Viewing the logs for an alert on the Log viewer
Summary of Viewing the logs for an alert on the Log viewer
The Log viewer in the Service Operations Workspace allows you to efficiently browse and analyze logs related to alerts. You can filter logs by timestamp, search for specific log texts, and visualize anomaly occurrences over designated time periods. This tool is essential for identifying key metrics and defining Log Analytics alert rules based on the log data.
Key Features
- Log Analysis: View logs with a chart displaying the frequency of anomalous log lines surrounding a Log Analytics alert.
- Customizable Display: Personalize your Log viewer by filtering results and customizing the displayed columns to focus on relevant data.
- Search Optimization: Modify and save search queries to enhance log analysis and better understand alert causes.
- Alert Definition: Identify relationships in log data to establish types of alerts that should be triggered.
Key Outcomes
By using the Log viewer, you can gain insights into alert-related logs, customize your data view, and create effective alert rules. The ability to filter and save searches enables a more focused analysis, leading to improved IT operations management and quicker resolution of incidents.
The Log viewer in the Service Operations Workspace enables you to browse the logs by timestamp or time range, to search for particular log text, and to visualize the frequency of anomaly occurrences in a particular time period. If you discover an important metric in the log data, you can use it to define a Log Analytics alert rule.
The Log viewer displays a chart of the frequency of anomalous log lines from one minute before to one minute after the Log Analytics alert. In addition, the viewer lists the associated log lines.
| Column | Description |
|---|---|
| Time | Timestamp of the log line in the format that the source uses. If no value appears, then check the source type structure of the raw data. |
| Application service | Application service in which the metric was found. |
| Component | Logical component of the application service that generated the event. Multiple CIs can sometimes perform the same function. |
| Message | Inner message of the raw log line that contains the text of the system-generated log message regarding the nature of the occurrence. |
| Level | Type of event. The available values, in order of importance, are: |
| Host | Host identifier from the log line that consists of the hostname or IP address of the endpoint. |
| Log message | The raw log message without the header. |
- Filter search results on the Log viewer to show only the data you want to view.
- Customize the Log viewer table by adding or removing columns.
As you analyze the logs for an alert, you can modify the search query to fine-tune the search, and save useful searches. For more information, see Define, save, and share a search of log data.
If you discover important relationships in the log data, you can define the type of alert that the data should trigger. For more information, see Add a Log Analytics alert rule.