are not editable through sharing alone.
Add log filter
A log filter can be saved when at least one filter criterion other than the global time range has been configured.
- Enter the required log filtering criteria.
- Click the Save icon in the upper-right area of the main panel.
- In the Save filter dialog, enter a required Name and, optionally, a Description.
- Click Save.
Update log filter
- Open the saved filter that you want to update.
- Change one or more filter settings.
- Click the Update icon in the upper-right area of the main panel.
- Confirm the update when prompted.
Clone log filter
- Open the saved filter that you want to clone.
- Click the ellipsis menu in the upper-right area of the main panel and select Clone.
You can also clone a saved filter from the filter chooser row menu.
After cloning, the application opens a copy of the filter as a new unsaved draft. The copied filter name is prefilled and can then be saved as a separate filter.
Rename log filter
The Rename action reuses the same save/update dialog used for editing saved filter details.
- Open the saved filter that you want to rename.
- Click the ellipsis menu in the upper-right area of the main panel and select Rename.
- Update the filter name and, if required, the description in the dialog.
- Save the changes.
Import log filter
Importing a filter does not save it automatically. The imported filter is loaded into the application first and must then be saved explicitly.
- Click the ellipsis menu in the upper-right area of the main panel and select Import.
- Select the log filter JSON file to import.
- After a successful import, the filter is loaded into the editor as a draft.
- Save the imported filter if you want to persist it as a saved filter.
Export log filter
- Open the saved filter that you want to export.
- Click the ellipsis menu in the upper-right area of the main panel and select Export.
- The filter is downloaded as a JSON file.
You can also export a filter from the row-level action menu in the Open a log filter dialog.
Delete log filter
- Open the saved filter that you want to delete.
- Click the ellipsis menu in the upper-right area of the main panel and select Delete.
- Confirm the deletion in the confirmation dialog.
You can also delete a filter from the row-level action menu in the Open a log filter dialog.