Analyzing log lines to identify the root cause of an alert
When Health Log Analytics identifies an anomaly, viewing the logs that surround the anomaly provides clues about the state of faulting systems. This information can help you to identify the root cause of an alert.
The Surrounding logs tab lists the log lines that were generated one minute before and one second after the anomaly occurred. The log lines are related to the metric or pattern that created the alert. The list is filtered to the relevant component.
Logs that surround the anomaly are retained and available for 30 days after the creation of the alert. The system does not delete these logs when the global retention period of logs expires. When the retention period expires, the surrounding logs are available only on the Surrounding logs tab and not in the Log viewer.
| Column | Description |
|---|---|
| Time | Timestamp of the log line in the format that the source uses. If no value appears, then check the source type structure of the raw data. |
| Application service | Service instance in which the metric was found. |
| Component | Logical component of the service instance that generated the event. Multiple CIs can sometimes perform the same function. |
| Message | Inner message of the raw log line that contains the text of the system-generated log message regarding the nature of the occurrence. |
| Level | Type of event. The available values, in order of importance, are: |
| Host | Host identifier from the log line that consists of the hostname or IP address of the endpoint. |
| Log message | The raw log message without the header. |
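
To reproduce the Surrounding logs window from exported log lines during an investigation, the following added example (not product code) selects one component's lines from one minute before to one second after an anomaly. The record keys reuse the column names above. The ISO 8601 time format, the inclusive window bounds, the function names, and all sample values are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Window described on this page: one minute before, one second after the anomaly.
BEFORE = timedelta(minutes=1)
AFTER = timedelta(seconds=1)

# Constructed sample records; the time format and every value are assumptions.
SAMPLE = [
    {"Time": "2024-05-01T10:14:58Z", "Component": "db", "Host": "host-a", "Message": "checkpoint complete"},
    {"Time": "2024-05-01T10:15:31Z", "Component": "db", "Host": "host-a", "Message": "connection pool at 90%"},
    {"Time": "2024-05-01T10:15:40Z", "Component": "web", "Host": "host-b", "Message": "GET /health 200"},
    {"Time": "2024-05-01T10:15:59Z", "Component": "db", "Host": "host-a", "Message": "connection pool exhausted"},
    {"Time": "2024-05-01T10:16:01Z", "Component": "db", "Host": "host-a", "Message": "query timeout"},
    {"Time": "2024-05-01T10:16:03Z", "Component": "db", "Host": "host-a", "Message": "restart requested"},
    {"Time": "", "Component": "db", "Host": "host-a", "Message": "stack trace continuation"},
]

def parse_time(value):
    """Return a datetime, or None when the Time column is empty or unparseable."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        return None

def surrounding_logs(records, anomaly_time, component):
    """Split one component's records into in-window lines and lines with no usable time."""
    start, end = anomaly_time - BEFORE, anomaly_time + AFTER
    in_window, untimed = [], []
    for rec in records:
        if rec.get("Component") != component:
            continue  # the list is filtered to the relevant component
        ts = parse_time(rec.get("Time"))
        if ts is None:
            untimed.append(rec)  # cannot be placed relative to the anomaly
        elif start <= ts <= end:  # inclusive bounds are an assumption
            in_window.append((ts, rec))
    in_window.sort(key=lambda pair: pair[0])
    return [rec for _, rec in in_window], untimed

if __name__ == "__main__":
    anomaly = datetime(2024, 5, 1, 10, 16, 0)  # constructed anomaly time
    window, untimed = surrounding_logs(SAMPLE, anomaly, "db")
    for rec in window:
        print(rec["Time"], rec["Host"], rec["Message"])
    print(f"{len(untimed)} line(s) without a usable Time value")
```

Lines returned in the second list have no usable Time value and need a manual look, since they cannot be ordered against the anomaly.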