Skip to content

Analyze log patterns with templates

Use templates to group high-volume logs into recurring patterns so you can quickly identify new, rare, and abnormal errors, reduce noise during investigations, and operationalize error discovery with alerts and automation.

Templates are the current name for what was previously called Loggregation.

Use templates to:

  • Identify newly introduced and rare errors
  • Reduce log noise without losing access to raw data
  • Investigate error patterns across applications, subsystems, and infrastructure
  • Automate detection of new error patterns after deployments

How templates work

What a template represents

A template represents a recurring log pattern. Coralogix evaluates incoming logs and groups messages that share the same constant structure into a single template. Each template acts as a compact summary of many similar log entries, allowing you to reason about behavior at the pattern level instead of inspecting individual lines.

Templates are scoped by application, subsystem, and severity. This scoping keeps patterns meaningful by grouping logs only within the same operational context.

How variables shape a pattern

Each log message is made up of constant text and variable values. The constant text defines the shape of the message, while variable values change between occurrences. Coralogix uses the constant parts to identify patterns and replaces the changing values with placeholders.

For example, the following log messages:

User 12345 logged in from 192.168.1.1
User 67890 logged in from 10.0.0.1

Are grouped into the pattern:

User <*> logged in from <*>

How templates reflect the full log set

Templates represent the full set of logs in the time range you query, making them useful for detecting rare and newly introduced errors. When you investigate patterns, you can assume they represent the complete picture of the logs you queried.

Templates tab showing log pattern groups Templates tab showing log pattern groups

Tabs in Explore

When you run a logs query, the results area exposes three tabs:

  • Overview: aggregated tiles, including the Templates across time chart for a quick view of pattern frequency over the query window.
  • Logs: individual log entries in sequence.
  • Templates: recurring patterns and their frequency.

Switch between tabs without rerunning the query. The view updates as you change the query, filters, or time range.

Note

DataPrime queries do not support templates. Switching to DataPrime from the Templates tab forces a return to the Logs view.

Templates grid columns

The templates grid exposes the following columns:
ColumnDescription
CountNumber of log entries matching the pattern. The cell also shows the ratio of total logs as a secondary value.
SeverityThe severity associated with the template branch.
ApplicationThe application associated with the template branch.
SubsystemThe subsystem associated with the template branch.
First SeenTimestamp of when the pattern first appeared.
TemplateThe log template with variable placeholders.

Sort the table by any column to prioritize which patterns to investigate.

Find new and rare errors

Surface rare errors using low-occurrence sorting

Sort the templates grid by Count ascending to uncover rare patterns. These often indicate edge cases, regressions, or early signs of larger issues that would be easy to miss in raw logs.

Identify newly introduced errors using First Seen

Sort by First Seen to find patterns that appeared recently. This is especially useful after deployments or configuration changes — use First Seen to confirm whether an error pattern existed before the change window or was introduced afterward.

Uncover logs not yet templated

Not all logs immediately belong to a template. To find new or unusual messages that have not yet formed a stable pattern, select the Logs tab and run:

NOT _exists_: coralogix.templateId

This helps you catch newly introduced errors before they become frequent enough to form a template.

Investigate a specific pattern

Select any pattern row to open the Template details info panel.

The panel header shows the Template ID (the stable identifier for the pattern — use it as a filter in other queries), a Severity badge, and Application / Subsystem tag chips.

Template info panel

Below the header, the Message section displays the template message with variable placeholders rendered as masking-tag chips. The section indicates how many masking tags the template contains.

Beneath the Message section, the panel has two tabs:

  • Template logs (default): shows a Frequency over time chart of how often the pattern occurs across the query window, plus a table of matching log entries with a result count.
  • Log example: shows a single sample log entry that matches the pattern, in Table, JSON, or Raw view. In Table view, use the Search table field to filter the visible fields.

From the panel header you can:

  • Select Apply to main to append coralogix.templateId:"<id>" to the main query and filter the Logs view to only entries matching this template.
  • Select Create alert to monitor the pattern automatically. Configure the alert conditions and notification settings in the dialog.

Combine template ID with Lucene filters

Narrow your investigation by combining a template ID with additional Lucene filters, such as server, environment, or metadata fields. This helps you understand how a pattern behaves across different parts of your system.

Reduce noise during active investigations

Unclassified templates can obscure more important signals. Select Unclassified in the templates grid toolbar to hide unclassified logs from the current view. The button is a toggle — select it again to show them. Hiding a template from view does not delete data — all underlying log entries remain fully searchable.

To remove other templates from view, filter them out with Lucene.

Create alerts on patterns

To monitor a pattern automatically:

  1. Open the Template details info panel by selecting a pattern row.
  2. Select Create alert in the panel header.
  3. Configure the alert conditions and notification settings.

You can also configure alerts that trigger when new templates appear, enabling proactive detection of new error patterns without manually inspecting logs. This is especially useful after deployments.

Automate error detection workflows

The Insights API lets you query and analyze log patterns programmatically. Use it to fetch top errors, most recent errors, and other actionable data.

A common automation pattern is to run a post-deployment check that looks for newly introduced templates or errors after a short delay, then send notifications to external systems such as Slack for fast feedback.

Limits

LimitValue
Template branches1,000 maximum (defined by application, subsystem, and severity)
Logs per branch10,000 logs per template branch
Template retentionUp to 90 days after the last matching log

New templates are created only after a pattern reaches a defined occurrence threshold, preventing unstable messages from forming misleading templates too early.

Unclassified logs

Logs may remain unclassified when message fields have very high cardinality, when messages are excessively long, or when their structure prevents reliable pattern extraction. Unclassified logs are not dropped — they remain fully visible and searchable.

Filter for unclassified logs with NOT _exists_: coralogix.templateId. Use branch-level details to identify root causes and decide whether parsing, normalization, or logging changes are needed.