vRLI Cloud: KB Insights, Live Tail, and Log RCA
VMware vRealize Log Insight Cloud (vRLI Cloud) was introduced back in 2020. Since then VMware has released new versions on a roughly monthly cadence. vRLI Cloud development is done cloud first, so new features are introduced in vRLI Cloud before vRLI. Three of these features are KB Insights, Live Tail, and Log RCA.
KB Insights - introduced in May 2021, KB Insights provides KB articles as solutions for problems found in your logs. It uses a combination of processes and Machine Learning methods to discover errors or exceptions. Documentation can be found here.
Log RCA - still in Beta, Log RCA provides the framework around which you can perform Root Cause Analysis with vRLI Cloud.
Let's explore KB Insights! Found under the Analytics tab, KB Insights automatically discovers errors and exceptions in the logs and proposes solutions based on published KBs.
My vRLI Cloud instance has discovered 28 errors/exceptions and potential fixes via published KBs. Let's explore the first one; clicking the link shows us the details.
At the top you'll see there are 230 occurrences of this error/exception and a graph representing their occurrence over time. In the middle are the Suggested Solutions. These are the KBs detailing potential fixes, and clicking a KB link takes you to the article itself. If the KB was helpful, give it a thumbs up; if not, give it a thumbs down. This will help to refine the vRLI Cloud Machine Learning algorithm. At the bottom you'll see all of the logs, similar to what you would see in Explore Logs.
Top right you can always click the EXPLORE LOGS button to see the query itself and all log entries.
Back at the KB Insights tab there are a couple more options. First, you can compare the errors/exceptions (up to four) via the ACTIONS dropdown.
Click Compare as Queries and you'll see them in context.
The three dots next to each error/exception will give you the option to run the query behind them, save the query as an alert, or save the query itself.
The next vRLI Cloud feature we'll explore is Live Tail. Introduced in June 2021, Live Tail allows you to explore logs in real time. Under its own tab in the left pane, put something in the search box and hit enter to start your tail.
The Stream represents all log entries with the string "error" in them. Live Tail allows you to search all logs for a certain string in real time, providing you with very wide coverage from a single point of entry. You can search using saved queries via OPEN SAVED QUERY at the top or favorite queries via the Favorite dropdown. Live Tail supports Index Partition searches as well, allowing you to run highly efficient tails pointed at just the logs you want.
To enrich your Live Tail, you can add fields to your Stream at any time via the icon just below Stream.
Exploring logs as you normally would is always available via the EXPLORE LOGS button top right.
Back under the Analytics tab, you'll find the most recent feature in vRLI Cloud, Log RCA, which is in BETA at this point.
Log RCA allows you to create and save RCA activities for future reference and/or audit purposes. To begin an RCA, click the NEW INVESTIGATION button top right.
I've given my investigation a Name, Context, Incident Date and Time, Period, and Log Sensitivity. This tells vRLI Cloud where, when, and how much to look for around the time of your Incident. The fields are fairly self-explanatory, but hovering over the information bubbles will give you more details.
Click the START button top right and your Investigation will be generated.
Once complete, your Investigation will have a little green circle next to it. For details, click on the Investigation Name.
You are given Top Activities around the specified time period, sorted by Score, with the number of Messages and the number of Key Terms in each. There will be more to come on Log RCA as it progresses through the BETA program.
vRLI Cloud (and other vRealize Cloud Services) are being updated roughly monthly at this point, so if you're missing a feature today, be sure to open a feature request. Chances are you'll have it sooner rather than later. For more information on vRLI Cloud go here!