DevOps Log Analysis: JSON Logs to Excel for Incident Investigation
Production is down. You're staring at thousands of JSON log entries trying to find what broke. The logging dashboard shows events, but you need to slice the data differently—filter by user, group by error type, see patterns over time.
This guide covers how to get JSON logs into Excel for the kind of ad-hoc analysis that dashboards can't do.
When Dashboard Isn't Enough
Monitoring tools are great for alerts and real-time views. But during incident investigation, you often need:
- Custom groupings the dashboard doesn't support
- Correlation across fields (user + error + endpoint)
- Share with non-technical stakeholders who don't have dashboard access
- Permanent record for post-mortem documentation
That's when exporting to Excel makes sense.
Common Log Formats
CloudWatch Logs (AWS)
{
"timestamp": "2024-01-15T14:30:00Z",
"message": "Error processing request",
"requestId": "abc-123",
"level": "ERROR",
"data": {
"userId": "user-456",
"endpoint": "/api/orders",
"error": "Database timeout"
}
}
Datadog Log Format
{
"date": "2024-01-15T14:30:00.000Z",
"host": "prod-server-01",
"service": "api-gateway",
"status": "error",
"message": "Connection refused",
"attributes": {
"http.method": "POST",
"http.url": "/api/checkout",
"user.id": "12345"
}
}
Application JSON Logs
{
"level": "error",
"time": 1705325400000,
"msg": "Payment failed",
"err": {
"code": "CARD_DECLINED",
"message": "Insufficient funds"
},
"context": {
"orderId": "ORD-789",
"amount": 99.99
}
}
Structured Log Libraries (Winston, Bunyan, Pino)
{"level":30,"time":1705325400000,"pid":1234,"hostname":"web-01","msg":"Request completed","req":{"method":"GET","url":"/health"},"res":{"statusCode":200},"responseTime":45}
The Quick Export Workflow
Step 1: Export from Your Platform
CloudWatch:
- CloudWatch → Log groups → Select group
- Filter by time range and search pattern
- Actions → Download search results (JSON)
Datadog:
- Logs → Filter your query
- Export → Download as JSON
Splunk:
- Run your search
- Export → JSON
ELK/OpenSearch:
- Discover → Set time range and query
- Share → Generate CSV (or use API for JSON)
Local log files:
# Filter and combine log files
grep "ERROR" *.log > errors.json
Step 2: Convert to Excel
- Go to JsonExport
- Upload or paste your log export
- Preview flattened columns
- Download as Excel
What happens:
- Nested fields like
data.userIdbecome separate columns - Timestamps stay intact for filtering
- Error objects expand to show all details
Step 3: Analyze in Excel
Now you can:
- Filter by error type, user, endpoint
- Sort by timestamp to see sequence
- Pivot to count errors by category
- Chart error frequency over time
Real Incident Investigation Examples
Example 1: Finding the Root Cause
Scenario: Checkout errors spiked at 2 PM.
Exported logs: 500 error entries from 1:55 PM to 2:15 PM.
Analysis in Excel:
- Sort by timestamp (earliest first)
- First error:
Database connection pool exhausted - Subsequent errors:
Timeout waiting for connection
Root cause: Connection leak in new deployment at 1:53 PM caused pool exhaustion.
Without Excel: Scrolling through dashboard logs, easy to miss the first error in the flood of timeouts.
Example 2: User Impact Assessment
Scenario: Bug affected "some users" - need to know how many.
Exported logs: All errors for the affected endpoint.
Analysis in Excel:
- Pivot table: Rows =
userId, Values = Count - Result: 47 unique users affected
- Filter to get user list for customer support
Output: Email to support with affected user IDs.
Example 3: Error Pattern Analysis
Scenario: Intermittent errors, no obvious cause.
Exported logs: 24 hours of errors.
Analysis in Excel:
- Add hour column:
=HOUR([@timestamp]) - Pivot: Rows = Hour, Values = Count
- Pattern revealed: Errors spike at :00 and :30 (cron jobs)
Root cause: Scheduled jobs overloading database.
Handling Large Log Volumes
Strategy 1: Filter Before Export
Reduce volume at the source:
# CloudWatch Insights
fields @timestamp, @message
| filter @message like /ERROR/
| limit 1000
Strategy 2: Time Windows
Export in chunks:
- 2:00 PM - 2:15 PM (around incident start)
- Focus on actionable window
Strategy 3: Sample for Patterns
If you have 100K errors, a 1% sample often shows the same patterns:
import pandas as pd
df = pd.read_json('logs.json')
sample = df.sample(frac=0.01)
sample.to_excel('sample.xlsx')
Strategy 4: Aggregate in Query
Some platforms support aggregation before export:
# Count by error type
fields errorType
| stats count() by errorType
Export the summary, investigate specific types as needed.
Working with JSON Lines Format
Many log systems output JSON Lines (one JSON object per line, no array wrapper):
{"timestamp":"2024-01-15T14:30:00Z","level":"error","msg":"Failed"}
{"timestamp":"2024-01-15T14:30:01Z","level":"error","msg":"Timeout"}
{"timestamp":"2024-01-15T14:30:02Z","level":"info","msg":"Recovered"}
To convert:
Option 1: Add array brackets
echo "[" > wrapped.json
cat logs.jsonl | sed 's/$/,/' >> wrapped.json
echo "{}]" >> wrapped.json
Option 2: Use jq
jq -s '.' logs.jsonl > logs.json
Option 3: JsonExport handles JSON Lines automatically—just paste the content.
Post-Mortem Documentation
After resolving an incident, Excel exports become documentation:
Incident Report Template
| Section | Content |
|---|---|
| Timeline | Filter logs by timestamp, create sequence of events |
| Impact | Pivot by user count, error count |
| Root Cause | First error message and context |
| Evidence | Attach Excel file with analysis |
Creating the Timeline
From your Excel export:
- Sort by timestamp
- Filter to key events (first error, actions taken, resolution)
- Add "Event Type" column (Error Start, Fix Deployed, Resolved)
- Copy to post-mortem document
Integration with Monitoring Tools
Export Automation
If you regularly need log exports:
AWS Lambda + S3:
- Trigger on CloudWatch alarm
- Export recent logs to S3
- Convert and email report
Datadog Scheduled Export:
- Use Datadog API to pull logs
- Convert with Python script
- Push to Slack or email
Grafana Loki:
- LogCLI for command-line export
- Script conversion to Excel
When NOT to Export
Stay in your monitoring tool when:
- Real-time alerting is the goal
- You need live dashboards
- Retention policies handle cleanup
- Team all has dashboard access
Export when:
- Investigation needs custom analysis
- Sharing with non-technical people
- Post-mortem documentation
- Auditing or compliance records
Quick Reference
Log Export Commands
CloudWatch CLI:
aws logs filter-log-events \
--log-group-name /app/prod \
--start-time 1705320000000 \
--end-time 1705330000000 \
--filter-pattern "ERROR" \
> logs.json
Datadog API:
curl -X POST "https://api.datadoghq.com/api/v2/logs/events/search" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-d '{"filter":{"query":"status:error","from":"now-1h","to":"now"}}' \
> logs.json
Useful Excel Formulas for Logs
// Extract hour from ISO timestamp
=HOUR(DATEVALUE(MID(A2,1,10))+TIMEVALUE(MID(A2,12,8)))
// Count errors by type (array formula)
=COUNTIF(error_column, "*timeout*")
// Flag high-severity
=IF(OR(B2="error", B2="fatal"), "HIGH", "normal")
Common Pivot Table Setups
Error frequency by hour:
- Rows: Hour (calculated)
- Values: Count of records
Errors by endpoint:
- Rows: endpoint field
- Values: Count
- Sort: Descending
User impact:
- Rows: userId
- Values: Count
- Filter: error level only
Conclusion
Log analysis doesn't require expensive tools. For incident investigation:
- Export from your monitoring platform
- Convert JSON to Excel (30 seconds with JsonExport)
- Analyze with filters, pivots, and formulas
- Document for post-mortems and auditing
The goal is faster incident resolution—not becoming an Excel expert. Get the data, find the pattern, fix the problem.
Convert logs now — Paste JSON logs, get Excel for analysis.
Related Guides: