Main Table
The groups table displays the result of the analysis by listing the groups and the corresponding values for the following default fields:
More Topics:
| Column | Details |
|---|---|
|
Field (s) |
The field that’s used to analyze the group |
|
Count |
The number of log records in the group |
|
Start Time |
The start of the time period for which the logs are considered for the analysis |
|
End Time |
The end of the time period for which the logs are considered for the analysis |
|
Group Duration |
The duration of the log event for the group |
Add URLs to Link Table
You can create links using the url function of the
eval command.
Additional Topics:
In the following query, the values for Search 1, Search
2, and Search 3 are assigned URLs:
'Log Source' = 'Database Alert Logs'
| link cluster()
| where 'Potential Issue' = '1'
| nlp keywords('Cluster Sample') as 'Database Error'
| eval 'Search 1' = url('https://www.google.com/search?q=' || 'Database Error')
| eval 'Search 2' = url('https://www.google.com/search?q=' || 'Database Error', Errors)
| eval 'Search 3' = url(google, 'Database Error')
In the above analysis:
-
Search 1,Search 2, andSearch 3are now clickable Fields. Click the link to view the search results for those keywords. -
Search 2does not display the entire URL. Instead, the second parameter in theurlfunction is used to give the URL a different name, for example,Errors. -
Search 3is similar toSearch 1, but the short-cutgoogleis used to generate the URL. Instead of using the whole URL, you can use similar short-cuts.
Use URL Short-Cut with Custom Name
Consider the following example where a name is provided for the short-cut:
'Log Source' = 'Database Alert Logs'
| link cluster()
| where 'Potential Issue' = '1'
| nlp keywords('Cluster Sample') as 'Database Error'
| eval 'Search 1' = url('https://www.google.com/search?q=' || 'Database Error')
| eval 'Search 2' = url('https://www.google.com/search?q=' || 'Database Error', Errors)
| eval 'Search 3' = url(google, 'Database Error')
| eval 'Search 4' = url(google, 'Search Using Google', 'Database Error')
| eval 'Search 5' = url(duckduckgo, 'Search Using DuckDuckGo', 'Database Error')
In the above example, Search 4 is similar to Search
3 but only differs in the name given to the short-cut in Search
4. The short-cut google has the name Search
Using Google which is displayed in the table. In Search
5, the short-cut duckduckgo has the name
Search Using DuckDuckGo which is displayed in the table. For a
full list of Oracle-defined short-cuts available with the url
function, see Oracle-Defined url Short-Cuts.
Use the CVE Short-cut to Link to CVE Databases
Use the cve short-cut in the url function to create a link to
the CVE repository.
'Log Source' like '%Access Logs%'
| link 'Client Host Continent'
| addfields [ jndi | stats count as 'JNDI Count' ],
[ URI like '%context.get(%com.opensymphony.xwork2.dispatcher.httpservletresponse%' | stats count as 'GetContext Count' ]
| eval 'Threat ID' = if('JNDI Count' > 0, 'CVE-2021-44228',
'GetContext Count' > 0, 'CVE-2013-2251',
null)
| eval Description = if('JNDI Count' > 0, 'Log4j Vulnerability - ' || 'Threat ID',
'GetContext Count' > 0, 'Struts Exploit - ' || 'Threat ID',
null)
| eval CVE = url(cve, Description, 'Threat ID')
| fields -'Threat ID', -Description, -'JNDI Count', -'GetContext Count'
In the above example, the CVE column links to the CVE repository for the value of each Client Host Continent from the Access Logs.
Use the OCID Shortcut to Automatically Link to OCI Resources
Use the ocid short-cut in the url() function to create a link to a relevant page to OCI. If the resource has a specific page, then the URL would point to the direct link. Otherwise the URL would point to the Resource Query Service results for that OCID.
'Log Source' = 'OCI Audit Logs' and 'Resource ID' like 'ocid%' and
'Resource ID' not like in ('%managementsavedsearch%', '%managementdashboard%', '%organizationsentity%', '%coreservicesworkrequest%')
| eval 'Resource Type' = substr('Resource ID', 6, indexOf('Resource ID', '.', 6))
| link 'Resource Type'
| stats earliest('Resource ID') as 'Resource ID'
| eval 'OCI Resource' = url(ocid, 'Resource ID')
| sort 'Resource Type'
| fields -'Start Time', -'End Time', -Count, -'Resource ID'
In the above example, the OCID of each OCI resource type is picked up from the OCI Audit Logs.
Hide, Show, or Order the Table Columns
Use the fields target = ui command to control the fields
that should be hidden or shown in the link groups table. You can also use this command to
control the order of the fields.
Here are a few examples:
Hide all the Time fields, order the table as Size,
Log Source, Count:
* | eval 'Raw Size' = unit('Raw Size', byte)
| link 'Log Source'
| stats sum('Raw Size') as Size
| fields target = ui -'*Time', Size, 'Log Source', CountSame as above, but using multiple fields commands:
* | eval 'Raw Size' = unit('Raw Size', byte)
| link 'Log Source'
| stats sum('Raw Size') as Size
| fields target = ui -'*Time'
| fields target = ui Size, 'Log Source', Count Combination of fields and fields target = ui
(fields without target = ui performs filtering
in the backend):
* | eval 'Raw Size' = unit('Raw Size', byte)
| link 'Log Source'
| stats sum('Raw Size') as Size
| fields -'*Time'
| fields target = ui Size, 'Log Source', Count Change the Group Alias
Each row in the link table corresponds to a Group. You can change the alias for Group, Groups, and Log Records tabs.
In the Options menu, modify the Group Alias, Groups Alias, and Log Records Alias values.
The Group Alias is used when there is only one item in the main table.
Join Multiple Groups Using the Map Command
Use map command to join multiple sub-groups from the
existing linked Groups. This is useful to assign a Session ID for related events, or
to correlate events across different servers or log sources.
For example, the below query joins Out of Memory events with other events that are within 30 minutes, and colors these groups to highlight a context for the Out of Memory outage:
* | link Server, Label
| createView [ * | where Label = 'Out of Memory'
| rename Entity as 'OOM Server', 'Start Time' as 'OOM Begin Time' ] as 'Out of Memory Events'
| sort Entity, 'Start Time'
| map [ * | where Label != 'Out of Memory' and Server = 'OOM Server' and
'Start Time' >= dateAdd('OOM Begin Time', minute,-30) and 'Start Time' <= 'OOM Begin Time'
| eval Context = Yes
] using 'Out of Memory Events'
| highlightgroups color = yellow [ * | where Context = Yes ] as '30 Minutes before Out of Memory'
| highlightgroups priority = high [ * | where Label = 'Out of Memory' ] as 'Server Out of Memory'
See map.
Create Sub-Groups Using the Createview Command
Use createview command to create sub-groups from the
existing linked groups. This can be used in conjunction with the map
command to join groups.
For example, you can group all the Out of Memory errors using the following command:
* | link Entity, Label
| createView [ * | where Label = 'Out of Memory' ] as 'Out of Memory Events'See createview.
Search and Highlight Link Groups
Use highlightgroups command to search one or more columns
in the Link results and highlight specific groups. You can optionally assign a priority to
the highlighted regions. The priority would be used to color the regions. You can also
explicitly specify a color.
For example:
*
| link Label
| highlightgroups priority = medium [ * | where Label in ('Log Writer Switch', 'Checkpoint Wait') ]
| highlightgroups priority = high [ * | where Label = 'Service Stopped' ] as Shutdown
| highlightgroups color = #68C182 [ * | where Label = 'Service Started' ] as Startup
See highlightgroups.
Optionally, you can merge the highlighted columns to create a single column:
