There may be many more entries in the macOS Unified log than in traditional log files, but their design is so elegant that it empowers your browsing in a way simply not possible with ordinary logs. One feature that you might otherwise ignore is the messageType field.
Each log message, other than Signposts and Activities, has a messageType to distinguish its significance. These contain any of the following:
default(0)release(0) (rarely used, and may be obsolete)info(1)debug(2)error(16)fault(17)
although when displayed in log entries, they’re normally given an initial capital, such as Info or Error.
Although normally ordered by their numerical equivalents as shown, elsewhere their hierarchy is different:
- Fault is the most significant, and included in log extracts by default
- Error, also included in log extracts by default
- Default, included in log extracts by default
- Info, only included in log extracts when explicitly requested, and readily excluded from being written to disk
- Debug, the least significant, only included in log extracts when explicitly requested, and not normally written to disk.
Ulbow (and the log show command) has options as to which messageTypes will be obtained in a log extract, that have substantial effects on the numbers and frequencies of log entries shown. These are controlled in Ulbow’s View menu. To see how this works, try this demonstration.
Demonstration
Open Ulbow, and in its new window set a Period of 10-20 seconds, and a time of a few minutes ago. Open the View menu, and untick all the items there apart from Show log entries. Then click on the Get log button.
With these settings, Ulbow only gets log entries of Default, Error and Fault, no Signposts at all, and will show them all apart from Activities.
Using the New command in the File menu, open a new window. Set that up exactly the same as the first. To make this easier, you can copy and paste the date-time between the windows. To do that, select one of the fields in the date-time of the first window and press Command-C. Select one of the fields in the date-time of the second window and press Command-V. Ensure the Period and other settings of the two windows are identical.
Then click on the second window to activate it, and set the View menu so that Get Info messages, Get Signposts and Show log entries are all ticked for that window. Then click on the Get log button.
The first window now contains only log entries, not Signposts, and no Info messages are shown at all, giving a total number of log entries here of 20,405, with almost all of them shown (only Activities will be hidden). Open a Frequency window using the command in the Window menu, and com.apple.bluetooth has only 700 entries.
The second window now contains only log entries, not Signposts, but now includes Info messages as well, although Signposts and Activities are hidden. Total log entries are here 55,855, but lower for the number displayed (to the right) because Signposts and Activities have been obtained but are hidden. This excerpt’s Frequency window will be very different to that for the first, for example com.apple.bluetooth here has 4,476 entries.
Depending on what you’re looking for, excluding Info messages and Signposts will greatly reduce the number of log entries in the log excerpt, while retaining all the more significant entries.
Log preference settings
When you add a preference setting property list to control which entries are written to disk, you specify which messageTypes will be saved. A property list setting the Enable key to default, and Persist to off, should only store messages with a messageType of Default and above, and not those of Info or Debug. There doesn’t appear to be a way to prevent Default, Error or Fault entries from being saved.
Saving Ulbow settings as defaults
Changes you make to Ulbow’s View menu settings, and elsewhere, don’t persist unless you save them using the Save as defaults command in the Ulbow menu. This ensures that you can open new windows confident that they have your preferred settings from the start, rather than just the last settings used.
This helps Ulbow to do what you have just experienced in the demonstration, to retain different settings in windows open concurrently.
messageType in predicates
The most common use of predicates, with subsystems, is relatively complex. Using messageTypes can be quick, simple, and very powerful.
There are two ways of specifying a messageType in a predicate, either by name or number:
messageType == info
messageType == 1
both result in only Info messages being included in that log excerpt. Don’t try passing the messageType as a string inside “” quotation marks, and ensure that it’s given entirely in lower case, without an initial capital.
Three valuable predicates you can type straight into the Predicate box are:
messageType > 2to return all Error and Fault log entries,messageType == 0ormessageType == defaultto show only Default entries when Info entries have also been obtained,messageType == 16ormessageType == errorto show only Error entries.
When the log extract is reasonably small, you can obtain those almost instantly by typing that predicate into the Predicate box and pressing Return, which is the key equivalent for the Get log button.
Try those out on a sample log extract totalling up to 5,000 entries, for instance. Such is the power of the macOS log.
Ulbow update
Thanks to Charlie, who not only found a bug in Ulbow 1.9 but identified what was wrong, I have a new version of Ulbow to fix that. What was happening was that, when you clicked the Get log button, Ulbow wasn’t clearing its previous parsed log data fully, and they were being carried over into the next log analysis, in particular its frequency data. This new version also adds a further page to its Help book, giving details about the use of special field like messageType in predicates, bringing the total number of pages to 39.
Ulbow version 1.10 is now available from here: ulbow110
from Downloads above, from its Product Page, and via its auto-update mechanism.
The Eclectic Light Company 