IBM Operations Analytics - Log Analysis, Version 1.3.2

Searching data

You can search ingested data such as log files for keywords. Search results are displayed in a timeline and a table format.

Before you begin

Before you can search, you must define a data source and ensure that the log file is configured for consumption, or load the sample data.

Procedure

  1. From the Search workspace, click the New Search or Add Search tab to open a new search table. Enter the search query.
  2. Optional: You can filter data sources by name, description, host name, log path, or tags, or enter * to do a wildcard search. To limit the extent of the search to an individual data source and any descendant data sources, select a leaf node from the Data Sources tree (the Data Sources tree icon is displayed near the Search field in the Search workspace).
  3. In the Time Filter pane, click the Time Filter list and select the time period for which you want to search. Select Custom to specify a start time and date, and an end time and date for your search.
  4. In the Search field, type the string for which you want to search in the log files. To view distribution information for all logs, in the Search field, type the wildcard character (*).

    To search for a partial string, type an asterisk (*) at the start and end of your search string. For example, to search for strings that contain the phrase hostname, type *hostname*.

    To narrow your search based on a service topology, type the service topology component on which you want to base your search, followed by a colon (:), followed by your search string. For example, service:DayTrader.

  5. Click Search. The first search you perform after the IBM® Operations Analytics - Log Analysis processes have been restarted might take longer to complete than subsequent searches.

    The user interface refreshes every 10 seconds. The updated results are displayed in the progress bar.

    Maximum search results: By default, a search returns a maximum of 1000 records. This limit applies only to raw searches, not to facet queries. You can change it with the MAX_SEARCH_RESULTS property in the unitysetup.properties file (the default is MAX_SEARCH_RESULTS=1000). Do not set MAX_SEARCH_RESULTS to a high value: returning a large number of results degrades search performance.

Results

A graph displaying the distribution of matching events in the log is displayed. Log records containing a match for your search term are also displayed in Table view.

When you search for a specific term, the term is highlighted within the individual log records to facilitate faster analysis. If you search for a partial term, each term that contains the search phrase is highlighted. Fields that contain only tagged values, that is, values enclosed in angle brackets (<>), are not highlighted. If a field contains both tagged and untagged values, the tagged terms are removed and the remaining terms are highlighted as appropriate.

If your search spans data that is stored in the archive, IBM Operations Analytics - Log Analysis displays the initial results while it retrieves the rest of the data. You can interact with the initial search results while IBM Operations Analytics - Log Analysis generates the search results. The progress bar displays the search progress.

To display the latest results during the search, click We have more results for you. To stop the search, close the tab. To start another search while you are waiting for the first search to complete, click the Add Search tab.

What to do next

If you want to load data that contains tags and want to keep the tagging, you can disable highlighting. To disable highlighting:
  1. Open the unitysetup.properties file.
  2. Locate the ENABLE_KEYWORD_HIGHIGHTING property and set it to false.
  3. Save the file.
  4. To restart IBM Operations Analytics - Log Analysis run the following command from the <HOME>/IBM/LogAnalysis/utilities directory:
    ./unity.sh -restart
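The two property changes described on this page (lowering MAX_SEARCH_RESULTS and setting ENABLE_KEYWORD_HIGHIGHTING to false) done from a shell rather than by hand, as an added example that is not IBM's code: the key names are the ones printed on this page, the sample unitysetup.properties is constructed, and LA_HOME is an assumed variable standing for <HOME>/IBM/LogAnalysis. The edit keeps a backup and never produces a duplicate key, which matters because a second MAX_SEARCH_RESULTS= line further down the file would silently override the value you think you set.

```shell
#!/bin/sh
# Added example (not IBM's code): set a key in unitysetup.properties
# without duplicating it, back the file up first, and show the restart
# step. The sample file below is constructed; LA_HOME is an assumption.
set -eu

# set_property FILE KEY VALUE
# Replaces an existing KEY=... line in place, or appends one if the key
# is absent. Comments and other keys are passed through untouched.
set_property() {
  file=$1 key=$2 value=$3
  cp -p "$file" "$file.bak"          # keep a copy to roll back to
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    BEGIN { FS = "="; done = 0 }
    $1 == k { print k "=" v; done = 1; next }   # rewrite the matching line
    { print }                                    # pass everything else through
    END { if (!done) print k "=" v }             # append if never seen
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# get_property FILE KEY
# Prints the value of KEY (last occurrence wins; empty if absent).
get_property() {
  sed -n "s|^$2=||p" "$1" | tail -n 1
}

# Constructed sample holding the two properties discussed on this page.
work=$(mktemp -d)
props="$work/unitysetup.properties"
cat > "$props" <<'EOF'
# constructed sample, not a real unitysetup.properties
MAX_SEARCH_RESULTS=1000
ENABLE_KEYWORD_HIGHIGHTING=true
EOF

# Lower the raw-search cap: a high value degrades search performance.
set_property "$props" MAX_SEARCH_RESULTS 500
# Disable keyword highlighting so tagged (<...>) values are kept as ingested.
set_property "$props" ENABLE_KEYWORD_HIGHIGHTING false

printf 'MAX_SEARCH_RESULTS=%s\n' "$(get_property "$props" MAX_SEARCH_RESULTS)"
printf 'ENABLE_KEYWORD_HIGHIGHTING=%s\n' "$(get_property "$props" ENABLE_KEYWORD_HIGHIGHTING)"

# The change takes effect only after a restart. LA_HOME is an assumed
# variable pointing at <HOME>/IBM/LogAnalysis; not run in this demo.
# cd "$LA_HOME/utilities" && ./unity.sh -restart
```

Run it against the real file by replacing the constructed sample with the path to your unitysetup.properties, then perform the restart from the utilities directory as described above; the .bak copy lets you revert if search behaviour changes unexpectedly.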
