Search and filter

To help you slice and dice your data, you can use our dynamic filters (left panel) and/or our powerful querying capabilities:

  1. Query Builder - Supports key:value pairs, as well as free text search. The Query Builder works in tandem with our filters.

  2. Advanced Query - Currently available only for our Logs section, enables more complex queries, including nested condition support and explicit use of a variety of operators.

To further focus your results, you can also restrict the results to specific time windows using the time picker on the upper right of the screen.

Query Builder

The Query Builder is the default search option wherever search is available. It supports advanced autocomplete of keys and values, as well as a discovery mode that surfaces the values present in your data to teach users the data model.

The following syntaxes are available for you to use in Query Builder:

| Syntax | Description | Examples | Sections |
|---|---|---|---|
| key:value | Filters: use golden filters to narrow down your search. Note: multiple filters for the same key act as 'OR' conditions, whereas multiple filters for different keys act as 'AND' conditions. | level:error | Logs, Traces, K8s Events, API Catalog |
| @key:value | Attributes: search within the content of attributes. Note: multiple filters for the same key act as 'OR' conditions, whereas multiple filters for different keys act as 'AND' conditions. | @transaction.id:123 | Logs, Traces |
| term | Free text (exact match): search for single-word terms. Tip: expand your search results by using wildcards. | term | Logs, K8s Events |
| " " | Phrase search (case-insensitive): enclose terms within double quotes to find results containing the exact phrase. | "search term" | Logs, K8s Events |
| * | Wildcard: search for partial matches. Note: wildcards are enabled in all searches except phrase search, where they are treated as a literal asterisk character. | key:val*, @key:val*, te* | Logs, Traces, K8s Events, API Catalog |
| - | Exclude: specify terms or filters to omit from your search; applies to each distinct search. | -key:value, -@key:value, -term, -"search term" | Logs, Traces, K8s Events, API Catalog |
| *:"" | Holistic attribute search: search for a particular value in any attribute. | *:"error" | Logs, Traces |

How to use filters

Filters are very easy to add and remove, using the filters menu on the left bar. You can combine filters with the Query Builder, and filters applied using the left menu will also be added to the Query Builder in text format.

  • Select / deselect a single filter - click on the checkbox on the left of the filter. (You can also deselect a filter by clicking the 'x' next to the text format of the filter on the search bar).

  • Deselect all but one filter (within a filter category, such as 'Level' or 'Format') - hover over the filter you want to leave on, then click on "ONLY".

    • You can switch between filters you want to leave on by hovering on another filter and clicking "ONLY" again.

    • To turn all other filters in that filter category back on, hover over the filter again and click "ALL".

  • Clear all filters within a filters category - click on the funnel icon next to the category name.

  • Clear all filters currently applied - click on the funnel icon next to the number of results.

Advanced Query

Advanced Query is currently available only in the Logs section.

Filters are not available in Advanced Query mode.

The following syntaxes are available for you to use in Advanced Query:

| Syntax | Description | Examples | Sections |
|---|---|---|---|
| key:value | Filters: use golden filters to narrow down your search. Note: multiple filters for the same key act as 'OR' conditions, whereas multiple filters for different keys act as 'AND' conditions. | level:error | Logs |
| @key:value | Attributes: search within the content of attributes. Note: multiple filters for the same key act as 'OR' conditions, whereas multiple filters for different keys act as 'AND' conditions. | @transaction.id:123 | Logs |
| term | Free text (exact match): search for single-word terms. Tip: expand your search results by using wildcards. | term | Logs |
| " " | Phrase search (case-insensitive): enclose terms within double quotes to find results containing the exact phrase. | "search term" | Logs |
| ~ | Wildcard: search for partial matches. Note: the wildcard must be added before the search term or value, and is always treated as a partial-match search. | key:~val, @key:~val, ~term, ~"search phrase" | Logs |
| NOT, ! | Exclude: specify terms or filters to omit from your search; applies to each distinct search. | !key:value, NOT @key:value, NOT term, !"search term" | Logs |
| key:"" | Identify cases where the key does not exist or is empty. | pid:"" | Logs |
| key:=#, key:>#, key:<# | Search for key:value pairs where the value is equal to, greater than, or smaller than a specified number. | threadPriority:>5 | Logs |
| key:(val1 or val2) | Search for key:value pairs using a list of values. | level:(error or info) | Logs |
| query1 or query2 | Use the OR operator to display matches on either query. | level:error or format:json | Logs |
| query1 and query2 | Use the AND operator to display matches on both queries. | level:error and format:json | Logs |
| "Search term prefix"* | Exact phrase prefix search. | "Error 1064 (42"* | Logs |

Additional examples of how to use Advanced Query mode:

Find all logs with level 'error' or 'warning', in 'json' or 'logfmt' format, where the status code is 500 or 503, the request path contains '/api/v1/', and exclude logs where the user agent is 'vmagent' or 'curl':

level:(error or warning) format:(json or logfmt) status_code:(500 or 503) @request.path:~"/api/v1/" NOT user_agent:(vmagent or curl)

Find logs where the bytes transferred are greater than 10000, the request method is POST, the host is not '10.1.11.65', and the namespace is 'production' or 'staging':

bytes:>10000 @request.method:POST NOT host:10.1.11.65 namespace:(production or staging)

Find logs from pods starting with 'backend-' in 'cluster-prod', where the level is 'error', the status code is not 200 or 204, and the request protocol is 'HTTP/2.0':

pod:~backend- cluster:cluster-prod level:error NOT status_code:(200 or 204) @request.protocol:"HTTP/2.0"

Find logs where the 'user_agent' field is empty or does not exist, the request path starts with '/admin', and the status code is greater than 400:

user_agent:"" @request.path:~"/admin" status_code:>400

Find logs in 'json' format from hosts starting with 'ip-10-1-', where the level is 'unknown', the container name contains 'redis', excluding logs with bytes transferred equal to 0:

format:json host:~"ip-10-1-" level:unknown container:~redis NOT bytes:0

Find logs where the time is '18/Sep/2024:07:25:46 +0000', the request method is GET, the status code is less than 200 or greater than 299, and the host is '10.1.11.65':

@time:"18/Sep/2024:07:25:46 +0000" @request.method:GET (status_code:<200 status_code:>299) host:10.1.11.65

Find logs where the level is 'info', the format is 'clf', the namespace is 'production', the pod name contains 'web', and exclude logs where the user agent is 'vmagent':

level:info format:clf namespace:production pod:~web NOT user_agent:vmagent

Find logs where the container name does not exist, the cluster is 'cluster-prod', the request path starts with '/internal', and the request protocol is 'HTTP/1.1':

container:"" cluster:cluster-prod @request.path:~"/internal" @request.protocol:"HTTP/1.1"

Find logs where the bytes transferred are greater than 5000, the request method is PUT or DELETE, the status code is 403 or 404, and the host is not '10.1.11.65':

bytes:>5000 @request.method:(PUT or DELETE) status_code:(403 or 404) NOT host:10.1.11.65

Find logs where the format is 'unknown', the level is not 'error', the user agent is 'curl', and the pod name starts with 'test-':

format:unknown NOT level:error user_agent:curl pod:~test-
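The evaluator below is an added example written for this page, not the product's own query engine, and it may differ from the real engine in details the table does not specify. It models the rules in the Advanced Query table and the example queries above over three constructed log records: same-key clauses OR together, different keys AND together, NOT and ! exclude, ~ is a partial match (assumed here to be a case-insensitive substring test), key:"" matches a missing or empty key, key:>N and friends compare numerically, key:(a or b) lists values, and explicit or/and plus (...) groups nest. It assumes that @a.b is looked up as record["a"]["b"] and that free text is matched against a "message" field; the phrase-prefix form "..."* is not modelled.

```python
# Offline model of the Advanced Query rules documented above. Added illustrative
# code for this page, not the product's own query engine. Assumptions: "@a.b" is
# resolved as record["a"]["b"], free text is matched against record["message"],
# and "~" is a case-insensitive substring match.
import re

# Constructed sample records, not real log data (1 has no "container", 3 no "user_agent").
LOGS = [
    {"id": 1, "level": "error", "format": "json", "status_code": 503, "bytes": 12000,
     "host": "10.1.11.65", "pod": "backend-7f", "user_agent": "Mozilla/5.0",
     "request": {"path": "/api/v1/orders", "method": "POST"}, "message": "upstream timeout"},
    {"id": 2, "level": "warning", "format": "logfmt", "status_code": 500, "bytes": 300,
     "host": "10.1.11.70", "pod": "backend-1a", "user_agent": "curl", "container": "",
     "request": {"path": "/api/v1/users", "method": "GET"}, "message": "handler panic"},
    {"id": 3, "level": "info", "format": "clf", "status_code": 403, "bytes": 0,
     "host": "ip-10-1-4-9", "pod": "web-2c", "container": "redis-cache",
     "request": {"path": "/admin/users", "method": "GET"}, "message": "admin login denied"},
]

# Tokens: "(" and ")" group; quoted phrases and key:(v1 or v2) lists stay whole.
TOKEN_RE = re.compile(r'\(|\)|(?::\([^)]*\)|"[^"]*"|[^\s()"])+')
OPS = {"=": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def parse(tokens):
    """("or", [("and", items)...]); an item is ("clause", negate, text) or ("sub", negate, tree)."""
    pos = 0
    def expr():
        nonlocal pos
        alts = [conj()]
        while pos < len(tokens) and tokens[pos].lower() == "or":
            pos += 1
            alts.append(conj())
        return ("or", alts)
    def conj():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != ")" and tokens[pos].lower() != "or":
            tok, pos = tokens[pos], pos + 1
            if tok.lower() == "and":          # explicit AND is the same as a space
                continue
            negate = tok.upper() == "NOT" or tok.startswith("!")
            if tok.upper() == "NOT":          # NOT applies to the next token
                tok, pos = tokens[pos], pos + 1
            elif negate:
                tok = tok[1:]
            if tok == "(":
                items.append(("sub", negate, expr()))
                pos += 1                      # consume the closing ")"
            else:
                items.append(("clause", negate, tok))
        return ("and", items)
    return expr()


def lookup(rec, key):
    """Resolve a dotted key; the "@" attribute marker is simply dropped here."""
    for part in key.lstrip("@").split("."):
        rec = rec.get(part) if isinstance(rec, dict) else None
    return rec


def value_pred(raw):
    """Predicate on one field value, built from the text after the colon."""
    if raw == '""':                                   # key missing or empty
        return lambda v: v in (None, "")
    if raw.startswith("("):                           # key:(v1 or v2)
        preds = [value_pred(p) for p in re.split(r"\s+or\s+", raw[1:-1].strip(), flags=re.I)]
        return lambda v: any(p(v) for p in preds)
    if raw.startswith("~"):                           # partial match
        return lambda v: v is not None and raw[1:].strip('"').lower() in str(v).lower()
    m = re.match(r"^([=<>])(-?\d+(?:\.\d+)?)$", raw)
    if m:                                             # =, > or < against a number
        op, num = OPS[m.group(1)], float(m.group(2))
        return lambda v: isinstance(v, (int, float)) and op(float(v), num)
    if raw.startswith('"'):                           # exact phrase, case-insensitive
        return lambda v: v is not None and str(v).lower() == raw.strip('"').lower()
    return lambda v: v is not None and str(v) == raw  # exact value


def parse_clause(text):
    """(key, predicate) for key:value; (None, predicate) for free text."""
    if ":" in text and text[:1] not in ('"', "~"):
        key, raw = text.split(":", 1)
        pred = value_pred(raw)
        return key, lambda rec: pred(lookup(rec, key))
    if text[:1] in ('"', "~"):                        # phrase or partial free text
        needle = text.lstrip("~").strip('"').lower()
        return None, lambda rec: needle in str(rec.get("message", "")).lower()
    return None, lambda rec: text in str(rec.get("message", "")).split()


def evaluate(node, rec):
    """Same-key clauses OR together, different keys AND, NOT/! excludes."""
    if node[0] == "or":
        return any(evaluate(alt, rec) for alt in node[1])
    groups, excluded, subs = {}, [], []
    for i, (kind, negate, body) in enumerate(node[1]):
        if kind == "sub":
            subs.append(evaluate(body, rec) != negate)
        else:
            key, pred = parse_clause(body)
            (excluded if negate else groups.setdefault(key or ("text", i), [])).append(pred)
    return (all(subs) and all(any(p(rec) for p in g) for g in groups.values())
            and not any(p(rec) for p in excluded))


def search(query, records=LOGS):
    tree = parse(TOKEN_RE.findall(query))
    return [r["id"] for r in records if evaluate(tree, r)]
```

Running search() with the first example query above returns only record 1: record 2 is dropped by the NOT user_agent:(vmagent or curl) clause and record 3 by the level list. Replaying a saved query against a few hand-built records like this is a cheap way to confirm that an exclusion or a numeric comparison behaves as intended before the query is relied on for monitoring.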

Switching between Query Builder and Advanced Query modes

By default, the search bar will be displayed in Query Builder mode. Use the button on the right of the search bar to switch back and forth between the Query Builder and Advanced Query.