Log Analysis Recipes

Error Count by Level

fetch logs
| summarize cnt=count(), by:{loglevel}
| sort cnt desc

Errors Over Time

fetch logs
| filter loglevel == "ERROR"
| makeTimeseries count=count()

Top Error Messages

fetch logs
| filter loglevel == "ERROR"
| summarize cnt=count(), by:{content}
| sort cnt desc
| limit 10

Errors by Source

fetch logs
| filter loglevel == "ERROR"
| summarize cnt=count(), by:{log.source}
| sort cnt desc

Log Volume by Host

fetch logs
| summarize cnt=count(), by:{dt.entity.host}
| sort cnt desc

Error Spike Detection

fetch logs
| filter loglevel == "ERROR"
| makeTimeseries errors=count(), by:{log.source}
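The spike recipe above only draws a series per source; as an added example (not one of the page's own recipes) the query below goes one step further and lists only the sources whose worst 5-minute error bucket is at least three times their average for the timeframe. The 5m interval, the 3x ratio and the noise floor of 10 are assumed values to tune per environment.

```dql
// Added example: surface log sources with an abnormal error burst.
// makeTimeseries with interval:5m yields, per source, an array "errors"
// holding one count per 5-minute bucket of the query timeframe.
fetch logs
| filter loglevel == "ERROR"
| makeTimeseries errors=count(), by:{log.source}, interval:5m
// Compare the worst bucket against the average bucket for that source.
| fieldsAdd baseline = arrayAvg(errors), peak = arrayMax(errors)
// 3x ratio and floor of 10 errors per bucket are assumed thresholds;
// the floor keeps near-silent sources from triggering on a single error.
| filter peak >= 3 * baseline and peak >= 10
| fields log.source, baseline, peak
| sort peak desc
```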
Parse JSON Logs

fetch logs
| filter contains(content, "{")
| parse content, "JSON:log"
| fields timestamp, log[level], log[message], log[service]
| limit 10

Search for Specific Text

fetch logs
| filter contains(content, "connection refused")
| fields timestamp, content, loglevel, log.source
| sort timestamp desc
| limit 20

Exclude Noise

fetch logs
| filterOut loglevel == "NONE"
| filterOut loglevel == "INFO"
| summarize cnt=count(), by:{loglevel}
| sort cnt desc
⚠️ The field is loglevel (one word), NOT log.level.
🛠 Try it: Press Ctrl+K, open the "Logs" app, filter by loglevel == "ERROR", and click any log line to see its full context. Then open a Notebook and run the same query in DQL: fetch logs | filter loglevel == "ERROR" | sort timestamp desc | limit 20.