Log

Log

By using ServiceWatch logs, you can monitor, store, and access log files collected from the resources of the service that provides the logs.

Log Group

Log groups are containers for log streams that share the same retention policy settings. Each log stream must belong to a single log group. For example, if there are separate log streams for the logs of each cluster in Kubernetes Engine, you can group the log streams into a single log group called /scp/ske/{cluster name}.

Log Retention Policy

The log retention policy allows you to set the period for retaining log events in ServiceWatch. Log events whose retention period has expired are automatically deleted. Log The retention period assigned to the group applies to the log streams and log events belonging to the log group.

The retention period can be selected from the following options and is set in days.

Log stream

A log stream is a collection of log events ordered by the sequence in which they occurred from the same source. For example, all log events generated by a particular Kubernetes Engine cluster can form a single log stream.

Log Event

Log events are individual records that capture logs generated by a resource. A log event record includes two attributes: a timestamp of when the event occurred and a log message. Each message must be encoded in UTF-8.

log pattern

You can create log patterns to filter log data that matches the pattern. Log patterns define the words or patterns to search for in the log data collected by ServiceWatch, allow you to view the status of log occurrences as graphs, and serve as metrics for creating alert policies.

Log patterns are not applied retroactively to data. They are applied to log events collected after the log pattern is created.

Log pattern namespace

A namespace is a logical separation used to distinguish and group metrics. In ServiceWatch, it is divided into namespaces associated with services, namespaces for custom metrics, and namespaces for log patterns.

• Namespace associated with services such as Virtual Server
• A namespace consisting of custom metrics, i.e., the namespace of metrics collected through the custom metrics API or ServiceWatch Agent.
• Namespace of the metric generated by the log pattern

When creating metrics for a log pattern, you can either create a new namespace for the log pattern or select from existing log pattern namespaces.

Metric name

The monitored log information is the name of the metric generated by ServiceWatch. You must configure it so that the metric name does not duplicate within the namespace where the metric will exist.

Metric Value

It is the numeric value posted to the metric each time a log matching the pattern is found. For example, when counting occurrences of a specific word (e.g., Error), this value becomes 1 for each occurrence. When calculating transmitted bytes, it can be incremented by the actual number of bytes found in the log event.

default value

This is the value recorded in the log pattern for periods during log collection when no matching logs can be found. Setting the default to 0 prevents the metric from becoming irregular due to periods with no matching data.

When setting a dimension on a metric created from a log pattern, you cannot set a default value for that metric.

dimension

Dimensions are key-value pairs that further define a metric. You can add dimensions to metrics generated from log patterns. Since dimensions are part of a metric’s unique identifier, each time a unique name/value pair is extracted from logs, a new variant of that metric is created.

When you choose the log pattern format as either a whitespace-delimited pattern or a JSON format pattern, you can set the dimension, and it can be configured using one of the parameters defined in the pattern. You can assign up to three dimensions to an indicator. If a default value is set, you cannot configure dimensions. To set dimensions, you must disable the use of the default value.

Pattern format

This explains how ServiceWatch interprets data from each log event. The pattern format can be selected from three options as shown below.

• String Pattern: log containing a specific string
• Space-separated pattern: timestamps, IP addresses, strings, and other logs separated by spaces
• JSON format pattern: log containing specific JSON fields

Available regular expression syntax

When using regular expressions to search and filter log data, you must enclose the expression with %.

Patterns that contain regular expressions can only include the following.

• Alphanumeric - An alphanumeric character is a character that corresponds to a letter (A~Z or a~z) or a digit (0~9).
  • It can be used with A-Z, a-z, 0-9.
• The supported symbol characters are as follows.
  • :, _, #, =, @, /, ;, ,, -
  • For example, %servicewatch!% cannot be used because ! is not supported.
• The supported operators are as follows.
  • It includes ^, $, ?, [, ], {, }, |, \, *, +, ..
  • (, ) The operator is not supported.

string pattern

String pattern using regular expressions

You can search for matching patterns in log events using a regex string pattern wrapped with %(percentage) at the beginning and end. Below is an example pattern that retrieves all log events containing the ERROR keyword. Please refer to Available regex syntax.

%ERROR%

The above pattern matches log event messages like the ones below.

• [2026-02-13 14:22:01] ERROR 500 POST /api/v1/checkout (192.168.1.10) - NullPointerException at com.app.controller.CheckoutController.java:55
• [ERROR] Configuration file not found: /etc/app/config.yaml

String pattern in unstructured log events

It is a string pattern for searching strings in log events that are not in formats such as JSON. Below is an example of a log event message, and you can view log events that match various string pattern classifications.

ERROR CODE 400 BAD REQUEST
ERROR CODE 401 UNAUTHORIZED REQUEST
ERROR CODE 419 MISSING ARGUMENTS
ERROR CODE 420 INVALID ARGUMENTS

Space-separated pattern

Generate a pattern to search for matching strings in space-separated log events.

Whitespace-separated pattern example (1)

The following is an example of log events separated by spaces.

2023-10-27T10:00:01Z [INFO] 1234 login success 192.168.1.1

The above log event is a space‑separated log event that includes timestamp, logLevel, user_id, action, status, ip. Characters between brackets ([]) and double quotes ("") are considered a single field.

To create a pattern that searches for matching strings in space-separated log events, enclose the pattern in brackets ([]) and specify name-separated fields with commas (,). The following pattern parses six fields.

A pattern like [timestamp, logLevel, user_id, action, status = success, ip] can be used to find log events where the fifth field, status, is success.

Whitespace-separated pattern example (2)

abc xxx.log james 2023-10-27T10:00:01Z POST 400 1024
abc xxx.log name 2023-10-27T10:00:02Z POST 410 512

The above log event is a space‑separated log event that includes host, logName, user, timestamp, request, statusCode, and size.

A pattern like [host, logName, user, timestamp, request, statusCode=4*, size] can find log events where the sixth field, statusCode, starts with 4.

If you do not know the exact number of fields in a space-separated log event, you can use an ellipsis (…). A pattern such as […, statusCode=4*, size] represents the first five fields using an ellipsis.

AND(&&) operator and OR(||) operator can be used to create composite expressions. […, statusCode=400 || statusCode=410, size] can find log events where the sixth field, statusCode, is 400 or 410.

You can use regular expressions to provide conditions in a pattern. [host, logName, user, timestamp, request, statusCode=%4[0-9]{2}%, size] can find log events where the sixth field, statusCode, is a number that starts with 4.

JSON format pattern

You can create a pattern to search for matching strings or numeric values in JSON log events. Patterns are enclosed in curly braces ({}).

String-based JSON format pattern

• Use $. to represent JSON fields.
• The operator can use = or !=.
• The string to compare with the field can be enclosed in double quotes (""). Strings containing characters other than alphanumerics and the underscore must be enclosed in double quotes. Use an asterisk (*) as a wildcard to match text.

{ $.resourceType = "trail" }
{ $.resourceType = "%trail%" }
{ $.arrayKey[0] = "value" }

JSON format pattern that searches for numeric values

• Use $. to represent JSON fields.
• You can use numeric operators.
  • greater than(>), less than(<), equal to(=), not equal to(!=), greater than or equal to(>=), less than or equal to(<=)
• You can include addition(+) or subtraction(-) symbols. An asterisk(*) can be used as a wildcard.

{ $.errorCode = 400} 
{ $.errorCode >= 400} 
{ $.errorCode != 500 }
{ $.sourceIPAddress != 123.123.* }

Export Log Group

You can export log data from a log group to Object Storage for log retention and analysis. You can also export log groups for log data that resides in the same account.

To start exporting a log group, you must create an Object Storage bucket to store the log data.

Exporting a log group can take a long time depending on the amount of logs. When exporting a log group, you can reduce the export duration by specifying particular streams within the log group or by defining a time range.

Log group export can only be executed one at a time per account. To start another log group export, the ongoing export task must be completed.

You can delete a log group’s export history after the export succeeds or after the export cancellation is completed. Canceling a log group export does not delete the saved file exported from the log group. To delete the saved file exported from the log group, delete the stored file directly in Object Storage.