What is “Log Discovery”? Overview
This interface is designed for real-time interaction with extensive log data. It serves as a powerful tool for monitoring infrastructure health, identifying key patterns, and efficiently troubleshooting errors. You can look back up to two weeks from the current date using the integrated time picker.
Navigation
- On the top bar, open "Investigate".
- Click "Log Discovery".

- Search Query Bar (KQL): The large center box labeled "Filter your data using KQL syntax" is the heart of the discovery process.
- Time Picker: Click the top-right calendar icon to set the time range (e.g., "Last 15 minutes"). It is one of the most critical tools for log analysis. It ensures you are looking at the exact window of time when an incident occurred.

- Quick select: Instantly filter data using preset windows such as "Last 15 minutes" or "Today"; it also includes an "Auto-refresh" option that keeps your log view updated in real time.

- Absolute Time Ranges: You pick a specific "start" and "stop" date and time (like a snapshot of the past) to look at a fixed window of history.
- Relative Time Ranges: You look at logs from a set amount of time ago until right now (e.g., "the last 15 minutes"), and the results update as time moves forward.
- The "Now" Tab: A quick shortcut that resets your end time to the exact current moment to ensure you are seeing the most recent data available.

- Histogram: Supports interactive filtering; click and drag over specific bars to zoom in on a time period, which instantly updates the document list to show only the logs from that selection.

- This feature allows you to transition from a broad overview to a detailed analysis of specific seconds by dragging directly across the chart, instantly linking visual data insights with detailed event logs.

- The final result after zooming in: the time range has been reduced to 5 minutes and the histogram interval adjusted to 5 seconds for greater detail. This selection displays a precise count of 20,032 records.

In the sidebar, check the available fields. It is common to have hundreds of fields, so use the search box at the top of that sidebar to look for specific terms in the field names. In this example, we have entered "sou" in the search field to find the source field.

Select the Plus icon to add fields to the results table. You can also drag them from the list into the table.

Adding fields to the table replaces the existing Summary column. For example, if you add the source.user.name field, the table shows a source.user.name column instead of the Summary column.

When viewing a specific field value like source.user.name : User_A, you can use the following quick actions:
- (+) Plus Icon: Filter for this exact value (Include).
- (-) Minus Icon: Filter out this exact value (Exclude).
- Clipboard Icon: Copy the value to your clipboard.
- Expand Icon: Toggle the field view or add it as a column in your main results table.

You can use Kibana Query Language (KQL) in the search bar to find specific logs:
- Field Search: Type a field name like source.user.name to see available operators.
- Operators: You can search for an exact match using equals (:) or check if a field contains any data using exists (:*).
- Logic: Use and to require multiple conditions or or to require at least one.
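
The following is an added example, not taken from the original page: four stand-alone KQL queries (one per line) over the fields this page uses, showing an exact match combined with and, an or group in parentheses, an exists check with :*, and not for exclusion, where "User_B" and the chrome* wildcard are assumed sample values and not and parentheses go beyond the operators listed above.

```kql
source.user.name : "User_A" and user_agent.os.full : "Windows 10"
(source.user.name : "User_A" or source.user.name : "User_B") and user_agent.original : *
user_agent.original : chrome* and not user_agent.os.full : "Windows 10"
not source.user.name : *
```

The last query returns only logs where source.user.name is missing entirely, which is useful for spotting events that are not attributed to any user.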

Yellow highlighting automatically marks every occurrence of your search term within the log results, making it easy to visually confirm matches and scan through the data quickly.

For a more controlled search, you can use the blue plus (+) icon next to the search bar to open the filter menu:
- Select a Field: Start by choosing the specific metadata field you want to filter, such as user_agent.original.text.
- Choose an Operator: Select a logical operator from the dropdown menu to define your search rule:
- is / is not: To include or exclude an exact value.
- is one of / is not one of: To check against a list of multiple values.
- exists / does not exist: To find logs where the field is either present or completely missing.
- Enter a Value: Input the specific text or data you are looking for in the final box.
- Apply Filter: Once defined, the filter appears as a "pill" below the search bar, which you can easily toggle on, off, or pin to keep it active across different searches.

The Preview section allows you to verify your filter logic, such as [user_agent.original: chrome], ensuring the rule is accurate before you apply it to narrow down your results.

Click the expand icon (diagonal arrows) to the left of the timestamp to instantly open a structured, comprehensive view of the individual log's metadata, enabling in-depth analysis of every available field not visible in the main summary table.

After clicking the expand icon, a detailed Document panel opens on the right side of the screen, providing a structured view of the specific log entry.

Format Options: You can toggle between a Table view for easy reading or a JSON view to see the raw data structure.

Adding a Filter from Log Details:
- Select the Field Value: First, locate the specific value you want to focus on, such as Windows 10 within the user_agent.os.full field.
- Apply the Filter: Click the blue plus icon (+) next to that value to create an inclusion rule.
- View Results on Table: The filter instantly appears as a "pill" at the top (e.g., user_agent.os.full: Windows 10), and the main table updates to show only the logs that match this specific operating system.

Switching to the JSON tab displays the raw data structure of the log, making it easy to see technical details and copy the code to your clipboard for troubleshooting.
