Log Analysis

Discover patterns, trends, and anomalies in your logs with Gonzo's advanced analytical capabilities. From automatic pattern detection to time-series analysis, these features reveal insights that would be impossible to find manually.


Access Point: Most log analysis features are accessed through the Counts panel (bottom-right). Press Enter on the Counts panel to open the detailed analysis modal.

Analysis Overview

Gonzo's log analysis combines multiple sophisticated algorithms to provide comprehensive insights:

| Feature | Algorithm | What It Reveals | Best For |
| --- | --- | --- | --- |
| Pattern Detection | Drain3 clustering | Recurring log templates | Finding common issues |
| Time-Series Analysis | 60-minute rolling window | Trends over time | Understanding incident timing |
| Heatmap Visualization | ASCII intensity mapping | Activity patterns by severity | Visual pattern recognition |
| Service Distribution | Real-time aggregation | Which services log what | Multi-service debugging |
| Anomaly Detection | Statistical analysis | Unusual patterns | Proactive problem identification |

The Analysis Dashboard

Counts Panel Overview

The Counts panel (bottom-right) provides your gateway to advanced analysis:

┌─ COUNTS ─────────────────────────────┐
│ Severity Distribution:               │
│ ERROR  █████████████████████   (45%) │
│ WARN   ██████████████          (30%) │
│ INFO   ███████                 (20%) │
│ DEBUG  ██                       (5%) │
│                                      │
│ Total Entries: 2,847                 │
│ Time Span: 2h 15m                    │
│ Entries/min: 21.2                    │
│ Pattern Count: 23                    │
│                                      │
│ Press Enter for detailed analysis... │
└─────────────────────────────────────┘

Key Metrics Explained:

  • Severity Distribution - Percentage breakdown by log level with visual bars

  • Total Entries - Count of all processed log entries in current session

  • Time Span - Duration from first to last log entry

  • Entries/min - Average logging frequency (useful for capacity planning)

  • Pattern Count - Number of unique patterns detected by the Drain3 algorithm

Detailed Analysis Modal

Press Enter on the Counts panel to access the comprehensive analysis modal:

Time-Series Heatmap Analysis

Understanding the Heatmap

The time-series heatmap is one of Gonzo's most powerful visual analysis tools:

Time Axis (Horizontal):

  • Shows last 60 minutes in 1-minute buckets

  • Reading: 60 = 60 minutes ago, 0 = current minute

  • Updates in real-time as new logs arrive

Severity Axis (Vertical):

  • Each row represents a different log severity level

  • Separate tracking for ERROR, WARN, INFO, DEBUG, etc.

  • Independent scaling per severity level

Intensity Indicators:

Reading Heatmap Patterns

Identifying When Problems Started:

Analysis:

  • Problem started around 40 minutes ago

  • Peak error activity 30-20 minutes ago

  • Warnings preceded errors (early warning signs)

  • System appears to be recovering now

Use Case: Incident timeline reconstruction
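The bucketing and reading steps described above, as an added example that is not Gonzo's own code: it counts entries into 60 one-minute buckets per severity, renders each row scaled to its own peak, and reports when each severity first appeared. The glyph ramp, the `min_count` threshold and the sample data are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

WINDOW = 60            # one-minute buckets, as described above
RAMP = " .:-=+*#%@"    # assumed intensity glyphs, not Gonzo's own

def bucket(entries, now):
    """Count (timestamp, severity) pairs per severity per minute.
    Index 0 is the oldest bucket; index WINDOW-1 is the current minute."""
    counts = {}
    for ts, sev in entries:
        age = int((now - ts).total_seconds() // 60)
        if 0 <= age < WINDOW:          # drop entries outside the rolling window
            counts.setdefault(sev, [0] * WINDOW)[WINDOW - 1 - age] += 1
    return counts

def render(counts):
    """One text row per severity, each scaled to its own peak."""
    rows = {}
    for sev, row in counts.items():
        peak = max(row)
        # Ceiling division keeps any non-zero bucket visible.
        rows[sev] = "".join(RAMP[-(-n * (len(RAMP) - 1) // peak)] for n in row)
    return rows

def onset(row, min_count=1):
    """Minutes ago of the earliest bucket with at least min_count entries."""
    for i, n in enumerate(row):
        if n >= min_count:
            return WINDOW - 1 - i
    return None

def sample(now):
    """Constructed data: WARN from 45 min ago, ERROR from 40, peaking 30-20."""
    out = []
    for age in range(45, -1, -1):
        ts = now - timedelta(minutes=age, seconds=10)
        out += [(ts, "WARN")] * 2
        errors = 0 if age > 40 or age < 5 else 10 if 20 <= age <= 30 else 3 if age > 30 else 2
        out += [(ts, "ERROR")] * errors
    return out

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, 0)
    counts = bucket(sample(now), now)
    for sev, line in render(counts).items():
        print(f"{sev:<5} |{line}| onset {onset(counts[sev])} min ago")
```

Because each row is scaled to its own peak, two warnings per minute render at full intensity on the WARN row while ten errors per minute are needed for the same glyph on the ERROR row; compare rows by shape and timing, not by brightness.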

Heatmap Best Practices

🔍 Investigation Techniques:

  1. Start wide, zoom in - Look for obvious patterns first

  2. Compare severity levels - How do different levels correlate?

  3. Identify inflection points - When did patterns change?

  4. Look for cycles - Are there recurring patterns?

⚡ Quick Analysis:

Pattern Detection with Drain3

How Drain3 Works

Gonzo uses the Drain3 algorithm for automatic pattern detection:

What Drain3 Does:

  • Clusters similar log entries into pattern templates

  • Extracts variable parts (IDs, timestamps, values) from static text

  • Maintains pattern counts in real-time

  • Adapts to new patterns as they appear
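A simplified sketch of this kind of clustering, added here as an example and not taken from Gonzo or the Drain3 library: it masks tokens that contain digits, compares a line only with templates of the same token count, and turns differing positions into wildcards. The function names, the `sim_th` value and the sample lines are assumptions, and Drain's prefix-tree routing is left out.

```python
import re

WILDCARD = "<*>"

def tokenize(line):
    # Tokens containing a digit (IDs, durations, addresses) are treated as variables.
    return [WILDCARD if re.search(r"\d", t) else t for t in line.split()]

def mine(lines, sim_th=0.5):
    """Simplified Drain-style clustering. Only templates with the same token
    count are compared (Drain's first tree level); its prefix-tree routing is
    left out. sim_th is an assumed similarity threshold.
    Returns [(template, count), ...] with the most frequent first."""
    clusters = []                                  # each item: [template_tokens, count]
    for line in lines:
        tokens = tokenize(line)
        if not tokens:
            continue
        best, best_sim = None, 0.0
        for cluster in clusters:
            if len(cluster[0]) != len(tokens):
                continue
            sim = sum(a == b for a, b in zip(cluster[0], tokens)) / len(tokens)
            if sim >= sim_th and sim > best_sim:
                best, best_sim = cluster, sim
        if best is None:                           # nothing close enough: new pattern
            best = [tokens, 0]
            clusters.append(best)
        else:                                      # generalise positions that differ
            best[0] = [a if a == b else WILDCARD for a, b in zip(best[0], tokens)]
        best[1] += 1
    return sorted(((" ".join(t), n) for t, n in clusters), key=lambda c: -c[1])

# Constructed sample lines, not taken from a real system.
SAMPLE = [
    "Database connection timeout after 30s to db-1",
    "Database connection timeout after 45s to db-2",
    "User authentication failed for alice from 10.0.0.5",
    "User authentication failed for bob from 10.0.0.9",
    "Database connection timeout after 31s to db-1",
    "Slow query detected on orders table",
]

if __name__ == "__main__":
    for template, count in mine(SAMPLE):
        print(f"{count:>3}  {template}")
```

The merged authentication template no longer shows which account or source address failed, so a high count on such a pattern still needs the raw lines grouped by the wildcarded fields before drawing conclusions.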

Example Pattern Detection:

Pattern Analysis Features

Top Patterns by Severity:

In the analysis modal, patterns are grouped by severity level:

What This Tells You:

Focus on High-Count Patterns:

  • Database connection timeout (247) - Critical infrastructure issue

  • User authentication failed (156) - Security/user experience impact

  • Slow query detected (324) - Performance degradation

Analysis Priority:

  1. Address database connectivity first (highest error count)

  2. Investigate authentication system second

  3. Optimize slow queries for long-term performance

Working with Pattern Data

Pattern-Based Filtering:

Once you identify interesting patterns, use them for focused analysis:

Pattern Evolution Tracking:

Service Distribution Analysis

Understanding Service Metrics

The service distribution section shows which services are generating logs:

What This Reveals:

| Metric | Meaning | Investigation Questions |
| --- | --- | --- |
| High Percentage | Service is very active | Is this normal? Performance issue? |
| Low Percentage | Service is quiet | Is it supposed to be active? Down? |
| Sudden Changes | Activity shift | What caused the change? |
| Missing Services | Service not logging | Is it running? Configuration issue? |

Service-Based Analysis

Normal Load Patterns:

Red Flags:

  • Database suddenly becomes 60%+ (performance issue)

  • Auth drops to 0% (service down)

  • New unknown service appears with high percentage
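The three red flags above expressed as a check over per-service entry counts, as an added example that is not part of Gonzo: it compares a baseline window with the current one. The function names, the `new_pct` threshold, the service names and the counts are assumptions; `dominant_pct` follows the 60%+ figure in the list.

```python
from collections import Counter

def shares(counts):
    """Percentage of all entries contributed by each service."""
    total = sum(counts.values())
    return {svc: 100.0 * n / total for svc, n in counts.items()} if total else {}

def red_flags(baseline, current, dominant_pct=60.0, new_pct=10.0):
    """Compare per-service entry counts from a baseline window and the current one.
    dominant_pct follows the 60%+ figure above; new_pct is an assumed threshold."""
    before, now = shares(baseline), shares(current)
    flags = []
    for svc in sorted(set(baseline) | set(current)):
        if baseline.get(svc, 0) > 0 and current.get(svc, 0) == 0:
            flags.append((svc, "silent"))        # was logging, now 0%
        elif baseline.get(svc, 0) == 0 and now.get(svc, 0.0) >= new_pct:
            flags.append((svc, "new"))           # unknown service with a large share
        elif now.get(svc, 0.0) >= dominant_pct > before.get(svc, 0.0):
            flags.append((svc, "dominant"))      # share jumped past the threshold
    return flags

# Constructed counts for two observation windows.
BASELINE = Counter({"api": 400, "database": 250, "auth": 200, "cache": 150})
CURRENT = Counter({"database": 620, "api": 180, "unknown-svc": 120, "cache": 80})

if __name__ == "__main__":
    for svc, reason in red_flags(BASELINE, CURRENT):
        print(f"{svc:<12} {reason:<9} {shares(CURRENT).get(svc, 0.0):5.1f}%")
```

Shares are relative: in the sample, `api` falls from 40% to 18% largely because `database` grew, so confirm a drop against absolute counts before treating a service as degraded.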

Advanced Analysis Techniques

Correlation Analysis

Cross-Reference Multiple Data Points:

Trend Identification

Long-Term Pattern Analysis:

Performance Baseline Establishment

Creating Performance Baselines:

Analysis Workflows

Incident Investigation Workflow

Performance Monitoring Workflow

Capacity Planning Workflow

Troubleshooting Analysis Issues

Performance Issues

Analysis Modal Loading Slowly:

Pattern Detection Not Working:

Interpretation Issues

Unclear Heatmap Patterns:

Misleading Service Distribution:

Best Practices

🎯 Effective Analysis Strategies

  1. Start with overview, drill down - Use heatmap for big picture, patterns for specifics

  2. Correlate multiple data sources - Combine timing, patterns, and services

  3. Track trends over time - Compare current state with historical baselines

  4. Focus on high-impact patterns - Prioritize by frequency and severity

📊 Data Quality Optimization

  1. Use structured logging - JSON and logfmt provide better analysis

  2. Consistent field naming - Helps with service distribution accuracy

  3. Meaningful log levels - Proper ERROR/WARN/INFO usage improves analysis

  4. Include context - Service names, trace IDs, and relevant metadata

Performance Optimization

  1. Right-size analysis windows - Balance detail with performance

  2. Reset data periodically - Prevent memory buildup in long sessions

  3. Filter appropriately - Reduce dataset size for complex analysis

  4. Monitor resource usage - Adjust settings based on system capacity

What's Next?

Now that you understand log analysis, explore these complementary features:

  • AI Integration - Combine algorithmic analysis with AI insights

  • Format Detection - Optimize data input for better analysis

  • Configuration - Tune analysis settings for your needs

  • Integration Examples - Apply analysis to real-world scenarios


You now have mastery over Gonzo's analytical capabilities! 🚀 The combination of time-series analysis, pattern detection, and service distribution gives you unprecedented insight into log behavior and system health.
