Groups are a way to represent a portion of your logs. Examples:
Create groups for different sets of senders (typically systems) that you frequently examine logs from.
Senders may be part of multiple groups. For example, a Web server in NYC may be in the groups “Web servers”, “NYC colo”, and “E-commerce site”.
Think of groups and searches as far more flexible equivalents to a log file name. Groups decide which senders should be examined. Searches can further refine the logs that you see from those senders (by log file name/program name and many other attributes, even sender).
When the account was created, Papertrail automatically added a group called All Systems or All Apps that contains every sender. When you create a new group, it will appear on the Dashboard along with that group.
Groups are sets of senders, typically systems. Searches can further constrain which log messages are shown, creating a view of only certain messages from the senders in that group.
A search examines the logs from the senders that are part of that group. When a group is created, Papertrail automatically includes an All events search for you. This search simply applies no further constraints. For example, clicking the All events search within the All Systems group shows all messages from all systems.
Frequently-used searches can be saved within the relevant group. For example, within a “DB servers” group, there might be searches called “Slow queries”, “Deadlocks”, and “UPDATE queries”, each of which provides a different filtered view of the logs.
To change a group’s name or add or remove senders, click the name of the group, like SJC datacenter in this screenshot:
On the group detail page, click Edit Settings & Membership in the upper right corner:
On the group settings page, add or remove individual systems by checking or un-checking the box next to the system.
The automatically-created group All Systems or All Apps is not editable.
Yes. See mapping senders to groups.
Yes. Imagine that one search needs to exclude logs from a sender that is a member of the group. For example, there is an existing group called “Web servers” that includes a sender called www42. In one specific search in the “Web servers” group, logs from www42 should be excluded.
Because this specific set of systems (“Web servers except www42”) is not frequently examined, it probably doesn’t justify creating a new group. In that case, use the search query to exclude logs from
abc def "something else" -sender:www42
This will run the abc def "something else" search, but with an additional operator to exclude logs from any senders whose name contains
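As an added illustration (not Papertrail's own code), here is a small Python model of the two-stage filtering described above: the group selects senders, then the search query narrows the messages further, including the -sender: exclusion from the example query. The matching rules (case-insensitive substring, every term required) and the sample events are assumptions made for the example.

```python
import re

# Constructed sample events as (sender, message); not real Papertrail data.
EVENTS = [
    ("www1",  "abc def request took 40ms something else"),
    ("www42", "abc def request took 90ms something else"),
    ("www42", "abc def health check"),
    ("db1",   "abc def something else slow query"),
]

# One token: optional leading '-', optional attribute: prefix, then a
# "quoted phrase" or a bare word.
TOKEN = re.compile(r'(-?)(?:(\w+):)?(?:"([^"]*)"|(\S+))')


def parse_query(query):
    """Split a Papertrail-style query into required terms and sender exclusions.

    Assumed semantics (an approximation, not Papertrail's parser): bare words
    and "quoted phrases" must all appear in the message; -sender:NAME excludes
    any sender whose name contains NAME. Other attributes are rejected."""
    terms, excluded_senders = [], []
    for neg, attr, phrase, word in TOKEN.findall(query):
        value = (phrase or word).lower()
        if attr == "sender" and neg:
            excluded_senders.append(value)
        elif attr == "" and not neg:
            terms.append(value)
        else:
            raise ValueError(f"unsupported token: {neg}{attr}:{value}")
    return terms, excluded_senders


def search(group_senders, query, events=EVENTS):
    """Return the events a search within a group would show.

    Stage 1: keep only senders that are members of the group.
    Stage 2: apply the query (term matching and -sender: exclusions)."""
    terms, excluded = parse_query(query)
    hits = []
    for sender, message in events:
        if sender not in group_senders:
            continue  # sender is not in this group at all
        if any(x in sender.lower() for x in excluded):
            continue  # removed by a -sender: operator
        if all(t in message.lower() for t in terms):
            hits.append((sender, message))
    return hits
```

Running search({"www1", "www42"}, 'abc def "something else" -sender:www42') returns only the www1 event, the "Web servers except www42" view from the text without creating a separate group.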