Analyzing log lines to identify the root cause of an alert

  • Release version: Xanadu
  • Updated August 1, 2024
  • 1 minute to read

    • When Health Log Analytics identifies an anomaly, viewing the logs that surround the anomaly provides clues about the state of faulting systems. This information can help you to identify the root cause of an alert.

    While viewing a Log Analytics alert in the Operator Workspace, the Surrounding logs tab lists the log lines that were generated one minute before and one second after the anomaly occurred. The log lines are related to the metric or pattern that created the alert. The list is filtered to the relevant component.

    Table 1. Information on the Surrounding logs tab
    Column Description
    Time Timestamp of the log line in the format that the source uses. If no value appears, then check the source type structure of the raw data.
    Service instance Service instance in which the metric was found.
    Component Logical component of the service instance that generated the event. Multiple CIs can sometimes perform the same function.
    Message Inner message of the raw log line that contains the text of the system-generated log message regarding the nature of the occurrence.
    Level Type of event. The available values, in order of importance, are:
    • Emergency
    • Alert
    • Critical
    • Error
    • Warning
    • Notice
    • Informational
    • Debug
    Host Host identifier from the log line that consists of the hostname or IP address of the endpoint.
    Log message The raw log message without the header.

    You can modify the time range of the displayed log lines, for example to investigate logs from more than one minute before the anomaly, or more than a second afterwards.

    Health Log Analytics enables you to view the anomalous log data graphically on the Log viewer, accessed from the Service Operations Workspace.

    The Log viewer presents all data connected with the Log Analytics alert. It automatically shows the query that relates to the anomaly, the selected component, and the appropriate time filter. Manually adjusting the time range does not affect any of the other settings. The applied filters appear in the Filters pane, where you can add or remove filters as needed. This feature is supported in the Health Log Analytics application, Version 20.0.11 - July 2021, and the Health Log Analytics Viewer application, Version 20.0.4 - July 2021, available from the ServiceNow Store.