Search K
Appearance
Log Analyzer ​
Parses a plain-text log file and runs one of nine analysis modes to extract entries, detect anomalies, rank actors, reconstruct sessions, or summarize trends.
Purpose ​
Use this task when a workflow needs to derive insights from application, system, or server log files without requiring external tooling. The task supports both single-line log formats and multi-line event formats where continuation lines such as stack traces are grouped with their originating timestamp. Modes range from simple keyword filtering through to spike detection and field co-occurrence analysis, making the task suitable for security monitoring, usage reporting, and operational health checks.
Inputs ​
| Field | Type | Required | Description |
|---|---|---|---|
| Log File Path | Text | Yes | Absolute path to the log file to analyze, for example C:\Logs\application.log. |
| Mode | Dropdown | Yes | Analysis function to run. Options: Extract Log Entries, Spike Detection, Top Talkers, Session Reconstruction, Error Rate Analysis, Event Classification Summary, Field Frequency Analysis, Trend Analysis, Event Co-Occurrence. |
| Keyword | Text | No | Text that must appear in a line for it to be included. Used in Extract Log Entries mode. |
| Regex Pattern | Text | No | Regular expression applied to each line as an additional filter. Used in Extract Log Entries mode. |
| Max Results | Text | No | Maximum number of matching lines to return. Used in Extract Log Entries mode. |
| Event Keyword | Text | No | Word or phrase identifying the event to count or monitor. Used in Spike Detection and Top Talkers modes. |
| Identifier Regex | Text | No | Regular expression with a capture group that extracts the actor (user, IP address, etc.) from each line. Used in Spike Detection, Top Talkers, and Session Reconstruction modes. |
| Time Window (minutes) | Text | No | Duration of the sliding window used to detect a burst of events from a single actor. Used in Spike Detection mode. |
| Spike Threshold | Text | No | Minimum number of events within the time window that constitutes a spike. Used in Spike Detection mode. |
| Top N | Text | No | Number of top-ranked actors or field values to return. Used in Top Talkers and Field Frequency Analysis modes. |
| Session Start Keyword | Text | No | Phrase indicating the beginning of a session, for example logged in. Used in Session Reconstruction mode. |
| Session End Keyword | Text | No | Phrase indicating the end of a session, for example logged out. Used in Session Reconstruction mode. |
| Timestamp Regex Pattern | Text | No | Override pattern for detecting timestamp lines when grouping multi-line events. Leave empty to use the built-in default. Used in Event Classification Summary, Field Frequency Analysis, Trend Analysis, and Event Co-Occurrence modes. |
| Include Flattened Output | Dropdown | No | Set to true to include a UI-friendly flattened array of events with all extracted properties merged into each row. Used in Event Classification Summary, Field Frequency Analysis, Trend Analysis, and Event Co-Occurrence modes. |
| Field Name | Text | No | Name of the extracted property to rank by frequency, for example User or IP. Used in Field Frequency Analysis mode. |
| Time Bucket (minutes) | Text | No | Bucket size for grouping events into time slots, for example 60 for hourly aggregation. Used in Trend Analysis mode. |
Visibility Rules ​
Keyword is only shown when Mode is set to Extract Log Entries. Regex Pattern is only shown when Mode is set to Extract Log Entries. Max Results is only shown when Mode is set to Extract Log Entries. Event Keyword is only shown when Mode is set to Spike Detection or Top Talkers. Identifier Regex is only shown when Mode is set to Spike Detection, Top Talkers, or Session Reconstruction. Time Window (minutes) is only shown when Mode is set to Spike Detection. Spike Threshold is only shown when Mode is set to Spike Detection. Top N is only shown when Mode is set to Top Talkers or Field Frequency Analysis. Session Start Keyword is only shown when Mode is set to Session Reconstruction. Session End Keyword is only shown when Mode is set to Session Reconstruction. Field Name is only shown when Mode is set to Field Frequency Analysis. Time Bucket (minutes) is only shown when Mode is set to Trend Analysis. Timestamp Regex Pattern is only shown when Mode is set to Event Classification Summary, Field Frequency Analysis, Trend Analysis, or Event Co-Occurrence. Include Flattened Output is only shown when Mode is set to Event Classification Summary, Field Frequency Analysis, Trend Analysis, or Event Co-Occurrence.
Outputs ​
| Name | Description |
|---|---|
| AnalysisResult | Structured JSON result whose shape depends on the selected mode. For Extract Log Entries it is an array of matching lines. For Spike Detection it is an array of spike objects. For Top Talkers it is a ranked array of actor/count pairs. For Session Reconstruction it is an array of session objects with start, end, and duration. For Error Rate Analysis it is an object with totalLines, errorLines, and errorRate. For the multi-line modes it is an array of classified events, frequency counts, time-bucketed trends, or field-pair co-occurrence counts respectively. |
| Metadata | Object containing totalEvents and, when timestamps are present, a timeRange object with start and end values. Only present in Event Classification Summary, Field Frequency Analysis, Trend Analysis, and Event Co-Occurrence modes. |
| FlattenedEvents | Array of flat row objects combining timestamp, message, details, and all extracted properties. Only present when Include Flattened Output is set to true. |