# Working with Aggregated Logs Aggregated logs are just regular logs with specific [nimbus attributes](/resources/ref.attributes.md). The individual payload of the pre-aggregated logs can be found in the `nimdata` field which is an array of the underlying log events. The message field is an array of the original [log bodies](/overview/concepts.md#log-body) ## Search When searching for values within a JSON array, use the same syntax as when searching a regular property. ```yaml { message: ["item 123 refreshed", "item 345 refreshed", "item 567 error"], jobId: 1, nimdata: [ { jobId: 1, message: "item 123 refreshed", category: "luxury" }, { jobId: 1, message: "item 345 refreshed", category: "toys" }, { jobId: 1, message: "item 567 refreshed", category: "luxury" } ] ... } ``` For example, to find log messages with "error", you can use the following search ``` "error" ``` Searching for values within a JSON array of objects, you can use the following search ``` @nimdata.category:"luxury" ``` ## Monitors Nimbus is compatible with existing log monitoring setups. We'll walkthrough three common scenarios below and how monitors would behave after Nimbus: ### Error Monitors These are monitors that alert based on logs with errors. Error logs are automatically detected by Nimbus and go through a separate pipeline that [bypasses aggregation](/additional-features/advanced.error-detection.md). This means any monitors on error logs will be unaffected. ### Count based monitors These are monitors that measure the number of logs during a set interval. You can retrieve the original size of of pre-aggregated logs by using `Sum of @nimsize` instead of `Count of All Logs`. > Original Monitor based on Count ![Original Monitor based on Count](https://ik.imagekit.io/fpjzhqpv1/t1_GJ0Y_FcA8i.jpg?updatedAt=1707333218591) > Aggregated Monitor based on @nimsize ![Aggregated Monitor based on @nimsize](https://ik.imagekit.io/fpjzhqpv1/t2_8ZXmygOvX.jpg?updatedAt=1707333218799) ### Attribute based monitors These are monitors that depend on a specific attribute within the aggregated log. You can either modify the monitor to alarm based on the nested attribute or use the [pull\_up](/overview/ntl/ntl.transforms.md#pull_up) directive to keep attributes that you alarm on at the top level. ## Dashboards All instructions for monitors also apply to dashboards. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.nimbus.dev/overview/logs.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.