Login
A primer on predicates for LogUI
All good log browsers provide tools to narrow down the log entries they display. Without those, it would be easy to waste all day wandering through tens of thousands of entries. One common tool provided by macOS, directly and in the log command tool, is filtering using predicates. Although LogUI provides easy access to simple predicates, to get the best from them, it’s worth digging a little deeper, as I do here.
Instant predicates
LogUI’s instant predicates filter log entries according to any of four basic predicate types:
- subsystem, such as
com.apple.sharing, the field shown in yellow in log extracts; - eventMessage, the text message listed in white/black at the end of each entry;
- processImagePath, such as
mediaanalysisd, shown in blue, the name of the process making that entry; - senderImagePath, such as
libxpc.dylib, shown in red, the name of the process sending that entry.
These are quick to enter in the text box to the right of the popup menu in the window’s toolbar, but in many circumstances can prove too broad, and need narrowing down further. In other situations, you want to browse entries from two subsystems, or using a combination of criteria. The best way to do that is to write a short predicate. For single use, you can do that in the one-off predicate editor using the Set button.
When you want to reuse that, you can add it to the predicate popup menu using Settings Predicate (currently a bit kludgy).
Predicates
macOS can use predicates in other situations, most commonly for Spotlight search. If you’re interested in those, see Apple’s Predicate Programming Guide. Here I’ll describe predicates as they’re more commonly used to filter log entries, as they’re usually much simpler.
Each simple predicate consist of three parts:
- the name of one of the fields in a log entry, such as subsystem or eventMessage. This sets where the filter looks in each entry;
- an operator, which might be
==for ‘equals’ exactly, or for text is commonlyCONTAINS[c]for case-insensitive contains; - text or a numeric value to look for, such as “error” or 513. Only those entries equalling or containing (or whatever the operator means) this in the specified field will then be returned from the log and displayed.
Here are some basic examples.
eventMessage CONTAINS[c] "error"
entries will only be those with the text error in their message field.
subsystem == "com.apple.duetactivityscheduler"
entries will all have that text, ignoring case, but only that text, as the name of their subsystem.
subsystem CONTAINS[c] "com.apple.xpc"
entries will have any subsystem containing that text, which also includes com.apple.xpc.activity.
Fields
Although you can use any of the fields shown in LogUI (and some that aren’t), the most commonly used are, in order as they are shown in LogUI’s window:
- eventType (red) – matches the type of event, such as logEvent (1024), traceEvent (768), activityCreateEvent (513), or activityTransitionEvent (514). Can be given as characters (case-sensitive) without quotation marks, or using the digits given in parentheses. Use these only with the operators == or !=, as they are treated as numbers rather than text.
- category (green) – this matches the category, and varies according to subsystem. This is given as text in quotation marks, and is normally lower-case.
- messageType (white/black) – matches the type of message for logEvent and traceEvent, and includes default (0), release (0), info (1), debug (2), error (16), and fault (17). Can be given as characters (case-sensitive) without quotation marks, or digits as shown in parentheses. Use these only with the operators == or !=, as they are treated as numbers rather than text.
- senderImagePath (red) – this matches the text pattern in the name of the sender, which might be the name of a library, extension, or executable.
- processImagePath (blue) – this matches the text pattern in the name of the process that originated the event.
- subsystem (yellow) – this matches the subsystem specifier, e.g. com.apple.TimeMachine, given as text in quotation marks. You may find it best to use CONTAINS[c] rather than ==, to allow for differences in case and extended subsystem specifiers.
- eventMessage (white/black) – for this, you specify a text pattern, or text, within the message, given as text in quotation marks.
Operators
The following comparisons and other operators are available:
- == (two equals signs) for equality
- != or <> for inequality
- >= or => for greater than or equal to
- <= or =< for less than or equal to
- > for greater than
- < for less than
- AND or && for logical and
- OR or || for logical or
- NOT or ! for logical not
- BEGINSWITH, CONTAINS, ENDSWITH, LIKE, MATCHES for string comparisons, using regex expressions when desired; strings can be compared with case insensitivity and diacritic insensitivity by appending [cd] to the operator, e.g. CONTAINS[c] means case-insensitive comparison
- FALSE, TRUE, NULL have their expected literal meanings.
There are others as well, but you’ll seldom use them to filter log entries.
Building complex predicates
To see the scheduling and dispatch of background activities by DAS-CTS, you need to look at log extracts showing both their entries. Use the predicatesubsystem == "com.apple.duetactivityscheduler" OR subsystem CONTAINS "com.apple.xpc"
to do that. The first part of it includes those entries from DAS, and the second includes those for XPC and its relatives that run CTS. Using an OR between the two parts combines both sets of entries in the one extract.
To see the reports posted by XProtect Remediator, you need to look at those entries made by its subsystem that have the right category, using the predicatesubsystem == "com.apple.XProtectFramework.PluginAPI" AND category == "XPEvent.structured"
Using the AND operator ensures that the only entries shown come from that one subsystem, and they are given just that category.
Time Machine involves a combination of different subsystems and messages. To get a good overview of relevant entries, you can usesubsystem == "com.apple.TimeMachine" OR
(subsystem == "com.apple.duetactivityscheduler" AND eventMessage CONTAINS[c] "Rescoring all") OR
(subsystem == "com.apple.xpc.activity" AND eventMessage CONTAINS[c] "com.apple.backupd-auto") OR
eventMessage CONTAINS[c] "backup" OR
eventMessage CONTAINS[c] "Time Machine" OR eventMessage CONTAINS[c] "TimeMachine"
I’ve broken this down into separate lines, but you shouldn’t do that in the predicate. Taking it line by line it becomes simpler to understand. Use parentheses () to group each part of the predicate carefully as shown.
You can see other examples in the Help book for my free utility Mints: the Further Information pages towards the end give each of the predicates that Mints uses for its log extracts.
Quick summary
- [field name] [operator] [text or numeric value]
- common field names: senderImagePath, processImagePath, subsystem, eventMessage
- common operators: ==, CONTAINS[c]
- filter info: “text”
- combine filters using AND, OR.
