Analyzing logs with Chronograf

Warning! This page documents an old version of Chronograf, which is no longer actively developed. Chronograf v1.7 is the most recent stable version of Chronograf.

Chronograf gives you the ability to view, search, filter, visualize, and analyze log information from a variety of sources. This helps to recognize and diagnose patterns, then quickly dive into logged events that lead up to events.

Logging setup

Logs data is a first class citizen in InfluxDB and is populated using available log-related Telegraf input plugins:

syslog

Viewing logs in Chronograf

Chronograf has a dedicated log viewer accessed by clicking the “Log Viewer” button in the left navigation.

Log viewer in the left nav

The log viewer provides a detailed histogram showing the time-based distribution of log entries color-coded by log severity. It also includes a live stream of logs that can be searched, filtered, and paused to analyze specific time ranges. Logs are pulled from the syslog measurement. Other log inputs and alternate log measurement options will be available in future updates.

Chronograf log viewer

Searching and filtering logs

Logs are searched using keywords or regular expressions. They can also be filtered by clicking values in the log table such as severity or facility. Any tag values included with the log entry can be used as a filter.

Searching and filtering logs

Note: The log search field is case-sensitive.

To remove filters, click the × next to the tag key by which you no longer want to filter.

Selecting specific times

In the log viewer, you can select time ranges from which to view logs. By default, logs are streamed and displayed relative to “now,” but it is possible to view logs from a past window of time. Timeframe selection allows you to go to to a specific event and see logs both preceding and following that event. When viewing logs from a previous time window, first select the target time, then select the offset. The offset is used to define the upper and lower thresholds of the window from which logs are pulled.

Selecting time ranges

Configuring the log viewer

The log viewer can be customized to fit your specific needs. Open the log viewer configuration options by clicking the gear button in the top right corner of the log viewer.

Log viewer configuration options

Severity colors

Every log severity is assigned a color which is used in the display of log entries. To customize colors, select a color from the available color dropdown. Once done, click the “Save” button to apply the changes.

Table columns

Columns in the log viewer are auto-populated with all fields and tags associated with your log data. Each column can be reordered, renamed, and hidden or shown.

Severity format

“Severity Format” specifies how the severity of log entries is displayed in your log table. Below are the options and how they appear in the log table:

Severity Format Display
Dot Log serverity format 'Dot'
Dot + Text Log serverity format 'Dot + Text'
Text Log serverity format 'Text'

Logs in dashboards

An incredibly powerful way to analyze log data is by creating dashboards that include log data. This is possible by using the Table visualization type to display log data in your dashboard.

Correlating logs with other metrics

This type of visualization allows you to quickly identify anomalies in other metrics and see logs associated with those anomalies.