Unified log structure and available data

Until Apple introduced the Unified log in macOS Sierra, log files in OS X were conventional, and consisted of text with largely unstructured content.

Browsing your logs using Console is a vital part of diagnosing many problems.
Traditional text logs in OS X 10.10 Yosemite before they changed in Sierra.

A typical entry appeared as
01/10/2015 18:12:07.089 com.apple.xpc.launchd[1]: assertion failed: 15A284: launchd + 86915 [13D08717-B23A-38BE-85A6-085B051F8322]: 0x11
bearing the date and time stamp, identification of the process posting that log entry, and a long composite text message.

In the Unified log in Sierra and later, log entries are like those in a structured database, each containing multiple fields. If you access the log using the popular ‘syslog’ style in the log show command, this is what you get from all that structure:
2022-08-25 15:22:01.008417+0100 localhost bluetoothd[1766]: [spid 0x291385ea6c83b460, process, begin] [com.apple.bluetooth:HIDProfileDispatch] HIDInterruptData: Before Dispatch
which is the date and time stamp, the name of the process and its ID, followed by a composite message, much as in the old unstructured logs.

There’s also a ‘default’ format:
2022-08-25 15:22:01.008417+0100 0x1590e Signpost 0x0 1766 0 [spid 0x291385ea6c83b460, process, begin] bluetoothd: [com.apple.bluetooth:HIDProfileDispatch] HIDInterruptData: Before Dispatch
which gives the date and time stamp, the thread ID, its type (here a Signpost), an activity ID, process ID, TTL, and the composite message.

Dumping all the key-value pairs for that entry reveals how much more there is to its contents:
"traceID" : 29708737644232966,
"eventType" : "signpostEvent",
"signpostID" : 2959856622001960032,
"signpostScope" : "process",
"source" : null,
"formatString" : "Before Dispatch",
"activityIdentifier" : 0,
"subsystem" : "com.apple.bluetooth",
"category" : "HIDProfileDispatch",
"threadID" : 88334,
"senderImageUUID" : "F3039BD4-853E-3A2D-9A25-789E1CA28E0F",
"signpostType" : "begin",
"backtrace" : {
  "frames" : [
    {
      "imageOffset" : 4532348,
      "imageUUID" : "F3039BD4-853E-3A2D-9A25-789E1CA28E0F"
    }
  ]
},
"bootUUID" : "3644B96E-1DFD-4E4A-A0FC-D4A5BB5D29A4",
"processImagePath" : "\/usr\/sbin\/bluetoothd",
"timestamp" : "2022-08-25 15:22:01.008417+0100",
"senderImagePath" : "\/usr\/sbin\/bluetoothd",
"signpostName" : "HIDInterruptData",
"machTimestamp" : 490962333576406,
"eventMessage" : "Before Dispatch",
"processImageUUID" : "F3039BD4-853E-3A2D-9A25-789E1CA28E0F",
"processID" : 1766,
"senderProgramCounter" : 4532348,
"parentActivityIdentifier" : 0,
"timezoneName" : ""

My free log browser Ulbow can’t provide that verbose detail, though, and you’ll need to select the JSON style in Consolation 3 to obtain them all in that JSONised format.

Depending on what you’re looking for in the logs, you need different fields and some means of distinguishing them to make their reading easier. Thus one of the most important requirements to help you browse the Unified log is for custom style options, to determine which fields are displayed, and how.
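
The mapping from structured fields to a displayed style can be reproduced from JSON-style output. The following Python is an added example, not code from this article, Ulbow or Consolation: it rebuilds the syslog-style line from the fields and renders a compact custom style. The function names, the `localhost` host value and the line layout are assumptions inferred from the sample entry above.

```python
import json
import os

# Constructed input: subset of the entry dumped above, in the array `log show --style json` emits.
SAMPLE = r'''[{
  "eventType": "signpostEvent", "signpostID": 2959856622001960032,
  "signpostScope": "process", "signpostType": "begin",
  "signpostName": "HIDInterruptData", "eventMessage": "Before Dispatch",
  "subsystem": "com.apple.bluetooth", "category": "HIDProfileDispatch",
  "threadID": 88334, "processID": 1766, "source": null,
  "processImagePath": "\/usr\/sbin\/bluetoothd",
  "timestamp": "2022-08-25 15:22:01.008417+0100"
}]'''
ENTRIES = json.loads(SAMPLE)  # Python keeps the 64-bit signpostID exact

# Per-field formatters (hypothetical); any other field is shown unchanged.
FORMATTERS = {
    "timestamp": lambda v: v[11:26],          # time of day only
    "threadID": hex,                          # 88334 -> 0x1590e, as in default style
    "signpostID": hex,                        # decimal ID -> the "spid" value
    "processImagePath": os.path.basename,     # path -> process name
}
COMPACT = ["timestamp", "subsystem", "processID", "eventMessage"]

def render(entry, fields, sep="  "):
    """Render one entry using only the named fields, in the order given."""
    cells = []
    for name in fields:
        value = entry.get(name)
        if value is None or value == "":
            cells.append("-")                 # absent, null or empty field
        else:
            cells.append(str(FORMATTERS.get(name, str)(value)))
    return sep.join(cells)

def syslog_line(entry, host="localhost"):
    """Rebuild the syslog-style line; layout inferred from the sample entry."""
    msg = entry["eventMessage"]
    if entry.get("eventType") == "signpostEvent":
        msg = (f"[spid {entry['signpostID']:#x}, {entry['signpostScope']}, "
               f"{entry['signpostType']}] [{entry['subsystem']}:"
               f"{entry['category']}] {entry['signpostName']}: {msg}")
    # Other event types fall back to the bare message in this example.
    proc = os.path.basename(entry["processImagePath"])
    return f"{entry['timestamp']} {host} {proc}[{entry['processID']}]: {msg}"

if __name__ == "__main__":
    for e in ENTRIES:
        print(syslog_line(e), render(e, COMPACT), sep="\n")
```

A parser that reads JSON numbers as doubles would round this signpostID, so the hex value would no longer match the spid shown in the syslog and default styles.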

Ulbow (and Consolation 3) provides Styles, to let you decide which fields are shown, and how each is coloured to aid their reading. Here are the same log entries to show what a difference styles can make.

These three Signposts are seen here in syslog style.

If you want full detail, adding a touch of colour and selecting eight different fields can be ideal, using the built-in starters+ style.

But for a quick look through, it’s better to minimise the detail, using basic+. This gives just the abbreviated timestamp, subsystem, process IDs, and the message.

Ulbow and Consolation 3 come with their own built-in library of styles, and you can design your own in this section of their Preferences dialogues.

The Help book gives a full explanation of the codes used, and the Help menu lists all the different fields available. As they have changed since the first set was made available in Sierra, this may differ according to which version of macOS your Mac is running.

Tomorrow morning I’ll explain one of the most important fields, subsystems.