Log literacy: Reducing log entries shown

The second reason for many not using the log, after the limited tools bundled in macOS, is the sheer volume of entries. Pick any arbitrary period of ten seconds or longer at any time your Mac’s awake, and you’re likely to be viewing thousands of entries. This article demonstrates tools provided in my free log browser Ulbow to address that, and help you see the wood for the trees.

Limit entries shown

The key tool for making log browsing practical is to limit the log entries shown in Ulbow’s window, using the option Limit entries shown in its View menu. While any given click on the Get log button can return tens or even hundreds of thousands of entries, this feature ensures that only the first thousand or so will be displayed in the window.

To help you get the full picture, two numbers are shown between the Now and Get log buttons:

The total number of log entries returned and stored in Ulbow, to the left. When shown in parentheses, those shown are being limited.
The number of those being displayed in the window below is shown, to the right.

If the first of those numbers is reasonably low, you can instantly display all entries by unticking Limit entries shown in the View menu. You can also adjust the limit in Ulbow’s Settings, although I suspect you’ll find the default value of around a thousand is about right for most situations.

Reduce the period

The simplest way to reduce the number of log entries returned is to reduce the Period over which to collect log entries. When you do that, you’ll need to click on the Get log button again. In Ventura and recent versions of macOS, you can reduce that time to as little as 1 second, although older versions of macOS become unreliable with periods less than a few seconds, and may omit log entries.

One technique that I sometimes use is to set a small Period, then step the relative to time by seconds, getting a fresh set of log entries each time. This is slow and painstaking, but can identify an event for which you don’t have a precise time.

Another more advanced technique only available in Ulbow is to use its Chart view: I’ll explain that in full detail in a future article.

Use a filter

The quickest way to select which entries to display is using a filter, entered in the Combo box in the upper row of controls. Here you can enter plain text to determine which entries are shown below. For example, let’s say you’re looking for a log entry likely to contain the word error in its message field. That’s one of the built-in filters, so all you have to do is open the filter popup menu and select the second entry in that list.

If you have Limit entries shown enabled, this only applies to those log entries already being shown. You can change that quickly, by disabling that in the View menu, and the list of log entries will then show all those in that log extract containing your search term. As this is a Combo box, you can also type your own search term in directly: try changing error to read noerror, then pressing the Tab or Return key. Note that filters are applied to the text appearing only in the message field of each log entry.

You can add your own filters to be retained in the popup menu in Settings, and those can also use regular expressions (regex). Open that dialog and set the Filters popup menu there to its last entry New…. Type the search term into the filter box, and give it a name (usually the same) in the name box. Then click on the Add button to add it to Ulbow’s preference settings. To use a regular expression instead of plain text for a filter, the first character of its name must be an asterisk *. Names of plain text filters accordingly mustn’t start with *.

Filters are quick, powerful but generally underused. They don’t need you to click on the Get log button to refresh the contents of the window.

Use a predicate

Predicates are the most powerful and versatile of all the methods of filtering log entries, and can be applied to any of the fields in log entries to build sophisticated filters applied when the log extract is obtained using the Get log button. Apart from their complexity, their major drawback is the need to get a fresh log extract each time.

A predicate is a condition that must be satisfied, and is based on the contents of specified fields in the log entry. They’re most commonly used to select only log entries from one or more subsystems, with their terms assembled into a compound logical expression. For instance, the predicate
subsystem == "com.apple.launchservices"
will return only those log entries with a subsystem of com.apple.launchservices. If you also want entries from another subsystem like RunningBoard, you can combine that in the compound predicate of
subsystem == "com.apple.launchservices" || subsystem == "com.apple.runningboard"
where || is logical or, and && is logical and.

For your convenience, Ulbow contains a list of all fields that can be used in a log entry and are usable in predicates. This is shown using the Field Help command in the Help menu, and depends on the version of macOS running.

As the Predicate control at the left end of the upper row of controls is another Combo box, you can type in any custom predicate. However, as these tend to become more complicated than filters, you may find it easier to add them to the predicates menu using Settings. To do that, select the New… item at the end of the popup menu in the top section, Predicates. Enter or paste in the predicate into its box, and give it a name in the name box, then click the Add button immediately below.

Pre-made predicates are the basis for most of the log windows available in Mints, and the predicates used for them are given in its Help book as examples for you to use in Ulbow.

Summary

Limit entries shown to around 1,000 to keep the list manageable.
Limit the Period to what’s manageable.
Type a filter term to list only those entries containing that text in their message field.
Filters are applied to entries shown; turn the limit off to view all with the filter applied.
To filter entries by contents of other fields, use a predicate.
Predicates are most useful for filtering by subsystem, and can be built into compound expressions.
Mints provides a range of useful predicates ready for use in Ulbow.
Combining techniques, with a short Period, a Predicate for subsystems, and a filter term, will bring order to chaos.

6Comments

Add yours

1

Simon on January 31, 2023 at 1:12 pm

I would be interested in reading about the differences between Ulbow and Mints. I’m curious which one is more suited to casual use – so just simple things like checking details of the last TM backup (assuming you don;t already have T2M2) or what error messages an app wrote when it crashed. Ulbow seems to be a rather detailed and powerful tool, but also one that requires you really learn how to properly use it. Is Mints perhaps the more “casual” app?

LikeLiked by 1 person
- 2
  
  hoakley on January 31, 2023 at 1:52 pm
  
  They’re quite different.
  Ulbow is a general purpose log browser, which gives you full access to logs from Sierra to Ventura. If there’s a log entry for it, then Ulbow can show it.
  Mints is a collection of tools for advanced users, among them some ready-made log browsers for specific subsystems within macOS. Those can’t be customised or extended: they only show entries from specific subsystems, according to their purpose. However, among them is one for Time Machine, which goes beyond the automated analysis provided by T2M2.
  For problems with third-party software, you’d need Ulbow.
  I hope that’s a useful distinction.
  Howard.
  
  LikeLike
  - 3
    
    Simon on January 31, 2023 at 2:54 pm
    
    Thank you, Sir. Exactly what I was looking for. Much appreciated, as always.
    
    LikeLiked by 1 person
4

Week 6 – 2023 – This Week In 4n6 on February 5, 2023 at 5:42 am

[…] Howard Oakley at ‘The Eclectic Light Company’Log literacy: Reducing log entries shown […]

LikeLike
5

prehensileblog on March 9, 2023 at 4:51 am

Can you translate the adding of the StageManager predicate to Ulbow shown above into steps, please? I tried it, but I get error 64 when I click the Get Log button. Is that because I’ve disabled StageManager for my Ventura system?

LikeLiked by 1 person
- 6
  
  hoakley on March 9, 2023 at 6:36 am
  
  No. That’s because that predicate is malformed.
  I’ll write a walkthrough to appear here at 0730 GMT on Friday.
  Howard.
  
  LikeLike