Administration Guide

Explore logs

A log query has two main components:

  • a log stream selector; and
  • a search expression.

Choosing a log stream

Choose a log stream by clicking the Log labels button next to the search bar, and select from the available log streams in your time range (the default time range is Last 1 hour).

Only labels that have at least one log line in the selected time range appear in the label list; if the stream you expect is missing, widen the time range before assuming the logs were never ingested.

Entering a search expression

You can start a search query by using the search field’s autocomplete feature. Enter a curly bracket { in the search field to see a suggested list of labels. You can browse through the suggested labels with your cursor or arrow keys and press the Tab key to select a label. Press the Enter key to execute the query.

The log stream selector is wrapped inside curly braces {} and contains one or more label key/value pairs. Separate multiple labels with commas; a stream must match every label in the selector, for example:

{app_fortidata_name="ingestion-server", host="blade-10-0-1-10"}

This example selects the ingestion-server log on host blade-10-0-1-10.

After you choose a selector, you can append a search expression (a LogQL line filter) to narrow the results further. The filter value is either a literal string or a regular expression, for example:

{app_fortidata_name="data-server"} |= "ERROR"

{app_fortidata_name="ingestion-server"} |~ "Starting.*engine"

{host="blade-10-0-1-10"} != "INFO"

You can chain several filters after one selector. They are applied left to right, and a log line is returned only if it satisfies all of them. For example, the following query returns ingestion-server lines that contain ERROR but not timeout:

{app_fortidata_name="ingestion-server"} |= "ERROR" != "timeout"

Supported line filter operators:

  • |= line contains the string.
  • != line does not contain the string.
  • |~ line matches the regular expression.
  • !~ line does not match the regular expression.

String filters are case-sensitive, and regular expressions use Go RE2 syntax (no lookaround or backreferences). To match regardless of case, use a regex filter with an inline flag, for example |~ "(?i)error".

For more details, refer to the Loki query language (LogQL) documentation.
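The following is an added example, not code from the FortiData product or from Loki. It is a small Python evaluator for the LogQL subset described above (label selector plus chained line filters) run over a few constructed log streams, so you can see how the selector picks streams and how each filter in the chain narrows the result. The stream data, the run_query helper and its parser are assumptions for illustration; the matching semantics follow Loki's documented behaviour (label regex matchers are fully anchored, line filters are case-sensitive and applied left to right).

```python
"""Toy evaluator for the LogQL subset on this page: {selector} plus |=, !=, |~, !~ line filters.
Added example; not part of FortiData or Loki. Sample streams below are constructed."""
import re

# Constructed sample streams: tuple of (label, value) pairs -> log lines in that stream.
SAMPLE_STREAMS = {
    (("app_fortidata_name", "ingestion-server"), ("host", "blade-10-0-1-10")): [
        "2024-01-01T10:00:00Z INFO Starting ingestion engine",
        "2024-01-01T10:00:05Z ERROR upstream timeout after 30s",
        "2024-01-01T10:00:07Z ERROR failed to parse record 42",
    ],
    (("app_fortidata_name", "data-server"), ("host", "blade-10-0-1-11")): [
        "2024-01-01T10:00:01Z INFO ready",
        "2024-01-01T10:00:09Z ERROR query rejected: permission denied",
    ],
}

SELECTOR_RE = re.compile(r'^\s*\{([^}]*)\}')
# Label matchers: =, !=, =~, !~ (longer operators listed first so "=~" is not read as "=").
LABEL_RE = re.compile(r'\s*(\w+)\s*(=~|!~|!=|=)\s*"([^"]*)"\s*')
# Line filters: |=, !=, |~, !~ followed by a double-quoted value (no escape handling in this toy).
FILTER_RE = re.compile(r'\s*(\|=|!=|\|~|!~)\s*"([^"]*)"')


def parse_query(query):
    """Split a query into (label matchers, line filters); raises ValueError on unsupported syntax."""
    m = SELECTOR_RE.match(query)
    if not m:
        raise ValueError('query must start with a {label="value", ...} selector')
    matchers = []
    for part in m.group(1).split(","):  # label values containing commas are not supported here
        lm = LABEL_RE.fullmatch(part)
        if not lm:
            raise ValueError(f"bad label matcher: {part.strip()!r}")
        matchers.append(lm.groups())
    filters, rest, pos = [], query[m.end():], 0
    while pos < len(rest):
        fm = FILTER_RE.match(rest, pos)
        if not fm:
            if rest[pos:].strip():
                raise ValueError(f"unsupported trailing text: {rest[pos:].strip()!r}")
            break
        op, val = fm.groups()
        # Loki compiles these with Go's RE2 engine; Python's re accepts the same patterns used here.
        filters.append((op, re.compile(val) if op in ("|~", "!~") else val))
        pos = fm.end()
    return matchers, filters


def label_matches(labels, matchers):
    """True if a stream's labels satisfy every matcher. Regex matchers are anchored, as in Loki."""
    for key, op, val in matchers:
        actual = labels.get(key, "")
        if op == "=" and actual != val:
            return False
        if op == "!=" and actual == val:
            return False
        if op == "=~" and not re.fullmatch(val, actual):
            return False
        if op == "!~" and re.fullmatch(val, actual):
            return False
    return True


def line_passes(line, filters):
    """Apply chained line filters left to right; the line must satisfy all of them."""
    for op, val in filters:
        if op == "|=" and val not in line:          # substring, case-sensitive
            return False
        if op == "!=" and val in line:
            return False
        if op == "|~" and not val.search(line):     # unanchored regex, like Loki's line filter
            return False
        if op == "!~" and val.search(line):
            return False
    return True


def run_query(query, streams=SAMPLE_STREAMS):
    """Return the lines of every stream whose labels match the selector, after line filtering."""
    matchers, filters = parse_query(query)
    results = []
    for label_pairs, lines in streams.items():
        if label_matches(dict(label_pairs), matchers):
            results.extend(line for line in lines if line_passes(line, filters))
    return results


if __name__ == "__main__":
    for q in ('{app_fortidata_name="ingestion-server"} |= "ERROR" != "timeout"',
              '{host="blade-10-0-1-10"} != "INFO"',
              '{app_fortidata_name="data-server"} |= "error"',      # case-sensitive: no hits
              '{app_fortidata_name="data-server"} |~ "(?i)error"'):  # inline flag: one hit
        print(q)
        for line in run_query(q):
            print("   ", line)
```

The last two queries in the usage block show the case-sensitivity caveat: a lowercase |= "error" returns nothing against lines that log ERROR, while the regex filter with (?i) does. Run the real thing against Loki rather than this toy when you need exact behaviour for escapes, pipeline stages, or label values containing commas, none of which the toy parser handles.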

Log query results

After you run a query, the results are presented as a list of log rows, a bar graph, or both. In the bar graph, time is on the x-axis and the log count per interval is on the y-axis. You can click and drag across the bar graph to narrow the time range to the selected interval.

You can also click the Live button to enter Live Tailing mode and watch new log lines as they arrive in real time.

If you use a search expression, you can see the surrounding log lines for each filtered result: hover your mouse over the result and click its Show Context link.

When you click Show Context, a new window opens showing the lines logged immediately before and after that result, which is useful for reconstructing what happened around an error without loosening the filter.
