Group logs by fields using log aggregation — Splunk Observability Cloud documentation (2024)

Aggregate log records 🔗

To perform an aggregation, follow these steps:

1. Find the aggregations control bar. Log Observer Connect has no default aggregation. Log Observer defaults to Group by: severity. This default corresponds to the following aggregation controls settings:

   • COUNT

   • All(*)

     See Also

     Using 'group by' For Multiple Fields in Splunk | Open Source Observability Platform for Logs, Metrics, Traces, and More – Your Ultimate Dashboard for Alerts and Insightstable - Splunk DocumentationHow to group by in Splunk? - Hello CodeWhat is a DBMS (Database Management System)? | Splunk

   • Group by: severity

2. To change the field to group by, type the field name in the Group by text box and press Enter. The aggregations control bar also has these features:

   • When you click in the text box, Log Observer displays a drop-down list containing all the fields available in the log records.

   • The text box does auto-search. To find a field, start typing its name.

   • To select a field in the list, click its name.

   • When searching for a field to group by, you can only view 50 fields at a time. Continue typing to see a more and more specific list of fields to choose from.

3. To change the calculation you want to apply to each group, follow these steps:

   1. Select the type of statistic from the calculation control. For example, to calculate a mean value, selectAVG.

   2. Choose the field for the statistic by typing its name in the calculation field control text box. Thetext box does auto-search, so start typing to find matching field names.

4. To perform the aggregation, click Apply.

Whenever you use a field for grouping or calculation, the results shown in the Timeline histogram and Logs table include only logs containing that field. Logs are implicitly filtered by the field you group by, ensuring that calculations are not impacted by logs that do not contain the field you used.

Example 1: Identify problems by aggregating severity by service name 🔗

One way you can discover potential problems is to find services that are generatinga high number of severe errors. To find these services, group log records byservice name and count all the records. Services with problems appear as groupswith many records that have a severity value of ERROR.

To apply this aggregation, follow these steps:

1. Using the calculation control, set the calculation type by selecting COUNT.

2. Using the calculation field control, set the calculation field to All(*).

3. Using the Group by text box, set the field to group by to service.name.

4. Click Apply. The Timeline histogram displays a count of logs by all your services asstacked columns, in which each severity value has a different color. The histogram legendidentifies the color of each severity.

Example 2: Identify problems by aggregating response time by request path 🔗

Longer than expected service response might indicate a problem with the serviceor other part of the host on which it runs. To identify services thatare responding more slowly than expected, group log events by http.req.path,a field that uniquely identifies each service. For each group, calculate the meanof the response time field http.resp.took_ms.

To apply this aggregation, follow these steps:

1. Using the calculation control, set calculation type to AVG.

2. Using the calculation field control, set the field to http.resp.took_ms

3. Using the Group by text box, set the field to group by to http.req.path.

4. Click Apply. The Timeline histogram displays the average response time foreach service.