{{ summaryHeading }}
{{ primaryFigure }}
{{ summaryLine }}
{{ badge.label }}
Name the app, worker, API, or component represented by the pasted logs.
Balanced groups IDs and numeric values while preserving enough words for root-cause triage.
Paste log lines, JSONL, or a stack-trace excerpt; no data leaves the browser.
{{ params.log_text.length.toLocaleString() }} chars
{{ fileStatus || 'Drop LOG, TXT, JSON, or JSONL onto the textarea.' }}
{{ fileError }}
Use 5-15 for human triage; all counts still contribute to summary and JSON.
patterns
Set the count where a repeated fingerprint deserves a triage row.
events
Use smaller buckets for incident bursts and larger buckets for long slices.
min
Optional comma list, e.g. timeout, refused, deadlock, oom, unavailable.
Pattern Count Severity Share Window Example Copy
{{ row.pattern }}
{{ row.variableLabel }}
 {{ row.countDisplay }} {{ row.severityLabel }} {{ row.shareDisplay }} {{ row.windowLabel }} {{ row.example }}
No log events parsed yet.
Priority Signal Pattern Evidence Suggested next step Copy
{{ row.priority }} {{ row.signal }} {{ row.pattern }} {{ row.evidence }} {{ row.action }}
No triage rows are available until logs are parsed.
Tags: Devtools, Diagnostics, Text
Export to PDF Fullscreen
Customize
Advanced
:

Application logs are most useful when repeated events stand out from the stream. A short incident slice can contain request IDs, order numbers, stack frames, retry counters, and timestamps that make every line look different even when the same failure is happening over and over. Pattern analysis collapses those changing values so the recurring message is easier to see.

That matters during incident triage and post-deploy review. A service may show hundreds of individual log lines, but the practical question is usually smaller: which messages repeat, which ones carry error or warning severity, when did the burst happen, and which example line should be handed to the team that owns the service.

Flow diagram showing raw logs split into events, reduced to fingerprints, then summarized as a pattern ledger and triage signals.

Pattern grouping is not a replacement for traces, metrics, or full log search. It is a fast reduction pass. It helps decide where to look first, which repeated messages deserve suppression or alert tuning, and whether a noisy run is mostly one failure or many unrelated events.

The main caution is that a repeated pattern is evidence of repetition, not proof of one root cause. Two errors can share the same normalized wording while coming from different requests, tenants, hosts, or dependency states. A good triage note keeps the grouped pattern, severity, time window, and an original example line together.

Technical Details:

Log pattern analysis starts by turning raw text into event records. Each event needs a message body, and it becomes much more useful when a timestamp, severity, service name, and stack-frame context can also be found. Structured logs often expose those parts as fields. Plain text logs usually require pattern matching around prefixes such as timestamps, level words, and key-value pairs.

The pattern fingerprint is the important reduction step. Values that usually change from event to event, such as request IDs, user IDs, IP addresses, durations, long hexadecimal identifiers, and numeric counters, are replaced with placeholders. The remaining words form the signature used for grouping. That is why several payment errors with different order numbers can collapse into one row while a retry warning remains separate.

Severity is normalized into a compact set of levels: fatal, error, warn, info, debug, trace, and unknown. OpenTelemetry uses the same broad severity families, while syslog has its own numeric severity scale from emergency through debug. Real application logs mix these traditions, so the safest output treats severity as a triage cue and keeps the original example text nearby.

Stage Rule used here Why it matters
Event splitting Non-empty lines start a new event when they look like JSON objects, begin with a timestamp, or begin with a known level word. Indented stack lines, Caused by:, Traceback, and similar continuations stay attached to the current event. Stack traces stay tied to the error that produced them instead of inflating the event count.
Timestamp parsing ISO-style timestamps, slash-separated date-time prefixes, syslog-style month/day timestamps, and common JSON timestamp fields are recognized. Missing timestamps are kept as No timestamp. Time charts can show burst windows when timestamps exist, while untimestamped rows remain visible.
Severity parsing Level fields, severity fields, bracketed level words, line prefixes, and numeric level values are mapped to the normalized level set. Error and warning counts become comparable across mixed text and JSONL excerpts.
Message extraction JSON logs prefer message-like fields such as message, msg, and error.message. Text logs remove timestamp and level prefixes before fingerprinting the remaining message. The grouped pattern reflects the event text instead of the prefix decoration around it.
Critical terms When a line has no parsed level, matching terms such as timeout, refused, deadlock, oom, unavailable, or failed can elevate the event to error. Important failure wording is not lost just because the logger omitted a formal level.

Fingerprint detail changes how much variation is allowed inside one grouped pattern. A stricter pass keeps more literal wording and therefore produces more unique patterns. A coarser pass replaces more values and key-value pairs, which is useful when request-specific fields are hiding a repeated symptom.

Fingerprint detail Values collapsed Best use
Strict grouping URLs, UUIDs, long hex tokens, IP addresses, email addresses, durations, ID-like key values, and long numbers. Comparing nearly identical messages when small wording differences matter.
Balanced grouping Everything in strict mode, plus ordinary numbers, long quoted values, and path-like strings. The safest first pass for incident slices with request IDs, counters, status codes, and paths.
Coarse grouping Everything in balanced mode, plus general key-value values and longer bracketed or parenthesized values. Finding repeated symptoms when structured fields make most lines look unique.

The count and time calculations are deterministic. Each parsed event contributes to one fingerprint. The pattern share is the pattern count divided by the total parsed events. A pattern becomes a noisy pattern when its count is greater than or equal to the selected noisy threshold. The pattern limit affects the visible ledger and frequency chart, but the summary, JSON data, and noisy-pattern calculation still use all parsed events up to the browser limit.

Boundary Value or rule Interpretation
File size Selected log files must be under 2 MiB. Use a focused excerpt rather than a whole archive.
Parsed-event cap At most 10,000 events are analyzed in one browser run. Skipped events are reported so large excerpts do not silently distort the result.
Pattern limit 1 to 25 visible patterns. Controls the ledger and frequency chart, not the full event count.
Noisy threshold 2 to 500 events, inclusive. Patterns at or above this count become repeated-noise or recurring-failure candidates.
Time interval 1 to 120 minutes. Timestamped events are grouped into interval starts; missing timestamps are grouped separately.

Everyday Use & Decision Guide:

Start with one service slice and leave Fingerprint detail on Balanced grouping. A service name such as payments-api is only a label for the result and exports, but it helps keep copied rows attached to the right application when several teams are sharing notes.

Paste a short incident window into Application logs or load a LOG, TXT, JSON, or JSONL file. The file is read in the browser, and the log text is not uploaded for the analysis. If the excerpt is empty, the page asks for at least one application log line. If no timestamps are parsed, the severity time view still works, but it can only show the untimestamped group.

  • Use Pattern Ledger first. The highest-count rows show the repeated messages, their severity, share of the excerpt, time window, and one example line.
  • Open Noise Triage when the first decision is what to investigate. P1 and P2 rows point to fatal or error patterns, P3 rows point to repeated warnings, and lower-priority rows usually describe baseline or tuning work.
  • Raise Noisy threshold when a busy service produces too many repeated low-value rows. Lower it when a short excerpt has only a few events but still needs attention.
  • Switch to Coarse grouping when most events are unique because of IDs, path fragments, or key-value noise. Switch to Strict grouping when you need to preserve small wording differences.
  • Use Critical terms for logs that omit levels but contain words such as deadlock, timeout, or unavailable.

Do not suppress or route an alert from the count alone. Pair the pattern with its example line, the Window, and the suggested next step, then confirm against traces, dependency health, or deploy history before treating the row as a root cause.

Step-by-Step Guide:

Use a focused excerpt so the grouped patterns describe one incident, deploy window, service component, or recurring warning class.

  1. Enter a label in Service name, such as payments-api, so the exported summary and JSON identify the log source.
  2. Leave Fingerprint detail on Balanced grouping for the first pass unless you already know the log format needs strict or coarse matching.
  3. Paste text into Application logs, drag a supported file onto the textarea, choose Browse log, or press Load sample. If the page shows Paste at least one application log line or load the sample., add source text before reading results.
  4. Use Normalize spacing if pasted text has trailing spaces or extra blank gaps that make the excerpt harder to scan.
  5. Open Advanced only when the first pass needs tuning. Set Pattern limit for the number of visible rows, Noisy threshold for repeat detection, Time bucket for timestamp grouping, and Critical terms for failure words in logs without formal levels.
  6. Read the summary line. It reports error/fatal count, warning count, noisy patterns, and total parsed events.
  7. Review Pattern Ledger for grouped messages, then Noise Triage for priority, evidence, and suggested next step.
  8. Use Log Pattern Frequency and Severity Time Buckets when the count distribution or burst timing will help explain the incident.
  9. Open JSON when another workflow needs the normalized settings, summary, ledger rows, triage rows, and time buckets in structured form.

A useful finish is a short note with the top pattern, its count, severity, time window, and one copied example line.

Interpreting Results:

The top count is the first signal, but the severity and example line decide whether that signal is actionable. A repeated debug or info pattern may be harmless baseline noise. A smaller error pattern can matter more when it lines up with a user-visible outage, deploy, or dependency incident.

  • Pattern is the normalized message signature. Placeholder tokens such as <num>, <id>, <ip>, or <path> mean variable values were collapsed before grouping.
  • Count is the number of parsed events in that pattern. It is not the number of users affected or requests failed.
  • Severity is the highest meaningful severity seen in the group, with unknown used when no level or critical term was found.
  • Share shows how much of the pasted excerpt belongs to the pattern. A high share can mean one dominant failure, but it can also mean the excerpt was already filtered around that failure.
  • Window depends on parsed timestamps. If it says No timestamp, use the original log source or collector time before making burst-timing claims.

Noise Triage rows are practical hints, not incident severity declarations. P1 and P2 point to fatal or error rows that deserve correlation. P3 marks repeated warnings at or above the noisy threshold. P4 often means baseline noise, fingerprint tuning, or partial timestamp coverage. P5 means the excerpt looks baselineable under the current settings.

When High unique-pattern ratio appears, the current fingerprint setting is probably too strict for the excerpt or the logs need more consistent structured fields. Try Coarse grouping, then compare whether the top rows now describe real repeated symptoms instead of unrelated messages merged together.

Worked Examples:

Payment provider errors after checkout

A slice from payments-api contains three lines like ERROR ... charge failed status=502 provider=stripe, each with a different request or order ID. With Balanced grouping, those variable values collapse and the ledger shows one repeated error pattern with a count of 3. Because the default Noisy threshold is 2, Noise Triage marks it as a recurring failure pattern and suggests correlating the sample requests with traces, dependency status, and recent deploys.

Stack trace excerpt with continuation lines

An error line is followed by indented at ... frames and a Caused by: line. The continuation lines stay attached to the current event instead of becoming separate patterns. The ledger count remains tied to the actual error event, while the JSON summary can still show that stack-frame events were present. If the first line has no timestamp, the timeline groups it under No timestamp.

Too many unique patterns after a strict pass

A Kubernetes worker emits one warning per job, and each message includes a job ID, path, duration, and attempt counter. With Strict grouping, most rows stay unique and Noise Triage may report a high unique-pattern ratio. Switching to Coarse grouping collapses more key-value values, making it easier to see whether the warnings are one repeated retry symptom or many unrelated job failures.

FAQ:

Can I paste JSON Lines logs?

Yes. Each JSON object line is parsed as one event when it can be read as JSON. Message-like fields, timestamp fields, severity fields, and service fields are preferred when present.

Why did the same error split into several patterns?

The fingerprint setting may be too strict for the values that change in your logs. Try Balanced grouping first, then Coarse grouping if IDs, paths, quoted values, or key-value fields still keep related events apart.

Why did unrelated messages merge into one pattern?

The grouping may be too coarse for this excerpt. Switch to Strict grouping when the wording difference itself matters, then compare the example lines before trusting the count.

What happens when timestamps are missing?

The events still count toward patterns and severity totals, but the time chart groups them as No timestamp. Normalize logger timestamps before using the result for burst timing.

Does the analysis upload my logs?

No. Pasted text and selected files are read in the browser for the analysis. Avoid pasting secrets anyway, because exported tables, copied rows, shared URLs, browser history, and screenshots can still spread sensitive log content.

Why does the page warn about skipped events?

Only the first 10,000 parsed events are analyzed in one run. If the warning appears, trim the excerpt to the incident window or split the log into smaller slices before comparing patterns.

Glossary:

Fingerprint
A normalized message signature created after variable values such as IDs, numbers, paths, and addresses are replaced with placeholders.
Pattern
A group of events that share the same fingerprint.
Noisy threshold
The minimum count that makes a repeated pattern appear as noise or a recurring failure candidate.
Severity
The normalized level assigned to an event, such as fatal, error, warn, info, debug, trace, or unknown.
JSON Lines
A text format where each non-blank line is a separate JSON value, often used for structured logs.
Time bucket
A fixed interval used to group timestamped events for the severity timeline.

References: