Skip to main content
Version: Cloud

Secondary Storage

Overview

Store logs for an extended duration in secondary storage and utilize them later for auditing, troubleshooting, performance tuning, and detecting patterns or anomalies.

Enable Secondary Storage

By default, secondary storage is deactivated for a plugin/document type, requiring manual activation to enable it.

Click here to know how to enable secondary storage for a plugin/document type.

View Logs in Secondary Storage


  1. The Logs stored in the secondary storage can be viewed in the Secondary Storage pane of the Log Management section.

  2. The Secondary Storage pane has two tabs:

    • Live Data
    • Search History

Live Data

  • In the Live Data pane, histogram data up to 30 minutes before the time of access will be displayed. The first 1000 records for logs are displayed and pagination is enabled for records more than 20.

  • The logs can be expanded or collapsed to view or copy the logs in a JSON format.

  • The user can choose from different log types. The corresponding histogram and log data will be fetched for the changed log type.

  • Zooming on histogram data will fetch the respective zoomed data for histogram and logs. Resetting zoom results in the fetching of data up to the last 30 minutes from the time of access.

Search History

In the Search History pane, you can access all the logs from the moment secondary storage enabled for the plugin and Document Type. You use the following components of the search history pane to access the logs you require.

Log Type

Enable you to filter the logs based on the log type. It simplifies the task of navigating through large volumes of log data, facilitating quicker identification.

Search History

The Search History component stores your search activities and retains them for a specified duration, enabling easy access to previously searched logs.

Filter

The Filter component allows you to set filters for previously searched logs, facilitating more precise and targeted log retrieval. By utilizing this feature, you can quickly narrow down your search results.

Data Range

Specify a particular date range, enabling you to focus on logs generated within that specific timeframe

Advance Settings

Enable retention period for the performed searches.

Execute a search jobs in the search tab and view matching logs and histogram data for the executed search.

Search Query Details

To perform a search job, use the provided operators.

List of Operators

  • Key value Search (:)

    Example

    Key:Value
  • AND operation (&&)

    Example

    Instance_id && responseCode: 400
  • OR operation (||)

    Example

    responseCode: 200||requestSuccess: true
  • Phrase searches (" ")

    Example

    message: "Recevied Disconnect from"
  • Greater than (>)

    Example

    bytes:>8000
  • Lesser than (<)

    Example

    bytes:<8000
  • Greater than or equal (>=)

    Example

    bytes:>=8000
  • Lesser than or equal (<=)

    Example

    bytes:<8000
  • Grouping (())

    Example

    (bytes:(>2000 && <=5000)||Latency:>21) && _plugin:jmeter
  • NOT operation (-)

    Example

    _tag_instanceid: (-id1)
  • Single character wildcard (?)

    Example

    _plugin: jmet??
  • Zero or more characters wildcard (*)

    Example

    message: *exception
  • Pattern searches (//)

    Example

    message: /port [0-9]+/
  • Escape sequence ( \ )

    Example

    message: sudo\:linux

Examples for Search Query Details

Example 1

Dataset

1.  {      
"pid": 3245,
"upstream_response_time": 10,
"URL": "https://www.elastic.co/guide/en/elasticsearch/reference"
}

2. {
"pid": 2445,
"upstream_response_time": 4,
"URL": "https://www.elastic.co/guide/en/machine-learning"
}

3. {
"pid": 3246,
"upstream_response_time": 2,
"URL": "https://docker-hub/pricing"
}

4. {
"message": "docker image built",
"pid": 1000
}

Search Query Detail

Search QueryOutput
pid: 3?4?1and 3


Search QueryOutput
upstream_response_time:>5 && elasticsearch1


Search QueryOutput
elastic && machine\-learningNone


Search QueryOutput
www.elastic.co && machine\-learning2


Search QueryOutput
https\:\/\/docker-hub\/pricing3 and 4

Example 2

Dataset

1.  {      
"message": "Disconnected from 118.24.197.243 port 35662 [preauth]"
}

2. {
"message": "Unregistered Authentication Agent for unix-session:7 (system bus name :1.89, object path/org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN) (disconnected from bus)"
}

Search Query Detail

Search QueryOutput
"disconnected from"1 and 2


Search QueryOutput
message: (disconnected && from && port)1


Search QueryOutput
message: (disconnect* port)1


Search QueryOutput
message: (disconnected && -port)2

Example 3

Dataset

1.  {      
"responseCode": "400",
"responseMessage": Null
}

2. {
"message": "request received from IP1 and redirected to IP2",
"responseCode": "200"
}

3. {
"message": "ValueError(…)"
}

4. {
"message": "ArithmeticException(…)"
}

Search Query Detail

Search QueryOutput
responseCode: 400 || message: (*exception* || *error*))1, 3 and 4


Search QueryOutput
-(responseCode: 400 || message: (*exception* || *error*))2

Example 4

Dataset


1. {
"message": "No identification string for 118.24.197.243"
}

2. {
"message": "No identification string for 119:25.200.255"
}

3. {
"message": "Received bad request from 119:25.200.255"
}

4. {
"message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.195.182.3"
}

5. {
"message": "Authentication failure for user admin"
}

Search Query Detail

Search QueryOutput
message: /[0-9]+.[0-9]+.[0-9]+.[0-9]+/1,2, 3 and 4


Search QueryOutput
(message: /119.25.[0-9]+.[0-9]+/)2 and 3


Search QueryOutput
auth* && failure && -/[0-9]+.[0-9]+.[0-9]+.[0-9]+/5


Example 5

Dataset

1.  {
"message": "centos:PWD=/home/centos ; USER=root ; COMMAND=/bin/rm -rf jmeter.log"
}

Search Query Detail

Search QueryOutput
message.keyword: "centos\:PWD\=\/home\/centos ; USER\=root ; COMMAND\=\/bin\/rm -rf jmeter.log"1


Search QueryOutput
message.keyword: *PWD\=\/home\/centos*1


Search QueryOutput
message: (centos && user && command)1