While troubleshooting, you might have to analyze logs from multiple systems that interact with each other. For a specific time interval, you can run multiple queries with different query criteria to search for logs from various systems, and compare the logs. You can also compare logs that are based on the same query criteria but ingested at different times.

Procedure

  1. Expand the main menu and navigate to Analytics > Log Compare.
    Tip: You can also compare logs from the following pages:
    • Explore Logs: Do either of the following:
      • Enter a query and in the upper-right corner of the page, click the compare icon. Add more queries to compare logs.
      • Enter a query and in the upper-right corner of the page, click the pin icon. Pin multiple queries to the pinboard and then click Compare Logs.
    • Analytics > KB Insights: Select up to four queries and select Actions > Compare as Queries.
    • Log Management > Log Upload: Select two log bundles and click Compare Logs.
  2. In the Compare Logs page, enter details for the first query.
    • Enter a name for the query.
    • Select the indexed partition on which you want to run the query and click Apply. If you do not select an indexed partition, VMware Aria Operations for Logs (SaaS) searches for logs in all the indexed partitions.
    • Enter a start date and time for querying the logs. VMware Aria Operations for Logs (SaaS) uses the start date and time and the duration in the upper-right corner of the page to calculate the time range for the query. When the query runs, it searches for logs within the time range.
    • Add one or more filters for more specific query results. For more information, see Searching for Logs.
  3. Click Add Query to add another query and enter the details described in step 2. You can compare logs for up to four queries.
    Tip: You can copy an existing query by clicking the copy icon next to the query name.
  4. In the upper-right corner of the page, enter the common duration for the added queries. VMware Aria Operations for Logs (SaaS) uses the start date and time in a query and the common duration to calculate the time range for the query. When a query runs, it searches for logs within the time range.
    Note: You can enter a maximum duration of 29 days, 23 hours, and 59 minutes.
  5. Click Compare.

Results

The log comparison is displayed as a stacked line chart and the log results appear side by side in query tabs under the chart. You can select a query tab on the left side and a query tab on the right side to compare the log results.

By default, the chart is based on the logs corresponding to the selected query tabs. However, to view the chart for all the queries, in the upper-right corner of the chart, click Show All.

The chart is plotted based on the common time range for the queries. To view the specific time at which a log was ingested, you can hover over the data point in the chart.