# Log Patterns

## Overview

Log Patterns in groundcover help you make sense of massive log volumes by grouping logs with similar structure. Instead of showing every log line, the platform automatically extracts the static skeleton and replace dynamic values like timestamps, user IDs, or error codes with smart tokens.

This lets you:

* Cut through the noise
* Spot recurring behaviors
* Investigate anomalies faster

<figure><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-ea022384487f558801bb2bdb8a61ccb8e679f6d8%2FPatterns%20hover.png?alt=media" alt=""><figcaption></figcaption></figure>

### How It Works

groundcover automatically detects variable parts of each log line and replace them with placeholders to surface the repeating structure.

| Placeholder | Description                 | Example                |
| ----------- | --------------------------- | ---------------------- |
| `<TS>`      | Timestamp                   | `2025-03-31T17:00:00Z` |
| `<N>`       | Number                      | `404`, `123`           |
| `<IP4>`     | IPv4 Address                | `192.168.0.1`          |
| `<*>`       | Wildcard (text, path, etc.) | `/api/v1/users/42`     |
| `<V>`       | Version                     | `v0.32.0`              |
| `<TM>`      | Time measure                | `5.5ms`                |

### Requirements

Log Patterns are collected directly on the sensor.

## Example

**Raw log:**

```
192.168.0.1 - - [30/Mar/2025:12:00:01 +0000] "GET /api/v1/users/123 HTTP/1.1" 200
```

**Patterned:**

```
<IP4> - - [<TS>] "<*> HTTP/<N>.<N>" <N>
```

## Viewing Patterns

1. Go to the **Logs** section.
2. Switch from **Records** to **Patterns** using the toggle at the top.
3. Patterns are grouped and sorted by frequency. You’ll see:
   * Log level (Error, Info, etc.)
   * Count and percentage of total logs
   * Pattern’s trend over time
   * Workload origin
   * The structured pattern itself

## Value Distribution

You can hover over any tag in a pattern to preview the **distribution of values** for that specific token. This feature provides a breakdown of sample values and their approximate frequency, based on sampled log data.

This is especially useful when investigating common IPs, error codes, user identifiers, or other dynamic fields, helping you understand which values dominate or stand out without drilling into individual logs.

> For example, hovering over an `<IP4>` token will show a tooltip listing the most common IP addresses and their respective counts and percentages.

## Investigating Patterns

* **Click a pattern**: Filters the Logs view to only show matching entries.
* **Use filters**: Narrow things down by workload, level, format, or custom fields.
* **Suppress patterns**: Hide noisy templates like health checks to stay focused on what matters.
* **Export patterns**: Use the three-dot menu to copy the pattern for further analysis or alert creation.