The Oracle Cloud Infrastructure Logging service is a highly scalable and fully managed single pane of glass for all the logs in your tenancy. Logging provides access to logs from Oracle Cloud Infrastructure resources. These logs include critical diagnostic information that describes how resources are performing and being accessed.
PURPOSE AND HOW IT WORKS
The utility searches the OCI logs for the query-string provided (case insensitive), within the current hour or day, in one of the following scopes:
- A specific compartment, located by name (case sensitive). The search is not cascaded to child compartments; this is something that can be improved in future releases
- A specific log-group in the compartment provided, located by name (case sensitive)
- A specific log in the compartment/log-group provided, located by name (case sensitive)
The query-string provided is searched in the special logContent field, which represents the whole text indexed for each log record (see line 102 of the utility script [ fullquery=$subquery\"" | where logContent='*$query*'" ]). See syntax query guide here. As you can see, the query-string is surrounded with * on its left and right sides in order to perform a kind of "contains" search.
If the query-string is @@@, the full set of log records is retrieved.
The search is performed in the records of the current day or hour.
Please note that the number of records retrieved can be limited by the service.
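The query construction and time window described above, as an added example that is not the utility's own code. Line 102 as quoted places the query-string between single quotes unchanged, so this version rejects strings containing quotes or backslashes instead of guessing at the query language's escaping rules. The function names build_query and time_window and the OCIDs are assumptions, and only the h and d scopes are covered.

```bash
# Added example, not the utility's code. OCIDs are constructed placeholders.

# build_query QUERY COMPARTMENT_OCID [LOGGROUP_OCID [LOG_OCID]]
# Prints the search query for the narrowest scope supplied.
build_query() {
  local query="$1" scope="$2"
  if [ -n "${3:-}" ]; then scope="$scope/$3"; fi
  if [ -n "${4:-}" ]; then scope="$scope/$4"; fi
  # @@@ means "all records": no where clause at all.
  if [ "$query" = "@@@" ]; then
    printf 'search "%s"\n' "$scope"
    return 0
  fi
  # The string lands inside a single-quoted literal; a quote or backslash
  # would end or alter that literal, so refuse it (and the empty string).
  case $query in
    ''|*\'*|*\"*|*\\*)
      echo "search string is empty or contains quotes/backslashes" >&2
      return 1 ;;
  esac
  printf 'search "%s" | where logContent='\''*%s*'\''\n' "$scope" "$query"
}

# time_window h|d [UTC_TIMESTAMP]
# Prints "START END" for the hour or day containing the timestamp
# (default: now, UTC), in the format shown in the utility's output.
time_window() {
  local now="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
  local day rest hour
  day=${now%%T*}      # 2022-10-11
  rest=${now#*T}      # 04:14:38Z
  hour=${rest%%:*}    # 04
  case $1 in
    h) echo "${day}T${hour}:00:00.000000Z ${day}T${hour}:59:59.999999Z" ;;
    d) echo "${day}T00:00:00.000000Z ${day}T23:59:59.999999Z" ;;
    *) echo "scope must be h or d" >&2; return 1 ;;
  esac
}

# Constructed sample run.
build_query core.error.internal ocid1.compartment.oc1..example ocid1.loggroup.oc1..example
time_window h 2022-10-11T04:14:38Z
```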
GET THE LATEST VERSION OF THE UTILITY
if [ -f log-query.sh ]; then rm log-query.sh; fi && wget https://raw.githubusercontent.com/javiermugueta/rawcontent/master/log-query.sh && chmod 700 log-query.sh
USAGE
Execute the tool with no arguments:

What happens if compartment, log-group or log-name is not located?
javiermugueta@mbpj ~ % ./log-query.sh t h core.error.internal xplrT xxx yyy
Logs start time: 2022-10-11T04:00:00.000000Z
Logs end time: 2022-10-11T04:59:59.999999Z
Compartment ocid: ocid1.compartment.oc1..aaaaa...xuq
Log group ocid: NOT FOUND !!!!
Please note that compartments, log-groups and log-names are case sensitive!!!
What happens if the log records retrieved don't have a message field?
Null messages are shown; use JSON format instead.

USAGE EXAMPLES
In this example we provide text format flag, hourly scope flag, search-string, compartment, log-group and log-name:
javiermugueta@mbpj % /log-query.sh t h core.error.internal xplrUT PSD fnc_g_pt_nt_nvk
Logs start time: 2022-10-11T04:00:00.000000Z
Logs end time: 2022-10-11T04:59:59.999999Z
Compartment ocid: ocid1.compartment.oc1..aaaa...uq
Log group ocid: ocid1.loggroup.oc1.eu-frankfurt-1.amaa...tq
Log name ocid: ocid1.log.oc1.eu-frankfurt-1.ama...cia
Search query: search "ocid1.compartment.oc1..aaaaa...exuq/ocid1.loggroup.oc1.eu-frankfurt-1.amaaa...tq/ocid1.log.oc1.eu-frankfurt-1.am...ia" | where logContent='*core.error.internal*'
Search results:
"2022/10/11 04:14:38 callBackEnd(https://p-g-pt-nt.c.wznk.nt/app/int/features) <-- ( 500 | {\"code\":\"core.error.internal\",\"description\":\"An internal error has occurred\",\"operationId\":\"2949ce07d51a052e\"} ) "
"2022/10/11 04:22:35 callBackEnd(https://p-g-pt-nt.c.wznk.nt/app/int/features) <-- ( 500 | {\"code\":\"core.error.internal\",\"description\":\"Ocorreu um erro interno.\",\"operationId\":\"4c5b1f034609e135\"} ) "
In this example we provide text format flag, hourly scope flag, search-string, compartment and log-group:
javiermugueta@mbpj% ./log-query.sh t h core.error.internal xplrUT PSD
Logs start time: 2022-10-11T04:00:00.000000Z
Logs end time: 2022-10-11T04:59:59.999999Z
Compartment ocid: ocid1.compartment.oc1..aaaaaaaastirum...uq
Log group ocid: ocid1.loggroup.oc1.eu-frankfurt-1.amaaa...6tq
Search query: search "ocid1.compartment.oc1..aa...xuq/ocid1.loggroup.oc1.eu-frankfurt-1.amaaaa...6tq" | where logContent='*core.error.internal*'
Search results:
"2022/10/11 04:12:10 callBackEnd(https://p-g-s-nt.c.wznk.nt/app/int/features) <-- ( 500 | {\"code\":\"core.error.internal\",\"description\":\"An internal error has occurred\",\"operationId\":\"691e25e63eea266a\"} ) "
"2022/10/11 04:12:42 callBackEnd(https://p-g-s-nt.c.wznk.nt/app/int/features) <-- ( 500 | {\"code\":\"core.error.internal\",\"description\":\"An internal error has occurred\",\"operationId\":\"029bb521edd88f4f\"} ) "
...
In this example we provide json format flag, daily scope flag, all records flag @@@, compartment and log-group (please note that in this case, records retrieved belong to the flow-logs type, that is, network traffic log records):
javiermugueta@mbpj% ./log-query.sh j d @@@ xplrUT PSD
Logs start time: 2022-12-11T00:00:00.000000Z
Logs end time: 2022-12-11T23:59:59.999999Z
Compartment ocid: ocid1.compartment.oc1..aaaaaaaastirum...uq
Log group ocid: ocid1.loggroup.oc1.eu-frankfurt-1.amaaa...6tq
Search query: search "ocid1.compartment.oc1..aa...xuq/ocid1.loggroup.oc1.eu-frankfurt-1.amaaaa...6tq"
Search results:
{ "action": "ACCEPT", "bytesOut": 112, "destinationAddress": "10.220.1.56", "destinationPort": 32098, "endTime": 1665532801, "flowid": "9ef5d0f3", "packets": 2, "protocol": 6, "protocolName": "TCP", "sourceAddress": "10.220.1.50", "sourcePort": 443, "startTime": 1665532801, "status": "OK", "version": "2" }
{ "action": "ACCEPT", ...
In this example we search a string-value in the past 14 days of records:
JMUGUETA@JMUGUETA-mac% ./log-query.sh t m 23f1313a3a584906 xplrT PSD
Logs start time: 2022-10-05T12:47:43.000000Z
Logs end time: 2022-10-19T12:47:43.000000Z
Compartment ocid: ocid1.compartment.oc1..aaaaa...uq
Log group ocid: ocid1.loggroup.oc1.eu-frankfurt-1.am...q
Search query: search "ocid1.compartment.oc1..aaaa...xuq/ocid1.loggroup.oc1.eu-frankfurt-1.ama...q" | where logContent='*23f1313a3a584906*'
Search results:
"2022/10/19 07:32:14 map[Acce..]]"
"2022/10/19 07:32:14 callBac...06\"} ) "
End, bye!!
That’s all, hope this helps!!