Skip to content

Search logs

Start with the smallest useful scope. Log search combines field tokens with remaining text, which is matched against log content.

Current Dataplicity Logging console with device and platform events from a commercial demo fleet
The Logging console keeps severity, source, labels, device, automation, and incident context visible.

Supported filters

TokenMeaningExample
device:Device hashdevice:abc123
class:Device-class hashclass:def456
app:Application labelapp:gateway
origin:Event originorigin:agent
type:Classified source typetype:generic_syslog
level:Log levellevel:ERROR
since:Start of time rangesince:"15 minutes ago"

Combine tokens with spaces:

text
device:abc123 app:gateway level:ERROR timeout

Tokens are combined as restrictions. Remaining words are text search. Quote relative time expressions that contain spaces.

Investigation workflow

  1. Open Logs from the alert, incident, or organisation navigation.
  2. Add device: or class: before searching generic words.
  3. Set since: to just before the first observed failure.
  4. Add type:, origin:, app:, or level: only when the field exists on representative rows.
  5. Open context around a matching row to inspect preceding and following activity.
  6. Save or share the query only after removing secrets or customer data.

Recent results can update live. Older windows use archive queries where archive data is available. Crossing between those data paths can change result latency and pagination. A gap does not prove that nothing happened.

Log alert rules

A log alert rule supports a narrower query subset than the interactive viewer. It can match level, application, origin, source type, and remaining text, then group by device, application, or origin and send a webhook subject to throttling.

Test the rule with representative records. Secure the webhook endpoint, handle duplicate delivery, and use grouping and throttle windows to control noise. Do not assume every viewer token is evaluated by a log alert rule.

Analytics and investigations

Where enabled, log analytics summarises trends, error rates, noisy devices, applications, origins, source types, event types, anomalies, and security events. Treat rollups as directional evidence. Confirm a finding against matching log records because classification, freshness, and selected time windows can differ.

Where enabled, Log investigations preserve a query, time window, detector threads, expanded evidence, notes, and pins as a repeatable evidence trail. Record acknowledgement and resolution in the incident timeline. You can also save a scoped query and add its findings to that timeline.

Troubleshooting

  • No results: remove filters one at a time and verify the time window is retained.
  • Wrong source type: inspect the raw origin, application, source, and event fields.
  • Too many results: add device or class scope before adding more text.
  • Earlier data outside the results: check the retention shown for the organisation and the archive boundary.
  • Live updates stopped: reload the window and confirm the organisation still has log access and ingest capacity.