ES|QL

Group errors by pattern with CATEGORIZE

CATEGORIZE automatically clusters similar messages into patterns: thousands of error lines collapse into a handful of families, with no regex to write. The group key it returns is a regex-like pattern built from the stable tokens of each family, with the variable parts (hosts, ports, user names, counters) collapsed into `.+?` / `.*?` placeholders.

Prerequisites

Elasticsearch 8.18+ (CATEGORIZE is in technical preview; its output format and grouping restrictions may change between releases)

Query (ES|QL)
FROM "logs-app-*"
| WHERE log.level == "error"
  AND @timestamp >= NOW() - 24 hours
| STATS
    occurrences = COUNT(*),
    services = COUNT_DISTINCT(service.name),
    derniere = MAX(@timestamp)
  BY motif = CATEGORIZE(message)
| SORT occurrences DESC
| LIMIT 10

Result

motif                                    | occurrences | services | derniere
-----------------------------------------+-------------+----------+-------------------------
.*?Connection.+?refused.+?port.*?        |      12,480 |        6 | 2026-06-10T15:59:41.002Z
.*?Timeout.+?waiting.+?response.*?       |       8,102 |        4 | 2026-06-10T15:58:07.566Z
.*?OutOfMemoryError.+?heap.*?            |       1,940 |        2 | 2026-06-10T14:21:33.910Z
.*?Failed.+?authenticate.+?user.*?       |       1,277 |        3 | 2026-06-10T15:55:12.044Z
.*?Disk.+?quota.+?exceeded.*?            |         310 |        1 | 2026-06-10T11:02:58.371Z

Columns: motif is the CATEGORIZE family key, occurrences the number of error lines in the window, services the number of distinct service.name values emitting that family, derniere the most recent occurrence. Read the table as a triage list, not a detection rule: the volume leaders are operational (connection refused, timeouts), while a family such as `Failed to authenticate user` across three services is the one worth handing to security, even at lower volume. The family patterns are lenient by design, so do not paste them into a detection rule without tightening them first.
Tags: CATEGORIZE, Pattern mining, Logs, Triage
