Log Patterns

Log Patterns help you cut through log noise by grouping similar logs based on structure. Instead of digging through thousands of raw lines, you get a clean, high-level view of what’s actually going on

Overview

Log Patterns in groundcover help you make sense of massive log volumes by grouping logs with similar structure. Instead of showing every log line, the platform automatically extracts the static skeleton and replace dynamic values like timestamps, user IDs, or error codes with smart tokens.

This lets you:

  • Cut through the noise

  • Spot recurring behaviors

  • Investigate anomalies faster

How It Works

groundcover automatically detects variable parts of each log line and replace them with placeholders to surface the repeating structure.

Placeholder
Description
Example

<TS>

Timestamp

2025-03-31T17:00:00Z

<N>

Number

404, 123

<IP4>

IPv4 Address

192.168.0.1

<*>

Wildcard (text, path, etc.)

/api/v1/users/42

<V>

Version

v0.32.0

<TM>

Time measure

5.5ms

Requirements

Log Patterns are collected directly on the sensor.

To see patterns in your environment, make sure your groundcover sensor is upgraded to version 1.9.251 or later.

Example

Raw log:

192.168.0.1 - - [30/Mar/2025:12:00:01 +0000] "GET /api/v1/users/123 HTTP/1.1" 200

Patterned:

<IP4> - - [<TS>] "<*> HTTP/<N>.<N>" <N>

Viewing Patterns

  1. Go to the Logs section.

  2. Switch from Records to Patterns using the toggle at the top.

  3. Patterns are grouped and sorted by frequency. You’ll see:

    • Log level (Error, Info, etc.)

    • Count and percentage of total logs

    • Pattern’s trend over time

    • Workload origin

    • The structured pattern itself

Value Distribution

You can hover over any tag in a pattern to preview the distribution of values for that specific token. This feature provides a breakdown of sample values and their approximate frequency, based on sampled log data.

This is especially useful when investigating common IPs, error codes, user identifiers, or other dynamic fields, helping you understand which values dominate or stand out without drilling into individual logs.

For example, hovering over an <IP4> token will show a tooltip listing the most common IP addresses and their respective counts and percentages.

Investigating Patterns

  • Click a pattern: Filters the Logs view to only show matching entries.

  • Use filters: Narrow things down by workload, level, format, or custom fields.

  • Suppress patterns: Hide noisy templates like health checks to stay focused on what matters.

  • Export patterns: Use the three-dot menu to copy the pattern for further analysis or alert creation.

Last updated