Managing Log Analytics Queries
The information that appears in the Oracle Communications Unified Assurance Logs UI is controlled by a saved query to the Historical database. Because any user with access to the Logs UI can use the saved default query, Oracle does not recommend editing it. Using the Save button and changing the query name does not save a new query; instead, it updates the name of the default query.
You can create new queries based on the default query, or restore the default query if you accidentally delete or edit it.
Creating a New Query
You can create new queries by importing them from files with the .ndjson extension. The easiest way to get the correct format is to export the default query and modify it. You can modify the NDJSON or you can use the UI to modify the query after importing it.
To export the default query and modify it:
- From the main Unified Assurance navigation menu, select Analytics, then Events, then Administration, and then Management.
- Click Dashboard Management.
- Select Saved objects.
- Locate the [Log] Analytics object and select its checkbox. You may have to go to a different page in the list. If you filter the list using the search bar, it only returns results from the current page.
- From the Export menu, select Export.
- Edit the exported .ndjson file to change the attributes.savedQuery.name property to a new name.
  The file name does not matter and will not be reflected anywhere in the UI. The name property controls the display name of the query.
- Optionally, edit any other properties now. You can also use the UI to edit them after importing. Use the following guidelines:
  - To change the query itself, edit the value of the attributes.savedQuery.query property. Use PPL, and escape any double quotes (") with a backslash (\).
  - To change the date range, edit the values in the attributes.savedQuery.selected_date_range array.
  - If you change the fields that the query searches for, you should also change the attributes.savedQuery.selected_fields property to match, or set selected fields to an empty object.
  - Do not change the type to anything other than observability-search. The query will not appear in the list of logs queries if you do.
  - The following properties are optional. They will be overwritten when you import the object:
    - references
    - updated_at
    - version
  - The id property is required, but you can optionally automatically override its value with a unique ID when you import the file.
- In the Saved objects UI, click Import.
- Select the exported NDJSON file that you updated.
- Select the Create new objects with unique IDs option.
- Click Import.
The new query is available in the list of saved objects or by selecting Logs under Observability in the OpenSearch menu. You can edit it as needed.
For example, to create a query to show logs from the DeviceAutoDiscovery job for the past 15 days, you could do either of the following:
- Import a file with the following content:
{"attributes":{"savedQuery":{"data_sources":"[{\"name\":\"Default cluster\",\"type\":\"DEFAULT_INDEX_PATTERNS\",\"label\":\"Default cluster\",\"value\":\"Default cluster\"}]","description":"","name":"[Logs] DiscoveryQuery","query":"search source=logs-* | where app=\"DeviceAutoDiscovery\" |fields app,message;","query_lang":"PPL","selected_date_range":{"end":"now","start":"now-15d","text":""},"selected_fields":{"text":"","tokens":[]},"selected_timestamp":{"name":"@timestamp","type":"timestamp"}},"title":"[Logs] DiscoverQuery"},"id":"123456789","type":"observability-search"}
- Export the default query, modify the name property, import it, use the UI to adjust the PPL query and time range, and save the query.
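The export-and-modify steps in this section can also be scripted. The following is an added example, not Oracle's code: the derive_query helper is hypothetical and the sample export line is constructed from the default query shown on this page. It applies the guidelines above (new name, PPL query, date range, reset selected fields, unchanged type, optional properties dropped) and leaves the import itself to the Saved objects UI.

```python
import json

# Constructed sample of one exported NDJSON line, modelled on the default query
# shown on this page; the updated_at and version values are made up.
EXPORTED = json.dumps({
    "attributes": {"savedQuery": {
        "name": "[Log] Analytics",
        "query": "search source=logs-* | fields @timestamp,level,event.dataset,message",
        "query_lang": "PPL",
        "selected_date_range": {"end": "now", "start": "now-24h", "text": ""},
        "selected_fields": {"text": "", "tokens": [{"name": "level", "type": "string"}]},
        "selected_timestamp": {"name": "@timestamp", "type": "timestamp"}},
        "title": "[Log] Analytics"},
    "id": "12345678-8888-4444-8888-123456789012",
    "references": [], "updated_at": "2024-01-01T00:00:00.000Z", "version": "placeholder",
    "type": "observability-search"})


def derive_query(ndjson_line, name, ppl, start, end="now"):
    """Build an importable copy of an exported Logs query (hypothetical helper)."""
    obj = json.loads(ndjson_line)
    # Any other type would hide the query from the list of logs queries.
    if obj.get("type") != "observability-search":
        raise ValueError("type must remain observability-search")
    if "id" not in obj:
        raise ValueError("id is required, even if the import replaces it")
    saved = obj["attributes"]["savedQuery"]
    if name == saved["name"]:
        raise ValueError("use a new name; the exported query keeps its own")
    saved["name"] = name                      # display name in the UI
    saved["query"] = ppl                      # PPL text, unescaped here
    saved["selected_date_range"].update(start=start, end=end)
    saved["selected_fields"] = {"text": "", "tokens": []}  # fields changed: reset
    for key in ("references", "updated_at", "version"):   # overwritten on import
        obj.pop(key, None)
    # json.dumps escapes the double quotes in the PPL and emits a single line.
    return json.dumps(obj, separators=(",", ":"))


if __name__ == "__main__":
    print(derive_query(
        EXPORTED, "[Logs] DiscoveryQuery",
        'search source=logs-* | where app="DeviceAutoDiscovery" | fields app,message',
        "now-15d"))
```

Write the returned line to a file with the .ndjson extension and import it with the Create new objects with unique IDs option, as described above.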
Restoring the Default Query
To restore the default query:
- On your local machine, create a JSON file with the .ndjson extension with the following content:
{"attributes":{"savedQuery":{"data_sources":"[{\"name\":\"Default cluster\",\"type\":\"DEFAULT_INDEX_PATTERNS\",\"label\":\"Default cluster\",\"value\":\"Default cluster\"}]","description":"","name":"[Log] Analytics","query":"search source=logs-* | fields @timestamp,level,event.dataset,message","query_lang":"PPL","selected_date_range":{"end":"now","start":"now-24h","text":""},"selected_fields":{"text":"","tokens":[{"name":"@timestamp","type":"timestamp"},{"name":"event.dataset","type":"string"},{"name":"level","type":"string"},{"name":"message","type":"string"}]},"selected_timestamp":{"name":"@timestamp","type":"timestamp"}},"title":"[Log] Analytics","version":1},"id":"12345678-8888-4444-8888-123456789012","references":[],"type":"observability-search"}
- From the main Unified Assurance navigation menu, select Analytics, then Events, then Administration, and then Management.
- Under Dashboards Management, select Saved objects.
- (Optional) If you edited the default query and wish to restore it but also save your edited query, export, edit, and import the edited query with a new name and ID as described in Creating a New Query.
- Click Import.
- Select the JSON file that you created containing the default query.
- Select Check for existing objects and Automatically overwrite conflicts.
  Do not change the ID in the NDJSON file or use a new ID when importing. The same ID is required for the navigation link to the Logs UI to work.
- Click Import.
If you deleted the default query, there will not be any conflicts. If you edited the default query, an object with the same ID will exist, but it is overwritten by the default query.
The link to the Logs UI in the main navigation menu will now open the correct imported query.