Oracle Logging Analytics lets you select and run a recently used search. When you click the Search field or enter text in the Search field, Oracle Logging Analytics displays a list of recently used searches. This lets you quickly access recently used search commands. You can select any of the listed commands and click Run to execute the selected search command.

The Oracle Logging Analytics user interface enables you to formulate your Search query.

You can use the following elements of the UI to formulate your Search query:

• Search bar: Your search query is displayed here. You can directly edit the text in this field to further refine your search results.

  The search bar grows or shrinks based on the number of lines added to the query. It can have a maximum of 21 lines and a minimum of 1 line. Some of the custom shortcuts available are:

  • Ctrl + i: Indent every line of text present in the editor. Note that the uppercase I opens the debugger.
  • Ctrl + Enter: Execute the query displayed in the editor
  • Ctrl + Space: Display the auto-complete list of options based on the cursor position
  • Ctrl + Z: Undo the last edit
  • Ctrl + Y: Redo the last edit
  • Ctrl + D: Delete current line

  Note: Do not use the SHIFT key unless specified.

  Position the cursor in the open or closing brackets to view the matching element highlighted. The elements that can be highlighted are ( ) and [ ].

  The search bar supports two different themes, color and gray-scale. You can change the themes dynamically by changing the option in the help pop-up.

• Field: The Field panel is divided into the following sections:

  • The Pinned attributes let you filter log data based on:

    • Log sources, such as database logs, Oracle WebLogic Server logs, and so on.

    • Log entities, which are the actual log file names.

    • Labels, which are tags added to log entries when log entries match specific defined conditions.

    • Upload names of log data uploaded on demand.

    By default, the entities and collection details are available in the Pinned bucket of the Fields panel for filtering. You can pin additional fields to the Pinned bucket depending on your usage. Once pinned, the fields are moved to the Pinned bucket. You can unpin any field and remove it from the Pinned bucket and move it back to the Interesting or Other bucket.

  • Based on your search and queries, Oracle Log Analytics automatically adds fields to the Interesting bucket for your quick reference. You can pin a field that’s available under Interesting bucket. The pinned field then gets moved to the Pinned bucket.

  • You can pin any field in the Other bucket and move it to the Pinned bucket. If you use a field from the Other bucket in your search or query, then it’s moved to the Interesting bucket.

    The selected options are automatically added to the query in the Search bar.

• Visualize: In this pane, you can select how you would prefer to view the search results. In the Group by field, you can decide what metrics to group the results by.

• Save: Use this button to save the search query that is currently in the Search field, to be run at a later time.

• Open: Use this button to view previously saved search queries. You can run these queries and get current results, or you can use these queries to create dashboards.

• New: Use this button to start a new search query.

• Export: Use this button to export the result of the current search query in a file of the Comma-seperated Values(CSV) or JavaScript Object Notation(JSON) format.

• Run: Use this button to run the query which is currently in the Search field.

• Time Selector: Use the Time Selector to specify the time period.

• Visualization Pane: The results of the search query are displayed in this pane. The filtered information in this pane loads when the query in the Search field is run. By clicking on any area in the chart in the visualization pane, you can drill down into the search query and update it.

String queries can include keywords and phrases. A keyword is a single word (for example, database), while a phrase refers to multiple words, enclosed in single (‘ ‘) or double (“ “) quotes (for example, ‘database connection’). If you specify a keyword or a phrase in your query, then all log entries containing the specified keyword or phrase are returned after the query is run.

The Oracle Logging Analytics search language also supports special pattern mapping. In other words, you can use wildcard characters, such as asterisk (*), question mark (?), and percentage (%), to complete keywords.

The following table lists the supported wildcard characters and provides a brief description of each.

You can specify multiple keywords. For example, database and connection. Logs containing the words database and connection (but not necessarily together) are returned. However, these words need not necessarily occur consecutively. However, by enclosing the words in quotes and including them in the query string as a phrase (‘database connection’, for example), then only those logs containing the phrase ‘database connection’ are returned. To see how to use multiple keywords, see Use Boolean Expressions.

When specifying a keyword or phrase, remember the following:

• Keywords and phrase strings are not case-sensitive.

• Keywords which are not enclosed within quotes must contain only alphanumeric characters, underscore (_), and wildcard characters (*, %, and ?).

• Keyword searches where the substring could be interpreted as a separate directive should be specific within quotes. For example, to search for the string and, you will have to enter it within single quotes (‘and’) to prevent the system from picking up its Boolean meaning.

ORA-* AND message LIKE 'connection* error*'

ORA-* AND message LIKE IN ('tablesp*','connection* error*')

Comparison operators are conditions you specify to establish a relationship between a field and its value. Fields without values are considered to be null.

The following table lists the supported comparison operators and provides a brief description of each.

Use these operators to find logs with fields having specific values. For example, specify Severity=’ERROR’ to search through the available logs where the value of the field Severity is ERROR. Similarly, Severity!=NULL returns all logs where the value of the Severity field is not null (in other words, where severity has been specified).

The Oracle Logging Analytics Search feature has the capabilities of LIKE and REGEX, as per standard conventions. Boolean Expressions can have a value of either true or false.

The following table lists the supported Boolean Expressions, along with a brief description of each.

The Oracle Logging Analytics Search language supports nesting Boolean expressions within other Boolean expressions. For example, consider the following query:

fatal ('order' OR host LIKE '*.oracle.com')

Running this query returns all logs which contain fatal and either contain the keyword order or originated from a host whose name ends with .oracle.com.

You can use the Oracle Logging Analytics user interface to formulate your Search query.

By default, the query * | stats count by ‘log source’ is specified in the Search field.

Typically, the time range that you select in the Log Explorer is not included in the query string. You can specify the time range in your query by using the absolute time or relative time modifier in the search command.

Some examples where a time range can be specified in the query:

• Return all ORA-600 error logs discovered in the last 24 hours:

  Message like 'ORA-600%' and time > dateRelative(24h)

• Return the count of logs for host target myHost over the past 90 days:

  'Host Name (Server)' = myHost and Time > dateRelative(90day) | stats count as 'Num Host Logs'

time between '2014-07-15T16:24:51.000Z' and '2014-07-17T18:14:16.000Z'

time between toDate('2014-07-12', 'yyyy-MM-dd') and toDate('2014-07-15', 'yyyy-MM-dd')

time between * AND dateRelative(12h)

time > dateRelative(12h)

time > dateRelative(30min, hour)

time < dateAdd(toDate('2014-07-22', 'yyyy-MM-dd'), day, -10)

time > dateSet(toDate('2015-08-10', 'yyyy-MM-dd'), year, 2010, month, 6)

Sub-queries allow the child query to provide a dynamic filter to its parent queries. Sub-queries are evaluated first, and the result is then used in the parent query.

• You can nest sub-queries inside one another as well as a particular query having multiple sub-queries at the same level.
• Sub-queries by default inherit the global time range, but you can override it using the time between T1 and T2 syntax, if required.
• Sub-queries are restricted to return only the first 2000 matches as input to its parent. Other results are truncated.
• They have a maximum timeout of 30 seconds to complete.
• All of the fields returned by a sub-query must match the fields in the parent query by name. Otherwise, it will result in an error.
• You can use sub-queries only inside a search command.
• You can use all the commands inside a sub-query except cluster, clustersplit, clustercompare, fieldsummary, delete, classify, highlight, and highlightrows.

Examples:

• Chart the traffic from the IP blacklist over time:

  [searchlookup table=ip_blacklist | distinct ip | rename ip as 'host address'] | timestats count

• List the most purchased products for the top users of an e-commerce site:

  'Log Source'='WLS Access Logs' status=200 action=purchase ['Log Source'='WLS Access Logs' status=200 action=purchase | stats count by 'Host (Client Address)' | top limit=1 'Host(Client Address)' | fields -*, 'Host (Client Address)'] | lookup table=products select 'product name' using productid | stats count, distinctcount(productId), unique('product name') by 'Host (Client Address)'

• Find Top 4 OS Process IDs with highest sum:

  [ *|stats sum('OS Process ID') as OSprocessidSum by 'OS Process ID' | top 4 OSprocessidSum | fields -OSprocessidSum ] | stats count by 'OS Process ID', 'Log Source', 'Host Name(Server)'

• Show all the logs from the target with the most fatal severity logs:

  * and [ Severity = fatal | stats count by Target | top limit = 1 Count | fields -Count]