Notes on Using GCP Logging

Table of Contents

Use the SEARCH() function with care
#

In the GCP Log Explorer, if you type some thing in the search bar without quote, the SEARCH() method is used.

The SEARCH() function is case insensitive. Note also that SEARCH() function uses text analyzer to tokenize the string. The SEARCH() function performs exact matches, not partial matching. So SEARCH("world") will not be able to match worldwide. Another example, suppose in some of the log entries, you may have “today is 202408180429”, if you use SEARCH("20240818"), you will find nothing matching, which you may not expect.

contain, regex match, regex unmatch
#

The following operators are very useful when searching for patterns/strings

:: contains
~=: regex match
!~: regex unmatch

For example,

textPayload =~ '.*foo.*': check if textPayload contains foo somewhere
textPayload !~ '.*foo.*': check if textPayload does not contain foo somewhere
textPayload:'foo': check if textPayload contains foo somewhere

The syntax used for the regex is RE2 syntax.

ref:

The GCP logging query language: https://cloud.google.com/logging/docs/view/logging-query-language

log retention period
#

In GCP console, you can search for “log storage”, there are different log buckets. For each bucket, you can see their retention period, which may differ from bucket to bucket.

You can configure custom retention period if you want: https://cloud.google.com/logging/docs/buckets#custom-retention.

ref:

log retention period: https://cloud.google.com/logging/quotas#logs_retention_periods

how to see logs around a log entry
#

Sometimes we may be interested the context for a certain log entry, i.e., what happens before and after the logging entry. We can do this in two ways.

We can manually specify the time interval using the timestamp field. See official doc on how to do it. You can also do it in the query editing UI by selecting the time interval.
We can also pin the message we are interested first. This message will show in the timeline histogram. Then we refine the query filter and click the pin message. The context menu shows and choose Zoom to log entry. You can do this multiple times to make the time interval to be more precise.

ref: