hoakley February 7, 2023 Macs, Technology, Updates

Gaining control over the log with a new version of Ulbow

Late last year, I drew attention to a problem with the log in many, perhaps most, Macs running Ventura: if your Mac is running, and not asleep, for long periods, it fills its log up to the point where this limits its usefulness. This first became apparent when checking the log for XProtect Remediator scan reports; as these are normally run once a day, if your Mac’s log can’t look back at least 24 hours, then it may not be possible to check those scans.

This problem arises because, unlike most log systems, macOS doesn’t keep old logs for a fixed period, but limits the size of the log folders stored on disk instead. The more log entries that are written to those files each hour, the shorter the period they can cover. When the Unified log was brand new, in macOS Sierra, most Macs retained complete logs for 20 days or more. Since then, macOS has been writing more and more to the log, so shortening the period the log can cover.

Late last year, I discovered some Macs, including one of mine, whose logs went back significantly less than 24 hours, and in a few extreme cases for less than 12.

There is a solution, though: you can change the log’s preferences to mute entries from specific subsystems. Currently, in Ventura 13.2, one of the major culprits is Bluetooth, in the subsystem com.apple.bluetooth, which is running riot in the log, writing copious entries even when everything seems to be working fine. So one good plan might be to mute com.apple.bluetooth in the log’s preferences.

Even with the likes of Ulbow, it can be hard to establish which subsystems are the chattiest, and to assess whether muting them has been a success. So, inspired by Don’s recent experiences, I have a new version of Ulbow to help you with this and other problems.

Assessment

Although you can use Ulbow’s new Frequency view with other settings, if you want to clean your log up I suggest you follow these steps to assess it. You’ll need to do this with Enable Chart View ticked in the Ulbow menu, as the Frequency view relies on the same log analysis performed to support charts.

In the View menu, untick Get info messages and Get Signposts, as we’re primarily concerned here with regular log messages. Also ensure that Show Signposts and Activities are unticked. As we’ll be fetching quite a few log entries, I recommend that you Limit entries shown throughout.

Set a Period of 5-10 minutes to start with, at a time when your Mac wasn’t exceptionally active (such as during startup), but was awake the whole time. With none set for the Predicate, click on Get log, aiming to see the first number in parentheses, giving the total number of log entries obtained, between around 100,000 and 200,000, and no more than 400,000 at most.

Chart and Frequency views rely on a second background parsing of all the log entries, so wait a few seconds after the entries appear in the log view below. Then use the newly enabled Open Frequency command in the Window menu to open this new view.

There you’ll see a list of all the subsystems found in that log extract, with the number of log entries given for each, and in descending order of frequency. In this case, the most frequent had no subsystem given, and the most used subsystem was com.apple.containermanager, with 14,202 log entries in the period.

Treatment

If you want to, you can craft your own property lists to mute the subsystems of your choice, or use the log config command in Terminal to do that for you. Ulbow, though, now makes that easier still.

The popup menu at the top of the Frequency view lists all the subsystems found in that log excerpt in alphabetical order. Select the one you want to mute, and click the Save button.

Ulbow then creates the appropriate property list to mute that subsystem, ready for you to install in the Preferences folder. Because this has to go in a protected folder, drag and drop it into /Library/Preferences/Logging/Subsystems, where you’ll be required to authenticate (which is why you shouldn’t try to save it there directly).

Carry on using your Mac as normal, and an hour or so later check another 5-10 minute section of log, written well after you muted the subsystem(s), and you should at least see a marked reduction in the log entries from those subsystems.

Bluetooth woes

My own experience of using this with Ventura 13.1 was near-instant relief, but 13.2 doesn’t appear as well behaved. Despite trying to mute com.apple.bluetooth, and another subsystem, they continue to write to the log, although at a lower frequency. Muting other subsystems works better, so I’m unsure whether this is just a bug in 13.2, or something else.

Ulbow and huge logs

I get occasional reports of Ulbow crashing when trying to work with huge log extracts, and experienced one myself while testing this new version. The underlying cause is trying to work with too many log entries. At first I was keen to enforce a limit within Ulbow, but on further testing and reflection, I’m now reluctant to do so.

At times, Ulbow can work perfectly well, including its Frequency and Chart views, with around 750,000 log entries. At other times, it becomes extremely sluggish or crashes when there are ‘only’ 500,000. To safely prevent crashing, I’d have to set an upper limit of around 400,000, even though I know there are times when it will work fine with many more.

Perhaps it’s best to appreciate that Ulbow should be stable and, given a reasonably capable Mac, handle responsively with up to 200,000 log entries. If you take it above that, the risk of it crashing starts to increase, and more than 500,000 is definitely a gamble. I hate to stop anyone pushing Ulbow where it can go, so would rather not build in an arbitrary limit unless I have to.

Update

Ulbow version 1.10, with its new Frequency view, and running on High Sierra to Ventura, Intel and Apple silicon, is now available from here: ulbow110 (updated to latest version 1.10)
from Downloads above, from its Product Page, and via its auto-update mechanism.

I hope you find it useful.

38Comments

Add yours

1

Milo on February 7, 2023 at 10:23 am

When I try to retrieve the logs from the past 10 minutes for the ‘com.apple.bluetooth’ subsystem, I get the following error message:

log command returned error number 64

There is no mention of this error in the documentation. Do you have an idea what could be the problem here?

LikeLiked by 1 person
- 2
  
  hoakley on February 7, 2023 at 10:30 am
  
  Have you run Check log in the Ulbow menu? That runs diagnostic tests. The Help book has further information.
  Howard
  
  LikeLike
  - 3
    
    Milo on February 7, 2023 at 10:42 am
    
    Output from the Check log:
    
    ‘The log show command appears to be working correctly.’
    
    Ulbow does retrieves a log extract with predicate set to ‘none’. When I put ‘com.apple.bluetooth’ into the predicate textbox, I get an error.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on February 7, 2023 at 10:44 am
      
      That’s because that isn’t a valid predicate. See the Help book and my articles here for full instructions.
      Howard
      
      LikeLike
    - 5
      
      Milo on February 7, 2023 at 10:51 am
      
      You are of course correct. Sorry for the false alarm.
      
      subsystem == “com.apple.bluetooth”
      
      works as expected as a predicate.
      
      LikeLiked by 1 person
    - 6
      
      hoakley on February 7, 2023 at 10:54 am
      
      Well done. I’m sorry predicates are more complex, but they’re also very powerful.
      Happy browsing!
      Howard
      
      LikeLike
7

Don on February 8, 2023 at 2:37 am

Awesome article Howard, and thanks for the new Ulbow update and shout out! I am on this first thing tomorrow!

LikeLiked by 1 person
- 8
  
  hoakley on February 8, 2023 at 12:35 pm
  
  Thank you.
  Howard.
  
  LikeLike
  - 9
    
    Don on February 8, 2023 at 1:45 pm
    
    HI Howard, I did the whole process this morning, I muted 5 subsystems via the app, so I’ll watch and see how things improve in the next day or two. I am starting from 1.2-1.5 days’ worth of log entries now. I checked it an hour after I did the work in this article, and [nil] was by far the most frequent; I went from 220K entries in the prior 10 minutes before the changes to ~150K to ~100K!
    
    I have some questions/comments if you have the time, thanks either way Howard!
    1) Do you think after using the app to mute and copying into the subsystems folder, a restart is recommended? I always do one, since the general Apple article on plists says “if necessary” – which implies it depends on what plist is changed…
    2) I couldn’t find any info on this – are the plists in the subsystems folder plists that have been user modified? So then, if I chose to “unmute” one of those subsystems so I can see its log entries in the future, do I just delete the file in that folder (maybe with a restart) or unmute in another way? I wonder about this because it appears that folder only contains plists that I have modified. I know I can unmute via log config, I was wondering about the ULBow app and deleting from the folder directly.
    3) It seems that the settings you reference in the app, Get Signposts, Get Info Messages, Show Signposts, Show Activities, don’t persist across app starts. Other menu bar settings do (ex. Enable Chart View, Limit Entries Shown, etc.), it might be nice to persist those settings too from their last setting, to avoid user mistakes.
    
    All in all a great article and great enhancement to ULBow, thanks again!
    
    LikeLiked by 1 person
    - 10
      
      hoakley on February 8, 2023 at 2:05 pm
      
      Thank you.
      1. I don’t know. Apple doesn’t recommend a restart, and I suspect that logd, the service responsible, responds to changes in those folders. On the other hand, a restart doesn’t hurt.
      2. Those that were there before you added any were installed by macOS. You can simply remove or delete them if you wish, but that of course will increase log entries again. AFAIK the log config simply provides an easy way to create, change, and remove those property lists, and that’s how it works. So changing them directly is every bit as good as using the command.
      3. Ah but they will be saved if you use the Save as Defaults command in the Ulbow menu. Because many of us using Ulbow like standard default settings each time we use the app, rather than saving the current settings for the next launch, you decide how its standard settings will be when you save them using that command. Isn’t that better?
      Howard.
      
      LikeLike
    - 11
      
      Don on February 8, 2023 at 2:10 pm
      
      1) Thanks – I’ll keep experimenting a little with it over time.
      2) After I posted this I thought about a way to find out – so I used config log –status, saved a new subsystem in ULBow, verified in config log –status that persist was off, then I deleted the plist file in subsystems, then again checked config log –status, and persist was default! So deleting the plist file in subsystems does unmute it (if that’s ever needed course).
      3) “Save as defaults” – perfect! Thanks
      
      LikeLiked by 1 person
    - 12
      
      Don on February 9, 2023 at 4:21 pm
      
      One interesting thing, it does seem like there is no true “mute” of many of the subsystems, they still continue to post some – as Howard mentioned in the article. I saw an interesting one today though – I muted com. apple.runningboard per the article’s instructions, and just now I checked the frequency of entries in the last hour, and running board had 179,000 entries! I did use log config –status to ensure the status was still PERSIST_OFF. Very strange! That’s a lot of entries…
      
      LikeLiked by 1 person
    - 13
      
      hoakley on February 9, 2023 at 6:07 pm
      
      Thank you. I’m sure in the past, even just in 13.1, this was better. Still, it’s all we can try.
      Howard.
      
      LikeLike
    - 14
      
      Don on February 9, 2023 at 6:10 pm
      
      Yes, maybe they will fix it in the next release, or improve it. That said, I have gone from 1.2-1.5 days of events in the log (originally 0.7 before I started any of this) to 1.8 in the last 24 hours, and I have no trouble seeing XPR scans in Silent Knight now – so all is good (thanks to all your great articles and advice!)
      
      LikeLike
15

charlie on February 8, 2023 at 3:57 am

Thank you Thank you Thank you Thank you!!!!!

The Frequency feature is something I’ve been trying to figure out how get to but found no easy solution that didn’t require multiple steps. I tried using “log stats” but I found as did yourself that it is a bit buggy and the info not very useful. I mentioned doing something like Frequency with your tools in previous blog entries (something similar to a SQL aggregate query to count message types and order by count descending), but I must have worded it poorly…

What I’m seeing seems very similar to you: With MacOS Ventura 13.2 on Intel MBP 2018, here are my top entries (> 10,000) for a 10 minute period from about an hour ago (to ensure I’m getting entries persisted to files and not from memory)

86532 [nil]
28764 com.apple.runningboard
26515 *kernel*
24004 com.apple.bluetooth
23039 com.apple.amp.mediaremote
18292 com.apple.containermanager
14891 com.apple.network
13895 com.apple.securityd
10848 com.apple.calls.telephonyutilities
10809 com.apple.launchservices
10083 com.apple.SkyLight

I do have bluetooth turned off but they still show up (as you mentioned):

sudo log config –status –subsystem com.apple.bluetooth
Mode for ‘com.apple.bluetooth’ DEFAULT PERSIST_OFF

I actually configured a fair amount to off a month or so ago:

tree /Library/Preferences/Logging/Subsystems
/Library/Preferences/Logging/Subsystems
├── com.apple.SkyLight.plist
├── com.apple.WebBookmarks.plist
├── com.apple.WebInspector.plist
├── com.apple.WebKit.plist
├── com.apple.bluetooth.plist
├── com.apple.cache_delete.plist
├── com.apple.coreanimation.plist
└── com.apple.iohid.plist

I get about a day or so worth of logs now when laptop is on all day (a small victory):

The oldest log entry has a datestamp of 2023-02-07T02_43_46Z, 1.041 days ago.

And I can now see pretty reliably that XProtect Remediator is running 🙂

WRT crashing that you describe, I wonder if that might have to do with memory fragmenting after running multiple large queries? I don’t develop on MacOS so not sure about garbage collection, but in Windows/C# I’ve seen stuff like this when the garbage collector isn’t taking care of business…

Thanks again 🙂

LikeLiked by 1 person
- 16
  
  hoakley on February 8, 2023 at 12:40 pm
  
  Thank you.
  The crashing is only to be expected, as the app manipulates huge dictionaries. GC isn’t the same problem in macOS, at least not when using Swift, thankfully, but sorting a dictionary with half a million entries can be sometimes!
  Howard.
  
  LikeLike
- 17
  
  Don on February 11, 2023 at 12:37 pm
  
  Keep it up – your log will get even better over time – it does seem it takes time (per your other post). Plus, restarts may help – I have starting doing them after I added a new subsystem. BTW, I have muted 45 subsystems that at one point or another have dumped tons of messages into the log! I don’t need them, and I can always turn them back on if something changes. There have been some amazing “abuses” of the log lol – like Photos dumping a quarter of a million messages in there, in a 10 minute period – and no errors! Yikes! Since I started this, as of this morning I have now gone from 0.8 days in the log to 2.9 days in the log! Wahoo! And I can see the last 48 XPR scans (no problems found) in Silent Knight. Think of the unnecessary processing that is being eliminated on a computer…..Thanks again to Howard for this gem of research!
  
  LikeLiked by 1 person
  - 18
    
    hoakley on February 11, 2023 at 4:39 pm
    
    Thank you.
    Howard.
    
    LikeLike
19

Don on February 8, 2023 at 5:28 pm

One other possible best practice I am using – for now I am checking the frequency about every hour, to aggregate 60 minutes worth. I do this because I found there could be some one-off subsystems dropping a ton of messages in – like com.apple.photos.cpl, com.apple.photos.backend, and others than came out of nowhere – the photos subsystems came out of nowhere and dropped 200K events in my Unified log within an hour! As my mom taught me as a little kid, “Don’t speak unless you are spoken to”. Mute!

LikeLiked by 1 person
20

charlie on February 11, 2023 at 11:59 am

One comment about how long it takes to “see” the effects of adding a plist file to mute log messages. It seems at least here on my MBP with 13.2 that it takes about 20 minutes before messages in memory are flushed to the disk. So it takes at least that long to see the effects here.

Now a question: I have bluetooth (and a couple of others) muted via plist file created with latest Ulbow in and placed in /Library/Preferences/Logging/Subsystems:

tree /Library/Preferences/Logging
/Library/Preferences/Logging
├── Processes
├── Subsystems
│   ├── com.apple.SkyLight.plist
│   ├── com.apple.WebBookmarks.plist
│   ├── com.apple.WebInspector.plist
│   ├── com.apple.WebKit.plist
│   ├── com.apple.bluetooth.plist
│   ├── com.apple.cache_delete.plist
│   ├── com.apple.containermanager.plist
│   ├── com.apple.coreanimation.plist
│   └── com.apple.iohid.plist
└── com.apple.system.logging.plist

Checking log config makes sense:

sudo log config –status –subsystem com.apple.bluetooth
Mode for ‘com.apple.bluetooth’ DEFAULT PERSIST_OFF

When I search a Ulbow log for a 10 min window from 30 minutes ago using predicate

subsystem == ‘com.apple.bluetooth’

I get 0 messages returned. Again as expected.

My question comes when I look at the new Frequency window. For the same log window mentioned above, I open a new Frequency window and I get

168850 [nil]
88249 com.apple.containermanager
58142 com.apple.WebKit
56446 com.apple.launchservices
53474 com.apple.network
52929 *kernel*
49415 com.apple.bluetooth <—————————-<<<<<<<<
47334 com.apple.runningboard
36206 com.apple.mDNSResponder
25814 com.apple.calls.telephonyutilities
23532 com.apple.securityd

So I'm wondering why the Frequency window reports 49415 bluetooth messages when searching with the predicate displays no messages?

LikeLiked by 1 person
- 21
  
  Don on February 11, 2023 at 12:38 pm
  
  Great question! I have wondered too.
  
  LikeLiked by 1 person
- 22
  
  hoakley on February 11, 2023 at 4:39 pm
  
  Thank you.
  
  “it takes about 20 minutes before messages in memory are flushed to the disk”
  I’d be interested to know how you estimated that. You can’t tell that from Ulbow or log show, as they simply show all the log entries available, whether they’re in memory or written to disk.
  
  The reason for the differences you’re seeing in frequencies is because of the settings in the View menu. Here’s a test to explain that.
  1. Open Ulbow, set it to show around 20 seconds of a time about 2 minutes or so ago. Then in the View menu, *un*tick everything except Show log entries. Then click on Get log.
  2. Open a new window, then copy and paste the time from the first window to it (click in the date-time of the first, Cmd-C, then click in the date-time of the second and Cmd-V), and for the same period, so the two windows’ settings are identical. Select the second window, and change the View settings for that so only the following are ticked: Get Info messages, Get Signposts, and Show log entries. Then click on its Get log button.
  In my test here, the first window, which doesn’t contain any Info messages, has just over 20,000 log entries, while the second, which does contain Info messages and includes (but doesn’t show) Signposts has over 55,000.
  You can also open Frequency windows for each to see how that changes the results there.
  If the View menu is set to Get Info messages and Signposts, it makes a big difference – and that’s why the View menu is there, and is window-specific.
  Howard.
  
  LikeLike
  - 23
    
    hoakley on February 11, 2023 at 10:00 pm
    
    I have an article about this, coming on Monday.
    Howard.
    
    LikeLike
  - 24
    
    charlie on February 12, 2023 at 8:12 am
    
    “I’d be interested to know how you estimated that.”
    
    I set predicate to “subsystem == ‘com.apple.bluetooth'”, period to -1 minutes, clicked “now” and then changed the time to 20 minutes ago (adjusting hours and minutes as required), and then pressed “Get Log”. I then adjusted the minutes plus or minus a minute or two until I got 0 log messages displayed.
    
    Yes I am making some assumptions like the filter is actually working resulting in no bluetooth messages written to log file, the filter only affects written logs, and I know nothing about the rules for when messages are flushed from memory to file (time based, size based, how the computer is feeling today, orientation of the planets, number of times the dead owl has been waved, etc…). It is just an observation based on personal experience.
    
    WRT Frequency window question, I may have found a possible issue that would explain some of the wonky frequency numbers I’m seeing. My Ulbow version is Version 1.9 (85).
    
    To reproduce:
    
    1. Quit and open Ulbow to get a fresh version.
    2. Set predicate to subsystem == ‘com.apple.bluetooth’
    3. Set period to -20 seconds
    4. In view menu, I have only “Get Info Messages” and “Show Log Entries” selected
    5. Click the now button to set current time
    6. Select Get Log
    
    In my case, I get 732 log messages in current extract. If I view the Frequency window, it shows 732 com.apple.bluetooth. Everything as expected. So far so good…
    
    Now do the following:
    
    7. Close the Frequency window.
    8. Press the Get Log button. This should recollect the log messages for same period with same settings.
    
    In my case, the log window displays that there are 732 log messages in current extract, as expected. Now open the Frequency window again. In my case it now displays 1464 com.apple.bluetooth. Exactly twice the number from before. Not as expected. If I rinse and repeat, I get three times the original number: 2196 com.apple.bluetooth.
    
    If I change the capture window time to 30 minutes ago, leaving everything else the same, I get 0 log messages in the current extract as expected as I’m not persisting bluetooth messages. When I open Frequency window now, the displayed count is unchanged…it still displays 2196 com.apple.bluetooth.
    
    So it seems like the Frequency window counts are not reset after each press of the Get log button, resulting in constantly increasing frequency counts every time you press the Get log button. I’m assuming that you’d want the Frequency counts to reset…unless you have a different use case in mind…
    
    Anyway, I hope this is helpful…at least it seems to explain why the Frequency count is non zero when the displayed messages count is zero. It also shows that the predicate affects the Frequency counts, which was going to be one of my next questions…
    
    Looking forward to your article on Monday 🙂
    
    LikeLiked by 1 person
    - 25
      
      hoakley on February 12, 2023 at 8:04 pm
      
      Thank you, Charlie, for finding and explaining that bug. Coming in the next couple of hours, and formally released tomorrow, is version 1.10 which addresses that, and adds another page to the Help book.
      You’re perfectly correct that what was happening was that some of the data from the parsed log entries wasn’t being cleared when you got a fresh log extract. Hopefully that has been stopped in the new version.
      Howard.
      
      LikeLike
    - 26
      
      Don on February 13, 2023 at 12:02 pm
      
      Howard – I read your reply, so yesterday I download 1.10 Ulbow from your website – all good. This morning, I ran Ulbow, and I got the message, “An update to this app to version 1.9 is available. You are currently running Ulbow version 1.10.” Wha…? I assume the message is just confused so I ignored it. There hasn’t been an update to 1.10 or a new version of 1.10 has there? Here is a Dropbox link to the screen shot if you want to see it:
      
      LikeLiked by 1 person
    - 27
      
      hoakley on February 13, 2023 at 12:24 pm
      
      Thank you.
      You have something caching between your Mac and my GitHub database, which is using stale data. I updated the database on GitHub well over 12 hours ago, and it shows now as version 1.10 there.
      Howard.
      
      LikeLike
    - 28
      
      Don on February 13, 2023 at 12:40 pm
      
      Great!
      
      LikeLiked by 1 person
    - 29
      
      Don on February 16, 2023 at 12:36 am
      
      Hi Harold, any insight, or an idea for a future article, on managing log entries from [nil] and *kernel*? Now that we have our subsystems under control, for about a day now I have seen frequencies like in this last hour – [nil] is 232,000, *kernel* is 71,000. That seems like a lot! My oldest log entry has gone from 4 days, 2 days ago, to 2.5 days now…largely due to those two items..
      
      LikeLiked by 1 person
    - 30
      
      hoakley on February 16, 2023 at 6:22 am
      
      Entries counted as [nil] are all those for which no subsystem is given, while those for [kernel] are entries for which the processID is 0, that for the kernel. The latter can be double-counted, if they also have a subsystem given.
      There’s no way to stop the latter in the log, and I suggest you shouldn’t want to. For those without subsystems but giving a process, you could identify the process(es) and exclude them from storage in a similar way, but adding the property list to the Processes folder in log preferences.
      But I think you really need to look at samples of what’s going on in the log – that sounds like a problem that you need to address rather than mute log entries.
      Howard.
      
      LikeLike
    - 31
      
      Don on February 16, 2023 at 11:58 am
      
      Good advice, thank you Howard. I’ll do that.
      
      LikeLiked by 1 person
32

charlie on February 13, 2023 at 12:36 am

🙂 happy to be helpful. Will keep an eye out for update. Thanks Howard.

LikeLiked by 1 person
33

Don on February 16, 2023 at 12:37 am

Ugh – Howard not Harold, misbehaving fingers…

LikeLiked by 1 person
34

hmijail on March 2, 2023 at 3:03 am

Ulbow was very useful to analyze the logs of a music library that caused Music.app, AMPLibraryAgent and others to hog the CPU. Thank you!

However after the initial exploration I soon found myself copy/pasting to other viewers the bulk of the text for easier searches… and then directly extracting the log in the CLI, bypassing Ulbow entirely, even if that meant losing the conveniences of the formatting and the chart.

So I have a couple of suggestions:
* The scroll bars would be more comfortable if they honored the “Show scroll bars” system setting.
* The Find function would be much more useful if it highlighted all the results, like the Preview or Notes apps do.
* Ulbow tended to hang when changing the query parameters after a successful query.
* It’d be great to have a way to find a string in any predicate field; predicates themselves don’t seem to provide that, and maybe it’s too much to ask from Ulbow though.

Thank you again for Ulbow!

LikeLiked by 1 person
- 35
  
  hoakley on March 2, 2023 at 6:33 am
  
  Thank you.
  – scroll bar system settings are fully respected here. Which version of macOS, and what 3rd party software are you using that could interfere with this? (Ulbow is a straight AppKit app, so relies on macOS for such features.)
  – I will look at making that an option
  – I suspect it isn’t hanging, but grappling with very large log extracts. A little patience can be helpful if you’re working with more than 10,000 entries. This is one reason that limiting the entries shown can be so helpful, but even so hundreds of thousands of entries are very demanding. The secret to successful browsing is knowing how to minimise the size of extracts, not trying to search through tens of thousands of entries, which is desperately inefficient.
  – I’m not sure I quite understand what you’re asking. Predicates for the log show command invariably work on specific fields. That’s a design feature of the Unified log, and extremely valuable.
  I’m amazed that you used copy/paste with text. Why not save the extract in RTF and retain its formatting? I don’t think that I’ve ever intentionally saved log extracts in text format, as they’re so useless.
  Howard.
  
  LikeLike
  - 36
    
    hmijail on March 2, 2023 at 7:30 am
    
    I’m on macOS 13.2.1, not using anything that I can think of that could affect the scroll bars. Though I ran Ulbow from the CLI through sudo, so maybe its GUI is getting its scroll bar settings from *that* user?
    
    Re: hanging: this happened while working with large logs, typically over 100K lines; but it was curious that the hangs seemed to happen when actually going from a big existing one to a smaller extract – so it felt like the old log wasn’t being cleaned up before the new one appeared. Just a feeling without a repro case, though. I’d say I waited well over an hour in multiple cases, didn’t help.
    
    Re: minimise the size of extracts: in my case I was getting thousands of entries per second, for hours sometimes, with values that I needed to track across entries. And that’s where Ulbow’s chart helped, to just get an idea of what was going on when.
    This is also the case where highlighting a search term helps to quickly see where a pattern breaks or reappears.
    
    Re: searching in any predicate field: I mean something like “(subsystem OR eventMessage OR senderimage) contains (‘music’ OR ‘library’ OR ‘amp’)”. Of course I can unfold that into an unwieldy string of 9 predicates, but … would be nice to avoid that.
    (I just realized that one can use regex filters – that would help a bit)
    
    Re: plain text vs RTF: I can count on BBEdit to work with multi-GB text files, while still searching and highlighting with ease. I don’t know of an editor that can do the same with RTF. Also, colors are great as training wheels, but once you’re familiar with the structure of what you’re doing, in my experience highlighting is much more valuable – which would probably be compromised by the formatting.
    Plus of course plain text allows me to keep analyzing the log easily with my own scripts, without the formatting noise.
    
    LikeLiked by 1 person
    - 37
      
      hoakley on March 2, 2023 at 9:51 am
      
      Thank you.
      I’m sorry, but Ulbow isn’t the tool you’re looking for. Its whole purpose is to save you having to wade through vast amounts of unstructured log entries, and to refine what you’re seeing down to a few thousand at the most, so that you can actually browse them. That’s the sole purpose of all its tools, as I found such searches were a pointless and frustrating waste of time and effort.
      Howard.
      
      LikeLike
38

hmijail on March 2, 2023 at 7:36 am

(to be clear: I only used Ulbow for “smaller” log extracts of up to minutes, where I reached close to the recommended 500K max entries. Bigger sessions had to be done with `log show` + BBedit instead)

LikeLiked by 1 person

·Comments are closed.

Assessment

Bluetooth woes

Ulbow and huge logs

Update

Share this:

Related