Appearance
Logs
Logs are an organisation-level event stream. Records can carry device, class, application, origin, source type, event type, level, and time context. The Logs workspace combines recent live data with archive queries when archived data is available.
Configure log ingestion from the organisation Logs workspace. Follow its onboarding instructions and source controls instead of treating file paths, systemd units, or commands on an individual device page as managed log sources.
Use logs when
- an alert or incident needs evidence from the same time window
- a device disconnects intermittently
- a rollout changes error volume across a class
- support needs context before starting an interactive session
- security activity needs filtering by actor, device, action, or source
Source and retention boundaries
Source classification is based on fields received with a record and product event classification. A missing or surprising label does not prove that the event was lost.
Dataplicity shows your organisation's retention period in the product. Queries outside that window return no records. Recent live data and archived data can have different delivery delays.
Log ingestion is usage-metered. Check Usage and service limits for your organisation's included units, current usage, and any cap. Avoid publishing secrets or unnecessary personal data in logs.
Operational sequence
- Start from the device, alert, incident, or known time.
- Open Logs and add the narrowest device or class filter first.
- Add source, application, level, or text filters.
- Expand the time range only after validating the query.
- Use context around a matching line to avoid treating one error as the whole cause.
- Open remote shell or Wormhole only when evidence shows an interactive action is needed.
- Verify recovery in the monitor and preserve the incident or audit timeline.