# Events and Logs (Raw data)
Use the Logs and Events screen to view raw data, logs, and messages coming into Acure from various data streams.
Go to the system section Data collection→Events & Logs through the main menu.
# Selecting streams
By default, when you open the Events & Logs screen, all available streams in the system are displayed.
To filter data by streams:
- Switch the slider "Fields"/"Streams" into the mode "Streams".
- Click Deselect all.
- Select the required streams by pressing the "+" icon opposite the stream name.
To select all streams press Select All
# Viewing data
Click on the arrow to the left of the message (event) to view its detailed information.
Switch between the JSON and Tabular View tabs to change the appearance of the data.
In the JSON tab to the right of the file, click "Copy" to place the .json object on the clipboard.
In the "Fields" tab in the columns Available/Selected fields you can view statistics for each field.
To display statistics, click the histogram icon next to the field name in the column, and a pop-up window will open listing the most popular field values, as well as the minimum, maximum, and average values for numeric fields.
💡 When you click on a value in the window, it also becomes possible to add a condition to the filter using this value.
You can export the entire list of filtered events in the .xlsx or.csv format by clicking the "Export" button in the upper right corner and select the file format.
# Searching and filtering data
To search and filter data, you can use the string to form a search query or a custom filter below it.
- To form a custom filter, click «+ Filter», and a new condition will be added to the common filter.
In the drop-down menu select Field from the available among all displayed events, Operator (is, is not, contains, does not contain), enter Value and click Apply to filter data on the defined condition.
In addition, you can add conditions to the filter directly from the table, by clicking on the field in the event and clicking the pop-up button "Add this value to the filter".
To filter data by date and time use the datetime picker to the right of the search bar.
To form your own request, use the search bar and enter a query in MQL, based on Lucene (opens new window) (quick reference below).
| Request type | Example | Note |
|---|---|---|
| Search by term (exact match, no special symbols) | _stream.name:Messages | The request is case insensitive. |
| Search by phrase with spaces, numeric, negative values, dates (exact match) | _stream.name:"CIT Messages"source.text:"what is going on\?"source.text:what is going on\? | Escaping is done using quotes. Double quotes require escaping ? * \ " inside if you want to find an exact match. Internal escaping is done through \.Also if there are no escape quotes, but there are characters ? * \ ", then they also need to be escaped through \. |
| Value is not equal | !_stream.name:"CIT Messages"-_stream.name:"CIT Messages" | |
| Prefix search | _stream.name:Pr* | Request will return all events, where the value of the stream.name field begins with "Pr". For example, Prometheus. Query !stream.name:*Pr - will return events if the value of the stream.name field does not start with "Pr". |
| Full-text search | _stream.name:*bb* | Request will return all events, the values of the stream.name field contain 2 consecutive characters "bb".For example, Zabbix. Symbols can be anywhere in the value.. !stream.name:*bb* - not contains "bb". If you are searching using a phrase with spaces, you must enclose it in quotation marks. For example: _stream.name:"*IT Messag*". The request will return events where the field _stream.name contains "IT Messag", for example "CIT Messages" |
| Postfix search | _stream.name:*ges | Request will return all events, the values of the stream.name ending in "ges". For example, messages. !stream.name:*ges - not ending in "ges" |
| BooleanQuery (logical conditions) | _stream.name:Messages AND (source.Type:UserLeft OR source.Type:UserJoin) | Expressions are combined through operators OR or AND, which are separated by one space on the right and left.Query (also in-brace expression) cannot start with operator. The number of operators must be 1 less than the number of expressions. Expressions and operators must be interleaved. Also, expressions can be combined through parentheses, the number of opening and closing parentheses must be the same. |
| Escaping characters | source.text:"what is going\?"source.text:what is going on\?source.password:"asd(\\\?) sd"will search for an exact match with asd(\?) sd | Parentheses, colons, and spaces must be escaped, and can be escaped with quotes. You also need to escape ? * \ " with \ |
| Finding fields with a non-empty value | source.text:exists() | Works with any field type |
| Exclude events that contain this field | !source.text:exists()-source.text:exists() | Works with any field type |
Any query you make can be saved for quick reference. To save the query, configure the filters in the way you need, click "Save as" at the top of the page and enter the name of the query. Immediately upon adding, check the item "Add to Favorites" and the query will appear in the quick access panel after adding.
You can select another request from those already saved in the selector to the left of the "Save as" button and rename, delete and reset settings via the drop-down menu to the right of the "Save as" button.
# Configuring View
You can customize the presentation of the data on the Events & Logs screen using the composition of the displayed message fields and the detalization level of the histogram.
The detail level of the histogram (interval) is set in the upper right corner of the graph. If you select a too small or too large interval, the histogram will automatically select the optimal interval.
Use the switch to the left of the histogram to switch between row and table views.
To configure the composition of fields for displayed events, switch the slider "Fields"/"Streams" into the "Fields" position and add and remove fields using the ** "➕" ** and ** "✖️" ** buttons to the right of the name in the column «Available fields»/«Selected fields» in the left area of the screen.
Use the toggle switch in the upper right corner of the screen to enable/disable the live display of events being received by the Acure system.
# Personal screen settings
# Rendering Markdown
Click on the "gear" icon in the upper right corner. In the dialog box that opens activate Render Markdown in order to display Markdown markup in the events.
In the line below, enter the fields to be rendered.