A while after the last post, here is the next article in the series, in which we will create some basic analytics from the logs we previously gathered.
Interactive Analytics tab in Log Insight is the place you want to go in order to retrieve event information, aggregate logs and present them in a fancy dashboard.
By default Log Insight displays the latest logs collected from every connected source, listed in order of occurrence.
In the search box you can type any string to search for matches across all logs, while the drop-down box next to the search button lets you choose the time frame for the results, such as the latest 5 minutes, the latest hour, the latest 6 hours, and so on. A nice aspect of searches is that autocomplete suggests words as you type, and matched words are highlighted in the log entries so you can browse quickly through the results.
Filters are probably the most effective way to get useful results out of the (probably) huge amount of collected logs, and they can help enormously in finding the log entry you are looking for. Filters are added by clicking the green plus icon (Add Filter); a filter can match any generic text inside the log entry or a pre-defined field, using the usual operators: contains, does not contain, starts with, matches regex, and so on.
Fields used in filters can easily be created, and saved for later use, by selecting a specific detail shown in a log entry. Select Extract field to extract that particular piece of information from the log.
Matched results will be highlighted in green. In the right-hand menu you can also modify the regular expression if needed and choose a proper name under which to save your extracted field. In this example I used device name as the field name.
Extracted fields can now be used in queries.
Let's now build a dashboard from our retrieved logs. Every log search automatically produces a bar chart in the upper part of the page. By default Log Insight displays the count of events over time, so each bar shows how many matching events occurred in a given interval (day, hour, or minute).
Charts can also be customized: you can retrieve a certain metric grouped by a particular entity. In this example I asked for the average number of scsi latency events grouped by the field I previously created (device name). With this chart I have a graphical view of the average count of scsi device related events, displayed grouped by the disk device name.
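To show what the extracted field and the grouped chart amount to underneath the UI, here is an added Python example (not code from the original post or from Log Insight): a regex with named groups plays the role of the Extract field step, and a small aggregation counts matching events per time bucket grouped by device name, plus the per-device average latency. The log lines are constructed to resemble ESXi scsi latency warnings and are not real captured output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, loosely modelled on ESXi vmkernel scsi latency
# warnings; the hostnames, device names and values are made up.
SAMPLE_LOGS = """\
2014-03-10T10:01:12Z esx01 vmkernel: ScsiDeviceIO: Performance has deteriorated. I/O latency increased for device naa.600508b1001c0a1b to 34512 microseconds
2014-03-10T10:01:45Z esx01 vmkernel: ScsiDeviceIO: Performance has deteriorated. I/O latency increased for device naa.600508b1001c0a1b to 41200 microseconds
2014-03-10T10:02:03Z esx02 vmkernel: ScsiDeviceIO: Performance has deteriorated. I/O latency increased for device naa.6000eb3a12345678 to 22870 microseconds
2014-03-10T10:02:30Z esx02 vmkernel: NMP: nmp_ThrottleLogForDevice: no latency figure in this line
2014-03-10T10:03:59Z esx01 vmkernel: ScsiDeviceIO: Performance has deteriorated. I/O latency increased for device naa.600508b1001c0a1b to 12000 microseconds
"""

# Equivalent of the "Extract field" step: one named group per field we want.
DEVICE_RE = re.compile(r"device (?P<device_name>\S+) to (?P<latency_us>\d+) microseconds")
TS_RE = re.compile(r"^(?P<ts>\S+)")

def extract_fields(line):
    """Return the extracted fields for one line, or None when the filter does not match."""
    m = DEVICE_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(TS_RE.match(line).group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "device_name": m.group("device_name"),
            "latency_us": int(m.group("latency_us"))}

def aggregate(lines, bucket="minute"):
    """Count matching events per time bucket grouped by device_name,
    and compute the average latency per device (the grouped chart)."""
    fmt = {"day": "%Y-%m-%d", "hour": "%Y-%m-%d %H:00", "minute": "%Y-%m-%d %H:%M"}[bucket]
    counts = defaultdict(lambda: defaultdict(int))
    latency = defaultdict(list)
    for line in lines:
        fields = extract_fields(line)
        if fields is None:          # lines without the field are left out of the chart
            continue
        counts[fields["ts"].strftime(fmt)][fields["device_name"]] += 1
        latency[fields["device_name"]].append(fields["latency_us"])
    averages = {dev: sum(v) / len(v) for dev, v in latency.items()}
    return {k: dict(v) for k, v in counts.items()}, averages

if __name__ == "__main__":
    per_minute, avg_latency = aggregate(SAMPLE_LOGS.splitlines(), "minute")
    for bucket, devices in sorted(per_minute.items()):
        print(bucket, devices)
    print("average latency (us) per device:", avg_latency)
```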
The look of a chart can also be changed to suit your taste. Depending on the data you are extracting, you can represent it as a column chart, a line chart, or an area, bar, pie or bubble chart.
Once you are satisfied with the result you can save your chart to a dashboard, which is basically a page on which multiple charts are grouped together. Before adding a chart to a dashboard you can choose the chart title and optionally enter a brief description of what the chart represents.
Your dashboards are accessible by clicking the Dashboards button at the top of the page and by navigating the left-side menu.
This could be an example of a populated dashboard: a single pane of glass on which sysadmins can see at a glance how well things are going.
Other articles in this series:
VMware vCenter Log Insight Series Part1 - Introduction
VMware vCenter Log Insight Series Part2 - Installation and Configuration
VMware vCenter Log Insight Series Part3 - Collecting Logs
VMware vCenter Log Insight Series Part4 - Creating Analytics