Using Log Correlation

Observe lets you query across multiple log sources that share common attributes, such as IDs. In other observability systems, this capability is known as log subqueries.

Whenever two or more datasets share a link to a resource or interval dataset, you will be able to use the new Add Correlation button in Log Explorer to run queries across these datasets.

Creating a correlation involves three steps:

  1. Select Add Correlation from within the Expression Builder.

  2. Choose the destination dataset. Observe pre-filters the destinations to those log datasets that share at least one link with the current dataset.

  3. Choose a join method for joining the data. The join method is a shared link between the origin and destination datasets. It determines how the query output from the original expression is joined with the destination dataset to filter down the results.

Additionally, you can chain as many correlations as you’d like. Each new correlation you add will be built off of the output of the preceding query, forming a “correlation chain.”

Demo

In the video below, we will look at an example of how to use Log Correlation to troubleshoot an issue for a fictitious ecommerce company that is experiencing a spike in checkout failures.

How this works

Under the hood, this feature works by using the exists verb. You can always toggle over to the OPAL tab to inspect the OPAL which is generated by the correlation feature.
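
The filtering that a correlation chain performs can be modeled as successive semi-joins, in the spirit of the checkout-failure scenario from the demo. This is an added Python example, not OPAL and not Observe's own code; the dataset names, field names and log records are constructed, each link is assumed to be a single field, and time windows are ignored.

```python
# Added illustration: models a correlation chain as successive semi-joins.
# Not OPAL and not Observe's implementation; all records are constructed.

def exists(destination, origin, link):
    """Keep destination rows whose `link` value appears in any origin row.

    Only destination columns survive (a semi-join, not a full join), and
    rows with a missing link value never match.
    """
    keys = {row[link] for row in origin if row.get(link) is not None}
    return [row for row in destination if row.get(link) in keys]


def correlation_chain(origin, steps):
    """Apply each (destination, link) step to the preceding step's output."""
    current = origin
    for destination, link in steps:
        current = exists(destination, current, link)
    return current


# Constructed sample records (hypothetical datasets and fields).
CHECKOUT_LOGS = [
    {"trace_id": "t1", "status": 500, "msg": "checkout failed"},
    {"trace_id": "t2", "status": 200, "msg": "checkout ok"},
    {"trace_id": "t3", "status": 500, "msg": "checkout failed"},
    {"trace_id": None, "status": 500, "msg": "checkout failed"},
]
PAYMENT_LOGS = [
    {"trace_id": "t1", "pod": "payment-a", "msg": "card gateway timeout"},
    {"trace_id": "t2", "pod": "payment-b", "msg": "charge accepted"},
    {"trace_id": "t3", "pod": "payment-a", "msg": "card gateway timeout"},
    {"trace_id": None, "pod": "payment-c", "msg": "health check"},
]
CONTAINER_LOGS = [
    {"pod": "payment-a", "msg": "OOMKilled, restarting"},
    {"pod": "payment-b", "msg": "started"},
    {"pod": "payment-c", "msg": "started"},
]


def run_demo():
    """Failed checkouts -> payment logs (trace_id) -> container logs (pod)."""
    failed = [r for r in CHECKOUT_LOGS if r["status"] >= 500]
    return correlation_chain(
        failed, [(PAYMENT_LOGS, "trace_id"), (CONTAINER_LOGS, "pod")]
    )
```

The final output contains only rows from the last destination dataset, narrowed by every preceding step in the chain.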