DQL & Data Access › Module 8 · 2 min read · 9/21

Log Viewer → DQL Log Queries

Gen2 had a dedicated Log Viewer with point-and-click filtering. Gen3 replaces it with DQL queries in Notebooks or Dashboards: more powerful, but it requires knowing the query syntax.

Key Field Names

Field                           Description                      ⚠️ Common Mistake
──────────────────────────────  ───────────────────────────────  ────────────────────────
content                         Log message body                 NOT "message" or "body"
loglevel                        Severity (ERROR, WARN, INFO)     NOT "log.level"
timestamp                       When the log was created
dt.process_group.detected_name  Process group name
dt.entity.host                  Host entity ID

Common Log Queries

// Find error logs (replaces Log Viewer filter)
fetch logs, from:now() - 1h
| filter loglevel == "ERROR"
| fields timestamp, content, dt.process_group.detected_name
| sort timestamp desc
| limit 100

// Search for a keyword (replaces Log Viewer search)
fetch logs, from:now() - 1h
| filter contains(content, "connection timeout")
| fields timestamp, content, loglevel

// Error rate over time (replaces Log Viewer chart)
fetch logs, from:now() - 4h
| summarize total = count(), errors = countIf(loglevel == "ERROR"),
    by:{time_bucket = bin(timestamp, 15m)}
| fieldsAdd error_rate = (errors * 100.0) / total
| sort time_bucket asc

// Top error messages
fetch logs, from:now() - 24h
| filter loglevel == "ERROR"
| summarize error_count = count(), by:{content}
| sort error_count desc
| limit 20

🛠 Try it

Write a DQL query that calculates the error rate per 15-minute bucket over the last 2 hours.

JSON Log Parsing

Many apps emit JSON logs. Use parse to extract fields:

fetch logs, from:now() - 1h
| filter loglevel == "ERROR"
| parse content, "JSON:log"
| fieldsAdd message = log[msg], error = log[error], level = log[level]
| fields timestamp, level, message, error
| sort timestamp desc

Pattern Detection

fetch logs, from:now() - 2h
| filter loglevel == "ERROR"
| fieldsAdd
    has_exception = if(matchesPhrase(content, "exception"), true, else: false),
    has_timeout = if(matchesPhrase(content, "timeout"), true, else: false),
    has_oom = if(matchesPhrase(content, "OutOfMemory"), true, else: false)
| summarize count(),
    exceptions = countIf(has_exception == true),
    timeouts = countIf(has_timeout == true),
    ooms = countIf(has_oom == true),
    by:{dt.process_group.detected_name}
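As an added illustration, not part of this module and not Dynatrace code, the Python below reproduces offline what the JSON Log Parsing, error-rate-over-time and Pattern Detection queries above compute, run over a handful of constructed log records shaped like the fields in the table (timestamp, loglevel, content, dt.process_group.detected_name). The 15-minute flooring stands in for bin(), the JSON decode for parse "JSON:log", and plain case-insensitive substring matching for matchesPhrase; all three are approximations of the DQL functions, and every record is made up for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (not real logs). "content" carries a JSON body,
# as many applications emit; the last record is deliberately not JSON.
SAMPLE_LOGS = [
    {"timestamp": "2024-01-15T10:02:00Z", "loglevel": "INFO",
     "dt.process_group.detected_name": "checkout-api",
     "content": '{"msg": "order placed", "level": "info"}'},
    {"timestamp": "2024-01-15T10:05:00Z", "loglevel": "ERROR",
     "dt.process_group.detected_name": "checkout-api",
     "content": '{"msg": "connection timeout to payments", "level": "error", "error": "ConnectTimeout"}'},
    {"timestamp": "2024-01-15T10:12:00Z", "loglevel": "ERROR",
     "dt.process_group.detected_name": "checkout-api",
     "content": '{"msg": "unhandled exception in handler", "level": "error", "error": "NullPointerException"}'},
    {"timestamp": "2024-01-15T10:20:00Z", "loglevel": "INFO",
     "dt.process_group.detected_name": "inventory-svc",
     "content": '{"msg": "stock refreshed", "level": "info"}'},
    {"timestamp": "2024-01-15T10:25:00Z", "loglevel": "ERROR",
     "dt.process_group.detected_name": "inventory-svc",
     "content": '{"msg": "java.lang.OutOfMemoryError: Java heap space", "level": "error", "error": "OutOfMemoryError"}'},
    {"timestamp": "2024-01-15T10:28:00Z", "loglevel": "WARN",
     "dt.process_group.detected_name": "inventory-svc",
     "content": "plain text line, not JSON"},
]

# Phrases from the Pattern Detection query, keyed by the result column name.
PATTERNS = {"exceptions": "exception", "timeouts": "timeout", "ooms": "OutOfMemory"}


def parse_json_content(record):
    """Stand-in for `parse content, "JSON:log"`: the body as a dict, or None
    when the content is not a JSON object (DQL leaves the field null)."""
    try:
        body = json.loads(record["content"])
    except (ValueError, TypeError):
        return None
    return body if isinstance(body, dict) else None


def json_error_view(records):
    """Stand-in for the JSON Log Parsing query: keep ERROR lines, parse the
    body, project timestamp/level/message/error, newest first."""
    rows = []
    for r in records:
        if r["loglevel"] != "ERROR":
            continue
        log = parse_json_content(r) or {}
        rows.append({"timestamp": r["timestamp"], "level": log.get("level"),
                     "message": log.get("msg"), "error": log.get("error")})
    rows.sort(key=lambda row: row["timestamp"], reverse=True)
    return rows


def bin_timestamp(ts, minutes=15):
    """Stand-in for bin(timestamp, 15m): floor to the start of the bucket."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.replace(minute=(t.minute // minutes) * minutes, second=0, microsecond=0)


def error_rate_by_bucket(records, minutes=15):
    """Stand-in for the error-rate-over-time query. Returns a list of
    (bucket_iso, total, errors, error_rate_percent) sorted by bucket."""
    totals, errors = defaultdict(int), defaultdict(int)
    for r in records:
        b = bin_timestamp(r["timestamp"], minutes)
        totals[b] += 1
        if r["loglevel"] == "ERROR":
            errors[b] += 1
    return [(b.strftime("%Y-%m-%dT%H:%M:%SZ"), totals[b], errors[b],
             errors[b] * 100.0 / totals[b]) for b in sorted(totals)]


def pattern_counts_by_process_group(records):
    """Stand-in for the Pattern Detection query: per process group, the number
    of ERROR lines and how many contain each phrase (case-insensitive substring
    match here, an approximation of matchesPhrase)."""
    out = {}
    for r in records:
        if r["loglevel"] != "ERROR":
            continue
        pg = r["dt.process_group.detected_name"]
        row = out.setdefault(pg, {"count": 0, **{name: 0 for name in PATTERNS}})
        row["count"] += 1
        text = r["content"].lower()
        for name, phrase in PATTERNS.items():
            if phrase.lower() in text:
                row[name] += 1
    return out


if __name__ == "__main__":
    for row in error_rate_by_bucket(SAMPLE_LOGS):
        print("bucket=%s total=%d errors=%d error_rate=%.1f%%" % row)
    print(pattern_counts_by_process_group(SAMPLE_LOGS))
    for row in json_error_view(SAMPLE_LOGS):
        print(row)
```

Running it shows two buckets (10:00 with 2 of 3 lines in error, 10:15 with 1 of 3), checkout-api flagged for one exception and one timeout, and inventory-svc flagged for one OutOfMemory; the non-JSON WARN line is dropped by the level filter before parsing, and a non-JSON ERROR line would surface with empty message/error fields rather than failing the query.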