# DTail usage examples
> Published at 2023-09-25T14:57:42+03:00
Hey there. As I am pretty busy this month personally (I am now on Paternity Leave) and as I still want to post once monthly, the blog post of this month will only be some DTail usage examples. They're from the DTail documentation, but not all readers of my blog may be aware of those!
DTail is a distributed DevOps tool for tailing, grepping, catting logs and other text files on many remote machines at once which I programmed in Go.
=> https://dtail.dev
```
,_---~~~~~----._
_,,_,*^____ _____``*g*\"*,
____ _____ _ _ / __/ /' ^. / \ ^@q f
| _ \_ _|_ _(_) | @f | ((@| |@)) l 0 _/
| | | || |/ _` | | | \`/ \~____ / __ \_____/ \
| |_| || | (_| | | | | _l__l_ I
|____/ |_|\__,_|_|_| } [______] I
] | | | |
] ~ ~ |
| Let's tail those logs! |
| |
```
<< template::inline::toc
## Commands
DTail consists of a server and several client binaries. In this post, I am showcasing their use!
* Use `dtail` to follow logs
* Use `dtail` to aggregate logs while they are followed
* Use `dcat` to display logs and other text files already written
* Use `dgrep` to grep (search) logs and other text files already written
* Use `dmap` to aggregate logs and other text files already written
* `dserver` is the DTail server, which all the clients connect to
## Following logs
The following example demonstrates how to follow logs of several servers at once. The server list is provided as a flat text file. The example filters all records containing the string `INFO`. Any other Go compatible regular expression can also be used instead of `INFO`.
```shell
% dtail --servers serverlist.txt --grep INFO --files "/var/log/dserver/*.log"
```
Hint: you can also provide a comma-separated server list, e.g.: `--servers server1.example.org,server2.example.org:PORT,...`
=> ./dtail-usage-examples/dtail.gif Tail example
> Hint: You can also use the shorthand version (omitting the `--files`)
```shell
% dtail --servers serverlist.txt --grep INFO "/var/log/dserver/*.log"
```
## Aggregating logs
To run ad-hoc map-reduce aggregations on newly written log lines, you must add a query. The following example follows all remote log lines and prints the result to standard output every few seconds.
> Hint: To run a map-reduce query across log lines written in the past, please use the `dmap` command instead.
```shell
% dtail --servers serverlist.txt \
--files '/var/log/dserver/*.log' \
--query 'from STATS select sum($goroutines),sum($cgocalls),
last($time),max(lifetimeConnections)'
```
Beware: For map-reduce queries to work, you have to ensure that DTail supports your log format. Check out the documentation of the DTail query language and the DTail log formats on the DTail homepage for more information.
=> ./dtail-usage-examples/dtail-map.gif Tail map-reduce example
> Hint: You can also use the shorthand version:
```shell
% dtail --servers serverlist.txt \
--files '/var/log/dserver/*.log' \
'from STATS select sum($goroutines),sum($cgocalls),
last($time),max(lifetimeConnections)'
```
Here is another example:
```shell
% dtail --servers serverlist.txt \
--files '/var/log/dserver/*.log' \
--query 'from STATS select $hostname,max($goroutines),max($cgocalls),$loadavg,
lifetimeConnections group by $hostname order by max($cgocalls)'
```
=> ./dtail-usage-examples/dtail-map2.gif Tail map-reduce example 2
You can also continuously append the results to a CSV file by adding `outfile append filename.csv` to the query:
```shell
% dtail --servers serverlist.txt \
--files '/var/log/dserver/*.log' \
--query 'from STATS select ... outfile append result.csv'
```
## How to use `dcat`
The following example demonstrates how to cat files (display the full content of the files) on several servers at once.
As you can see in this example, a DTail client also creates a local log file of all received data in `~/log`. You can also use the `-noColor` and `-plain` flags (these also work with DTail commands other than `dcat`).
```shell
% dcat --servers serverlist.txt --files /etc/hostname
```
=> ./dtail-usage-examples/dcat.gif Cat example
> Hint: You can also use the shorthand version:
```shell
% dcat --servers serverlist.txt /etc/hostname
```
## How to use `dgrep`
The following example demonstrates how to grep files (display only the lines which match a given regular expression) on multiple servers at once. In this example, we look for some entries in `/etc/passwd`. This time, we don't provide the server list via a file but rather via a comma-separated list directly on the command line. We also explore the `-before`, `-after` and `-max` flags (see animation).
```shell
% dgrep --servers server1.example.org:2223 \
--files /etc/passwd \
--regex nologin
```
Generally, `dgrep` is also a very useful way to search historic application logs for certain content.
=> ./dtail-usage-examples/dgrep.gif Grep example
> Hint: `-regex` is an alias for `-grep`.
## How to use `dmap`
To run a map-reduce aggregation over logs written in the past, the `dmap` command can be used. The following example aggregates all map-reduce fields. `dmap` will print interim results every few seconds. You can also write the result to a CSV file by adding `outfile result.csv` to the query.
```shell
% dmap --servers serverlist.txt \
--files '/var/log/dserver/*.log' \
--query 'from STATS select $hostname,max($goroutines),max($cgocalls),$loadavg,
lifetimeConnections group by $hostname order by max($cgocalls)'
```
Remember: For that to work, you have to make sure that DTail supports your log format. You can either use the ones already defined in `internal/mapr/logformat` or add an extension to support a custom log format. The example here works out of the box though, as DTail understands its own log format already.
=> ./dtail-usage-examples/dmap.gif DMap example
## How to use the DTail serverless mode
All examples so far required remote server(s) to connect to. That makes sense, as after all DTail is a *distributed* tool. However, there are circumstances where you don't really need to connect to a server remotely. For example, you already have a login shell open on the server and all you want is to run some queries directly on local log files.
The serverless mode does not require a running `dserver`, and therefore there is no networking/SSH involved.
All commands shown so far also work in serverless mode. All that needs to be done is to omit the server list. The DTail client then starts in serverless mode.
### Serverless map-reduce query
The following `dmap` example is the same as the previously shown one, but the difference is that it operates on a local log file directly:
```shell
% dmap --files /var/log/dserver/dserver.log \
--query 'from STATS select $hostname,max($goroutines),max($cgocalls),$loadavg,
lifetimeConnections group by $hostname order by max($cgocalls)'
```
As a shorthand version the following command can be used:
```shell
% dmap 'from STATS select $hostname,max($goroutines),max($cgocalls),$loadavg,
lifetimeConnections group by $hostname order by max($cgocalls)' \
/var/log/dserver/dserver.log
```
You can also use a file input pipe as follows:
```shell
% cat /var/log/dserver/dserver.log | \
dmap 'from STATS select $hostname,max($goroutines),max($cgocalls),$loadavg,
lifetimeConnections group by $hostname order by max($cgocalls)'
```
### Aggregating CSV files
In essence, this works exactly like aggregating logs. All files operated on must be valid CSV files and the first line of the CSV must be the header. E.g.:
```shell
% cat example.csv
name,lastname,age,profession
Michael,Jordan,40,Basketball player
Michael,Jackson,100,Singer
Albert,Einstein,200,Physician
% dmap --query 'select lastname,name where age > 40 logformat csv outfile result.csv' example.csv
% cat result.csv
lastname,name
Jackson,Michael
Einstein,Albert
```
DMap can also be used to query and aggregate CSV files from remote servers.
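As an added example (not part of the DTail documentation or code base): because `dmap` expects the first line to be the header, a small pre-flight check can confirm that the header names every field the query references and that each row has the header's column count. The function name `csv_preflight` is hypothetical, and the check assumes plain comma-separated data without quoted commas.

```shell
#!/bin/sh
# Added example: pre-flight check for a CSV file before querying it with dmap.
# Assumption: simple comma-separated data, no quoted fields containing commas.

# csv_preflight FILE FIELD...
# Returns 0 if FILE has a header naming every FIELD and every non-blank row
# has as many columns as the header. Otherwise reports the first problem on
# stderr and returns 1.
csv_preflight() {
    file=$1; shift
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    awk -F',' -v want="$*" '
        NR == 1 {
            sub(/\r$/, "")                  # tolerate a CRLF header line
            ncols = NF
            for (i = 1; i <= NF; i++) have[$i] = 1
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) {
                    printf "header lacks field: %s\n", w[i]
                    bad = 1; exit
                }
            next
        }
        /^[ \t]*$/ { next }                 # ignore blank lines
        NF != ncols {
            printf "line %d: %d columns, header has %d\n", NR, NF, ncols
            bad = 1; exit
        }
        END {
            if (NR == 0) { print "empty file"; bad = 1 }
            exit bad + 0
        }
    ' "$file" >&2
}

# Constructed sample: the CSV from this post, checked for the fields used in
# the query "select lastname,name where age > 40".
sample=$(mktemp)
printf '%s\n' 'name,lastname,age,profession' \
    'Michael,Jordan,40,Basketball player' \
    'Michael,Jackson,100,Singer' \
    'Albert,Einstein,200,Physician' > "$sample"
csv_preflight "$sample" lastname name age && echo "ok: header and rows are consistent"
rm -f "$sample"
```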
### Other serverless commands
The serverless mode works transparently with all other DTail commands. Here are some examples:
```shell
% dtail /var/log/dserver/dserver.log
```
```shell
% dtail --logLevel trace /var/log/dserver/dserver.log
```
```shell
% dcat /etc/passwd
```
```shell
% dcat --plain /etc/passwd > /etc/test
# Should show no differences.
diff /etc/test /etc/passwd
```
```shell
% dgrep --regex ERROR --files /var/log/dserver/dserver.log
```
```shell
% dgrep --before 10 --after 10 --max 10 --grep ERROR /var/log/dserver/dserver.log
```
Use `--help` for more available options. Or go to the DTail page for more information! Hope you find DTail useful!
E-Mail your comments to `paul@nospam.buetow.org` :-)
Other related posts are:
<< template::inline::rindex dtail
I hope you find the tools presented in this post useful!
Paul
=> ../ Back to the main site