Let me see your logs

Written by: Daniel Pokusa. Original blog entry: click here

About three months ago I came across a tool (thanks to the Silesian JUG!) that promised to accelerate and facilitate searching and browsing over server logs. Sceptical as I was, I had a quick look at the short tutorial: Youtube Video - Retrospective Tutorial. I decided to have a closer look at the application.

Installation and first impression

I tested the application on my Linux Lubuntu x64, all went smoothly. When I opened the application I saw ... Eclipse RCP ;) That’s good, especially as I am a supporter of the solution. A nice introductory bar appeared on the left side, on the right side - the main interface (a very simple one, which I consider a plus).

Configuration

Let’s get down to the subject: let’s configure some server logs. In the File menu we select sources. We get a screen that lets us manage all sources, grouped into profiles. You can create multiple profiles and each can hold any number of files (within reason, presumably). This makes the tool more efficient to use: we can then choose to search only the servers of application X, or only the developer servers, and so on. We create the profiles ourselves, so it all depends on us. The application lets you connect to servers over SSH on any port; you can also use an SSH key, which is a very nice addition, because sometimes we do not know the login / password and simply generate our key and send it to the administrator. Of course you can also choose the local host.

After setting up the connection with the nice wizard we can add both individual files and entire directories, which is handy since most servers create a separate file for each day. Files can also be selected with simple filters (*.log* :)). After adding sources we get a nice summary of the entries for each profile. What pleases me most is that the configuration takes no more than 5-10 minutes. Once we know how to do it, adding a server and selecting the source directory takes no more than two minutes.

We are searching

We have two options for searching sources: Tail and Search. The first, as the name suggests, continuously follows the latest entries in the selected sources so you can track what is going on, whereas the second does a one-off filtering of the content, for example when we are looking for a specific error. First we define a global filter for the selected profile, for example to show only entries containing [ERROR] in the body. Once the search has started the global filter cannot be changed, but you still get a local filter that lets you highlight and browse additional information in real time. In addition, in search mode we can narrow the results by content and by a time range, which is very useful: "Hey, at 10:40 yesterday something strange was happening with the application, can you find out what it was?". It is also worth mentioning that a search screen is a tab; you can easily add more tabs and, as has just been introduced, rename them. It is also possible to save the view (bookmarks, main filters), which lets you prepare a "super-extra-console" for the logs; then we only need to load the settings.

Viewing the results

By default there are 4 columns:

  • Date / Time - the date and time extracted from the entry

  • Data - the content of the entry

  • Host - the server from which the entry originates

  • Path - the path to the file

For me personally, the most useful are the first two columns, so I turned off the remaining ones, but it definitely depends on how you configure the profiles (I have one profile per server, 1 <-> 1, because I don’t work with cloud-based applications. If I did, I would probably take a different approach :)). What matters is that you can turn these columns off. If the standard Data column is too lean for us, we can configure the profile using the so-called 'Column Split' and adjust the displayed information for our “evil purposes” (see below for how to do that).

Conclusion

In conclusion, I am positively surprised by the creativity of Retrospective’s authors (the tool is not extremely complex, but to the best of my knowledge no one has come up with something like it before), by the easy setup and ease of use, and by its focus on a specific goal. The application is designed to search over all kinds of logs. It handles many popular time formats well and lets you quickly take in more machines. I would definitely recommend it to server administrators and to architects managing machines and applications. It is already useful for the standard configuration: a production machine, a test machine, a developer machine. The more servers we run, the bigger the payoff (especially in time saved).

The only thing I'm missing is the possibility of adding a column for the log level. I am aware that some log files have nothing of the kind, but it would be a very nice option, especially if it were combined with filtering. I have noticed that I often type the name of the log level into the quick search box.

Edit: Such a function exists! It is a bit hidden and is called 'Column Split'. After creating the sources we can customize the date format, entry format, etc. using the 'Configure sources' tab. In the last (third) step, which I had not noticed before, you can create custom columns for each source. 'No split' is chosen by default, but you can change it to a character split (separation by a single character, e.g. a semicolon) or even a conversion pattern in which we define what an entry looks like. Additionally, the authors have provided a considerable number of ready-made patterns (such as the LEVEL, MESSAGE and CLASS mentioned above). Well, knowing the tool comes in useful too :) Here you can see my laziness: I did not expect such a feature in this place, I was just right-clicking the columns in the search results. Maybe there could be a shortcut there? :)
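To make the Column Split and the search-mode filters concrete, here is an added example (not part of the original post and not Retrospective's own code): a small Python model that turns a log4j-style conversion pattern (assumed subset: %d, %p, %c, %m) into named columns, then searches entries from two constructed hosts by level and time range. The host names, paths and log lines are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample entries (not real logs) in a log4j-style layout, keyed by (host, path).
SAMPLE_LOGS = {
    ("app-prod-1", "/var/log/app/2013-05-13.log"): [
        "2013-05-13 10:39:58,120 [INFO] com.example.web.Login - user 42 logged in",
        "2013-05-13 10:40:07,411 [ERROR] com.example.db.Pool - connection timed out",
        "not a log line at all",  # must be skipped, not crash the search
    ],
    ("app-prod-2", "/var/log/app/2013-05-13.log"): [
        "2013-05-13 10:40:08,770 [ERROR] com.example.db.Pool - connection timed out",
        "2013-05-13 11:02:33,000 [INFO] com.example.web.Login - user 7 logged in",
    ],
}
# Hypothetical subset of log4j conversion specifiers; each becomes a named column.
SPEC_RE = {
    "d": r"(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})",
    "p": r"(?P<level>[A-Z]+)",
    "c": r"(?P<class>[\w.$]+)",
    "m": r"(?P<message>.*)",
}

def pattern_to_regex(conversion_pattern):
    # '%d [%p] %c - %m' -> anchored regex; literal text between specifiers is escaped
    parts = [SPEC_RE[tok[1]] if tok.startswith("%") else re.escape(tok)
             for tok in re.split(r"(%[dpcm])", conversion_pattern)]
    return re.compile("^" + "".join(parts) + "$")

def split_columns(host, path, line, regex):
    # Column Split for one entry; None when the line does not fit the pattern
    m = regex.match(line)
    if m is None:
        return None
    cols = m.groupdict()
    cols["time"] = datetime.strptime(cols.pop("date"), "%Y-%m-%d %H:%M:%S,%f")
    return dict(cols, host=host, path=path)

def search(logs, conversion_pattern, level=None, start=None, end=None):
    # Search mode: optional level filter plus an inclusive 'YYYY-MM-DD HH:MM:SS' range
    regex = pattern_to_regex(conversion_pattern)
    to_ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S") if s else None
    start, end = to_ts(start), to_ts(end)
    within = lambda t: (not start or t >= start) and (not end or t <= end)
    rows = (split_columns(host, path, line, regex)
            for (host, path), lines in logs.items() for line in lines)
    hits = [r for r in rows if r and level in (None, r["level"]) and within(r["time"])]
    return sorted(hits, key=lambda r: r["time"])  # merged across hosts, oldest first
```

The "10:40 yesterday" question from the search section becomes a single call: search(SAMPLE_LOGS, "%d [%p] %c - %m", level="ERROR", start="2013-05-13 10:40:00", end="2013-05-13 10:41:00") returns the two ERROR rows, one per host, ordered by time.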

Shopping

A single license costs $92 (more here: Buy Retrospective), and I think this is money well invested for somebody who uses grep and tail every day. To sum up, it is also worth mentioning that in the last three months two new versions have been released and the application is available on 3 platforms: Windows, Linux and Mac. If you are interested, read more details here, and go straight to your boss for the money :).

PS: For writing this post I have received no financial or other profits – I am merely expressing my personal opinion.