> ## Documentation Index
> Fetch the complete documentation index at: https://docs.honeycomb.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Investigate Log Data in Honeycomb

> Analyze log data in Honeycomb to monitor system health, query structured and unstructured logs with high cardinality, and troubleshoot problems faster.

export const CalloutExample = ({children}) => {
  return <Callout icon="clipboard-check" color="#6B7280">
      {children}
    </Callout>;
};

Once your log data is in Honeycomb, you can use it to analyze and explore your systems in novel ways.

## Before You Begin

Before beginning this guide, you should have:

* [sent your log data to Honeycomb](/send-data/logs/)
* [enhanced your log data, so you can get the most out of Honeycomb](/send-data/standardize/add-context/)

## Explore Your Data

In Honeycomb, you can slice and dice your data from your [Home view](#slice-and-dice-your-data), or create [Boards](#create-a-board) to save relevant queries and visualizations.
Either way, you will want to leverage Honeycomb's features to create [Triggers](#create-triggers) and [explore outliers](#investigate-unusual-behavior) using BubbleUp and Correlations.

### Slice and Dice Your Data

Once you have log data in Honeycomb, navigate to the [Home view](/observe/honeycomb-home/) and select your log dataset to begin exploring your data.

The **Logs** view contains [visualizations specially designed for exploring log data](/observe/honeycomb-home/#logs-visualizations).

<Frame>
  <img src="https://mintcdn.com/honeycomb/BJ6WALtaZOXIS47Z/_assets/images/honeycomb-home/hny-home-log-visualizations.png?fit=max&auto=format&n=BJ6WALtaZOXIS47Z&q=85&s=fccb28802ce7b2ef3887fa814fc12892" alt="The visualizations displayed in Honeycomb's Home area on the Logs view. They include total logs, total errors, total warnings, logs by severity, log volume, total events by severity, top messages, total errors by severity, and top errors. Chart and table visualizations have accompanying icons that let you toggle between chart and table view. The top messages table has an accompanying search bar that lets you filter by words in the message. Above all of the visualizations, there are two dropdowns that allow you to group or filter by fields. At the very top of the page, there are two dropdowns that allow you to select the dataset and the time range." width="2562" height="1400" data-path="_assets/images/honeycomb-home/hny-home-log-visualizations.png" />
</Frame>

In addition, when you [view events](/investigate/analyze/explore-events/#view-events) in the **Explore Data** view, you can [change your data display to present data as log lines](/investigate/analyze/explore-events/#change-data-display).

<Frame>
  <img src="https://mintcdn.com/honeycomb/izYM_pgEskzvL08S/_assets/images/query-results/explore-data-log-lines.png?fit=max&auto=format&n=izYM_pgEskzvL08S&q=85&s=08cd6bc86e6711caca5dfd7840ec0797" alt="Query Builder with Explore Data tab selected and log lines display" width="1060" height="920" data-path="_assets/images/query-results/explore-data-log-lines.png" />
</Frame>

To learn more about the log lines display, visit [Explore Events: Events View](/investigate/analyze/explore-events/#events-view).

### Create a Board

For quick reference over time, you should create a [Board](/observe/boards/) that you can customize to show log-specific items of interest.

### Create Triggers

Once you have created a Board, you will likely want to configure some Triggers, so you can receive notifications when your data in Honeycomb crosses defined thresholds.

To create a [Trigger](/notify/triggers/):

1. On your Board, locate a Query from which you want to create a Trigger.
2. Select the query to open it in the Query Builder display.
3. Select the three-dot overflow menu, located to the left of **Run Query**, and select **Make Trigger**.
4. Configure the trigger by defining trigger details, an alert threshold, and your notification preferences.

### Investigate Unusual Behavior

Simplify debugging by using the [core analysis loop](/get-started/honeycomb/core-analysis-loop)--Honeycomb BubbleUp, Correlations, and rich queryable data--to dig in to application behavior.

## Identify Commonalities in Structured Logs

Examine what a subset of logs might have in common using [BubbleUp](/investigate/analyze/identify-outliers/).

<CalloutExample>
  **Scenario**:
  You have structured MySQL slow query logs and want to discover specific queries that are running slower than expected.

  **Solution:**
  Run a query that visualizes a heatmap on `query_time`, then use BubbleUp to identify similarities between the slow queries.

  1. Navigate to the Query Builder.

  2. Build the following query:

     | VISUALIZE             |
     | --------------------- |
     | `HEATMAP(query_time)` |

  3. Select **Run Query**.

  4. In the **Query Results** section, locate the heatmap, and draw a box around logs that have a longer duration than you prefer.

  5. From the context menu, select **BubbleUp Outliers**.

       <Frame>
         <img src="https://mintcdn.com/honeycomb/ZEhop91RpDyv3q2S/_assets/images/aws-data/rds-logs-heatmap.png?fit=max&auto=format&n=ZEhop91RpDyv3q2S&q=85&s=3417b741bf9cc21814f1fa21b2da29a5" alt="A screenshot depicting a heatmap on the query_time field with a BubbleUp box drawn around logs with a long duration." width="1894" height="1496" data-path="_assets/images/aws-data/rds-logs-heatmap.png" />
       </Frame>

  6. Locate the **BubbleUp** view, and use the charts to examine the attributes that that logs inside your selection have in common.

       <Frame>
         <img src="https://mintcdn.com/honeycomb/ZEhop91RpDyv3q2S/_assets/images/aws-data/rds-bubbleup-dimensions.png?fit=max&auto=format&n=ZEhop91RpDyv3q2S&q=85&s=709bd28fd2d458a23a7a5ae337b2338c" alt="A screenshot depicting the dimensions BubbleUp highlights on the selection." width="1972" height="1086" data-path="_assets/images/aws-data/rds-bubbleup-dimensions.png" />
       </Frame>

  Notice the `statement` chart; each of the problematic logs contains the same `DELETE` statement.
  You can now use the `normalized_query` chart to see the exact shape of the query that you need to optimize.

  If your team has [Honeycomb Intelligence](/security-compliance/honeycomb-intelligence/) enabled, [BubbleUp Insights](/investigate/analyze/identify-outliers/#bubbleup-insights) appears below the heatmap for your seelction and highlights which fields are most worth investigating first.
</CalloutExample>

## Parse Unstructured Logs

Because of the [shape of unstructured log data](/send-data/logs/) in Honeycomb, unstructured logs can be hard to query.
To improve the experience and make unstructured logs more useful, use [calculated fields](/send-data/standardize/transform-data/) to parse meaningful information out of the `message` attribute.

1. [Create a calculated field](/send-data/standardize/transform-data/#creating-calculated-fields).

2. Leverage the [`REG_VALUE` operation](/reference/calculated-field-expression/string/#reg_value) to parse log data using regular expressions.