If you're collecting JSON logs, you can use the logreduce operator to analyze a single field instead of full raw messages. This avoids having LogReduce consider the repetitive headers and metadata in JSON logs. Make sure to choose a field that contains enough data for LogReduce to detect patterns; fields that output short value strings may not produce meaningful results.
All other LogReduce features can be used with the results of a LogReduce query run against a field.
Run LogReduce on JSON logs
- Choose the field you'll use to run logreduce.
- In the Search tab, run a search using the following syntax.
* | parse "[pattern]" as [fieldname] | logreduce field=[fieldname]
- Hit enter or click Start. Results appear in the Signatures tab. Do any of the following:
- Click the Messages tab to see the individual messages for all signatures combined.
- To see the messages grouped in a signature, select the check box for the signature, and then click View Details. A new Search tab opens with the messages displayed. You can check more than one box to see the results in time order in the new Search tab.
- To export the results, click the Export icon. Then click Download to save the file to your computer.
- To save the query as a LogCompare Saved Baseline, click the Save Baseline icon. Enter a Name for the baseline and then click Save.