Googling OCI logs | Helper utility for fulltext search in the logs either from the terminal or cloud-shell


The Oracle Cloud Infrastructure Logging service is a highly scalable and fully managed single pane of glass for all the logs in your tenancy. Logging provides access to logs from Oracle Cloud Infrastructure resources. These logs include critical diagnostic information that describes how resources are performing and being accessed.

PURPOSE AND HOW IT WORKS

The utility searches the OCI logs for the query-string provided (case insensitive), within the current hour or day, in one of the following scopes:

  • A specific compartment, located by name (case sensitive). The search is not cascaded to child compartments; this is something that can be improved in future releases
  • A specific log-group in the compartment provided, located by name (case sensitive)
  • A specific log in the compartment/log-group provided, located by name (case sensitive)

The query-string provided is searched in the special logContent field, which represents the whole text indexed for each log record (see line 102 of the utility script [ fullquery=$subquery\"" | where logContent='*$query*'" ]). See syntax query guide here. As you can see, the query-string is surrounded with * on its left and right sides in order to perform a kind of “contains” search.

If the query-string is @@@ then the full set of log records is retrieved.

The search is performed in the records of the current day or hour.

Please note that the number of records retrieved can be limited by the service.
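The query construction described above, as an added example (not code from log-query.sh): because the search string is pasted between single quotes, the sketch rejects strings that could close the literal early and checks that each scope value is shaped like an OCID before interpolating it. The function names and the reject-instead-of-escape policy are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of log-query.sh. Names below are hypothetical.
ALL_RECORDS='@@@'   # sentinel from the article: return every record in scope
NL='
'

# is_ocid VALUE TYPE: true if VALUE is shaped like ocid1.TYPE.<realm>.<region>.<id>
is_ocid() {
  case $1 in *[!a-z0-9.-]*) return 1 ;; esac   # no quotes, slashes or spaces
  case $1 in ocid1."$2".?*.*.?*) return 0 ;; esac
  return 1
}

# build_query TERM COMPARTMENT_OCID [LOGGROUP_OCID [LOG_OCID]]
# Prints the query in the same form as the "Search query:" output lines.
build_query() {
  bq_term=$1 bq_scope=$2
  is_ocid "$2" compartment || { echo "invalid compartment ocid" >&2; return 2; }
  if [ -n "${3:-}" ]; then
    is_ocid "$3" loggroup || { echo "invalid log-group ocid" >&2; return 2; }
    bq_scope="$bq_scope/$3"
  fi
  if [ -n "${4:-}" ]; then
    # a log is only addressable inside a log-group
    [ -n "${3:-}" ] && is_ocid "$4" log || { echo "invalid log ocid" >&2; return 2; }
    bq_scope="$bq_scope/$4"
  fi
  if [ "$bq_term" = "$ALL_RECORDS" ]; then
    printf 'search "%s"\n' "$bq_scope"          # no where clause: all records
    return 0
  fi
  # Conservative choice for this example: refuse rather than guess at escaping.
  case $bq_term in
    ''|*"'"*|*\\*|*"$NL"*)
      echo "search string is empty or contains a quote, backslash or newline" >&2
      return 3 ;;
  esac
  printf "search \"%s\" | where logContent='*%s*'\n" "$bq_scope" "$bq_term"
}
```
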

GET THE LATEST VERSION OF THE UTILITY

if [ -f log-query.sh ]; then rm log-query.sh; fi && wget https://raw.githubusercontent.com/javiermugueta/rawcontent/master/log-query.sh && chmod 700 log-query.sh

USAGE

Execute the tool with no arguments:

What happens if compartment, log-group or log-name is not located?

javiermugueta@mbpj ~ % ./log-query.sh t h core.error.internal xplrT xxx yyy                    
Logs start time: 2022-10-11T04:00:00.000000Z
Logs end time: 2022-10-11T04:59:59.999999Z
Compartment ocid: ocid1.compartment.oc1..aaaaa...xuq
Log group ocid: NOT FOUND !!!!
Please note that compartments, log-groups and log-names are case sensitive!!! 

What happens if the log records retrieved don’t have a message field?

Null messages are shown; use the json format instead.

USAGE EXAMPLES

In this example we provide text format flag, hourly scope flag, search-string, compartment, log-group and log-name:

javiermugueta@mbpj % ./log-query.sh t h core.error.internal xplrUT PSD fnc_g_pt_nt_nvk
Logs start time: 2022-10-11T04:00:00.000000Z
Logs end time: 2022-10-11T04:59:59.999999Z
Compartment ocid: ocid1.compartment.oc1..aaaa...uq
Log group ocid: ocid1.loggroup.oc1.eu-frankfurt-1.amaa...tq
Log name ocid: ocid1.log.oc1.eu-frankfurt-1.ama...cia
Search query: search "ocid1.compartment.oc1..aaaaa...exuq/ocid1.loggroup.oc1.eu-frankfurt-1.amaaa...tq/ocid1.log.oc1.eu-frankfurt-1.am...ia" | where logContent='*core.error.internal*'
Search results:
"2022/10/11 04:14:38 callBackEnd(https://p-g-pt-nt.c.wznk.nt/app/int/features) <-- ( 500 | {\"code\":\"core.error.internal\",\"description\":\"An internal error has occurred\",\"operationId\":\"2949ce07d51a052e\"} ) "
"2022/10/11 04:22:35 callBackEnd(https://p-g-pt-nt.c.wznk.nt/app/int/features) <-- ( 500 | {\"code\":\"core.error.internal\",\"description\":\"Ocorreu um erro interno.\",\"operationId\":\"4c5b1f034609e135\"} ) "

In this example we provide text format flag, hourly scope flag, search-string, compartment and log-group:

javiermugueta@mbpj% ./log-query.sh t h core.error.internal xplrUT PSD
Logs start time: 2022-10-11T04:00:00.000000Z
Logs end time: 2022-10-11T04:59:59.999999Z
Compartment ocid: ocid1.compartment.oc1..aaaaaaaastirum...uq
Log group ocid: ocid1.loggroup.oc1.eu-frankfurt-1.amaaa...6tq
Search query: search "ocid1.compartment.oc1..aa...xuq/ocid1.loggroup.oc1.eu-frankfurt-1.amaaaa...6tq" | where logContent='*core.error.internal*'
Search results:
"2022/10/11 04:12:10 callBackEnd(https://p-g-s-nt.c.wznk.nt/app/int/features) <-- ( 500 | {\"code\":\"core.error.internal\",\"description\":\"An internal error has occurred\",\"operationId\":\"691e25e63eea266a\"} ) "
"2022/10/11 04:12:42 callBackEnd(https://p-g-s-nt.c.wznk.nt/app/int/features) <-- ( 500 | {\"code\":\"core.error.internal\",\"description\":\"An internal error has occurred\",\"operationId\":\"029bb521edd88f4f\"} ) "
...

In this example we provide json format flag, daily scope flag, all records flag @@@, compartment and log-group (please note that in this case, the records retrieved belong to the flow-logs type, that is, network traffic log records):

javiermugueta@mbpj% ./log-query.sh j d @@@ xplrUT PSD
Logs start time: 2022-12-11T00:00:00.000000Z
Logs end time: 2022-12-11T23:59:59.999999Z
Compartment ocid: ocid1.compartment.oc1..aaaaaaaastirum...uq
Log group ocid: ocid1.loggroup.oc1.eu-frankfurt-1.amaaa...6tq
Search query: search "ocid1.compartment.oc1..aa...xuq/ocid1.loggroup.oc1.eu-frankfurt-1.amaaaa...6tq"
Search results:
{
  "action": "ACCEPT",
  "bytesOut": 112,
  "destinationAddress": "10.220.1.56",
  "destinationPort": 32098,
  "endTime": 1665532801,
  "flowid": "9ef5d0f3",
  "packets": 2,
  "protocol": 6,
  "protocolName": "TCP",
  "sourceAddress": "10.220.1.50",
  "sourcePort": 443,
  "startTime": 1665532801,
  "status": "OK",
  "version": "2"
}
{
  "action": "ACCEPT",
...

In this example we search a string-value in the past 14 days of records:

JMUGUETA@JMUGUETA-mac% ./log-query.sh t m 23f1313a3a584906  xplrT PSD
Logs start time: 2022-10-05T12:47:43.000000Z
Logs end time: 2022-10-19T12:47:43.000000Z
Compartment ocid: ocid1.compartment.oc1..aaaaa...uq
Log group ocid: ocid1.loggroup.oc1.eu-frankfurt-1.am...q
Search query: search "ocid1.compartment.oc1..aaaa...xuq/ocid1.loggroup.oc1.eu-frankfurt-1.ama...q" | where logContent='*23f1313a3a584906*'
Search results:
"2022/10/19 07:32:14 map[Acce..]]"
"2022/10/19 07:32:14 callBac...06\"} ) "
End, bye!!

That’s all, hope this helps!!
