05 Dec 2023 12:00 PM - last edited on 11 Mar 2024 06:16 PM by donald_ferguson
We are migrating from a third-party tool to Grail.
We have already started ingesting logs into the dev tenant. The first question: What syntax can I use in Matcher (DQL) so that 100% of the logs go to the created bucket?
Second question, how do I know that Matcher (DQL) is working correctly? How do I know that logs are being pushed to the specific bucket, with the retention period I configured on the bucket? How do I know how many GB are in this bucket?
06 Dec 2023 08:48 AM
Hi @WellPP
If you want all logs to go to another bucket, then you need to use the following matcher:
isNotNull(content)
If you want to verify in which bucket a record is stored, just add dt.system.bucket to the query:
fetch logs
| fieldsAdd dt.system.bucket
To know how much data is being retained in all log buckets, go to account management -> subscription -> overview -> then click on details for "Log management and analytics - retain".
Best,
Sini