LogLogger4 should make it easier to access historical entries in logs, but if you want to look at anything beyond Time Machine backups, it is still not as simple as I would like. Here are some tips which I hope will help you get more out of it, and more relevant content from the logs. I will add to this as I gain more experience, and welcome suggestions from others as comments, please.
1. Predicate patterns
These are given as the settings in the Pattern popup, the Operator popup, and the Text. Where they use two sets of patterns, the Logical operator is given before the second Pattern, Operator, and Text values. Convert them into predicates for the log command thus:
[Pattern] [Operator] [Text] [Logical] [Pattern] [Operator] [Text]
becomes
log show --predicate '([Pattern] [Operator] "[Text]") [Logical] ([Pattern] [Operator] "[Text]")'
Show messages from the kernel: processImagePath CONTAINS[c] kernel
Show Time Machine backup messages: subsystem == com.apple.TimeMachine AND eventMessage CONTAINS[c] backup
or processImagePath CONTAINS[c] backupd AND eventMessage CONTAINS[c] backup
Show power management messages about batteries: processImagePath CONTAINS[c] powerd AND eventMessage CONTAINS[c] battery
Show kernel messages about Bluetooth: processImagePath CONTAINS[c] kernel AND eventMessage CONTAINS[c] bluetooth
Show kernel messages about Thunderbolt: processImagePath CONTAINS[c] kernel AND eventMessage CONTAINS[c] thunderbolt
Show messages concerning preparations for sleep: processImagePath CONTAINS[c] apsd AND eventMessage CONTAINS[c] sleep
Show startups: eventMessage CONTAINS[c] BOOT_TIME
Show error messages: eventMessage CONTAINS[c] error
2. Additional options
Specify a time interval to be used for the log extraction by setting the Period (integer) value to 0, and adding an option of the following form to the Additional options text box:
--start '2016-09-30 06:58:10' --end '2016-09-30 06:59:00'
The date-time format is YYYY-MM-DD HH:MM:SS
To include debug messages, add --debug to the Additional options text box.
3. Strategies
a. Identify the time of interest. For the events leading to a restart, or problems arising during startup, identify the last startup time using
eventMessage CONTAINS[c] BOOT_TIME
For wake/sleep events, try variations on the theme of
processImagePath CONTAINS[c] apsd AND eventMessage CONTAINS[c] sleep
or
processImagePath CONTAINS[c] apsd AND eventMessage CONTAINS[c] wake
For app crashes, search for entries by the app, such as
processImagePath CONTAINS[c] MyAppName OR eventMessage CONTAINS[c] myappname
b. Investigate the period prior to or after the identified event. If you are going to limit the search using --start and --end, try to add at least a minute before the time of interest, and a minute after. So if the event period you’re interested in is 20:00:00 to 20:01:00, use
--start '2016-10-20 19:59:00' --end '2016-10-20 20:02:00'
Filter as specifically as you can using predicates, particularly if the period of interest is longer than a minute, or you could end up with a huge number of log entries. If you are at a loss as to what to filter with, obtain a complete extract of all log entries for a minute before and after the event time, setting the predicate filter to none. That can still generate more than 65,000 log entries, but at least it’s a start! Then browse that extract and work out what filters to use.
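The conversion in section 1 and the time window in sections 2 and 3b can be scripted. This is an added example, not part of LogLogger4 or the original tips: the function names are hypothetical, it accepts only the patterns and operators listed above, and it prints the log command for review instead of running it.

```shell
#!/bin/sh
# Added example, not LogLogger's code: function names are hypothetical.
# The command is printed for review, never executed.

# Escape \ and " so Text cannot close the predicate's string literal early.
esc_text() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# Single-quote for the shell so $, ` and ' inside Text are not interpreted.
sh_quote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# clause PATTERN OPERATOR TEXT  ->  (PATTERN OPERATOR "TEXT")
# Only the patterns and operators that appear in the tips are accepted.
clause() {
    case "$1" in
        processImagePath|eventMessage|subsystem) ;;
        *) echo "unsupported pattern: $1" >&2; return 1 ;;
    esac
    case "$2" in
        'CONTAINS[c]'|'==') ;;
        *) echo "unsupported operator: $2" >&2; return 1 ;;
    esac
    printf '(%s %s "%s")' "$1" "$2" "$(esc_text "$3")"
}

# predicate P O T [LOGICAL P O T]
predicate() {
    first=$(clause "$1" "$2" "$3") || return 1
    [ $# -eq 3 ] && { printf '%s' "$first"; return 0; }
    case "$4" in AND|OR) ;; *) echo "unsupported logical: $4" >&2; return 1 ;; esac
    second=$(clause "$5" "$6" "$7") || return 1
    printf '%s %s %s' "$first" "$4" "$second"
}

# The date-time format from section 2: YYYY-MM-DD HH:MM:SS
valid_stamp() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}$'
}

# log_cmd START END P O T [LOGICAL P O T]
log_cmd() {
    valid_stamp "$1" && valid_stamp "$2" || { echo "bad date-time" >&2; return 1; }
    start=$1; end=$2; shift 2
    pred=$(predicate "$@") || return 1
    printf 'log show --predicate %s --start %s --end %s\n' \
        "$(sh_quote "$pred")" "$(sh_quote "$start")" "$(sh_quote "$end")"
}

log_cmd '2016-10-20 19:59:00' '2016-10-20 20:02:00' \
    processImagePath 'CONTAINS[c]' backupd AND eventMessage 'CONTAINS[c]' backup
```

Quoting the Text value at both levels matters when it is pasted from a crash report or another log: a stray quote would otherwise change the predicate or be interpreted by the shell.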
Last updated 19 October 2016.