# Log Patterns

## Overview

Log Patterns in groundcover help you make sense of massive log volumes by grouping logs with similar structure. Instead of showing every log line, the platform automatically extracts the static skeleton and replace dynamic values like timestamps, user IDs, or error codes with smart tokens.

This lets you:

* Cut through the noise
* Spot recurring behaviors
* Investigate anomalies faster

<figure><img src="/files/4tYJjUvvfzfcxeHHmE9S" alt=""><figcaption></figcaption></figure>

### How It Works

groundcover automatically detects variable parts of each log line and replace them with placeholders to surface the repeating structure.

| Placeholder | Description                 | Example                |
| ----------- | --------------------------- | ---------------------- |
| `<TS>`      | Timestamp                   | `2025-03-31T17:00:00Z` |
| `<N>`       | Number                      | `404`, `123`           |
| `<IP4>`     | IPv4 Address                | `192.168.0.1`          |
| `<*>`       | Wildcard (text, path, etc.) | `/api/v1/users/42`     |
| `<V>`       | Version                     | `v0.32.0`              |
| `<TM>`      | Time measure                | `5.5ms`                |

### Requirements

Log Patterns are collected directly on the sensor.

## Example

**Raw log:**

```
192.168.0.1 - - [30/Mar/2025:12:00:01 +0000] "GET /api/v1/users/123 HTTP/1.1" 200
```

**Patterned:**

```
<IP4> - - [<TS>] "<*> HTTP/<N>.<N>" <N>
```

## Viewing Patterns

1. Go to the **Logs** section.
2. Switch from **Records** to **Patterns** using the toggle at the top.
3. Patterns are grouped and sorted by frequency. You’ll see:
   * Log level (Error, Info, etc.)
   * Count and percentage of total logs
   * Pattern’s trend over time
   * Workload origin
   * The structured pattern itself

## Value Distribution

You can hover over any tag in a pattern to preview the **distribution of values** for that specific token. This feature provides a breakdown of sample values and their approximate frequency, based on sampled log data.

This is especially useful when investigating common IPs, error codes, user identifiers, or other dynamic fields, helping you understand which values dominate or stand out without drilling into individual logs.

> For example, hovering over an `<IP4>` token will show a tooltip listing the most common IP addresses and their respective counts and percentages.

## Investigating Patterns

* **Click a pattern**: Filters the Logs view to only show matching entries.
* **Use filters**: Narrow things down by workload, level, format, or custom fields.
* **Suppress patterns**: Hide noisy templates like health checks to stay focused on what matters.
* **Export patterns**: Use the three-dot menu to copy the pattern for further analysis or alert creation.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.groundcover.com/use-groundcover/log-patterns.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.