
Search & Filter

Last updated 1 month ago

Search and filter

To slice and dice your data, use the dynamic filters in the left panel and/or the query bar, which has two modes:

  1. Query Builder - supports key:value pairs as well as free text search, and works in tandem with the filters.

  2. Advanced Query - currently available only in the Logs section; enables more complex queries, including nested conditions and explicit use of a variety of operators.

To focus further, restrict the results to a specific time window with the time picker in the upper right of the screen.

Query Builder

The Query Builder is the default search option wherever search is available. It supports autocomplete of keys and values, plus a discovery mode that surfaces the values present in your data so users learn the data model as they type.

The following syntaxes are available for you to use in Query Builder:

| Syntax | Description | Examples | Sections |
|---|---|---|---|
| key:value | Search attributes, both groundcover built-in and custom attributes. Use * for wildcard search. Note: multiple filters for the same key act as OR conditions, whereas multiple filters for different keys act as AND conditions. | namespace:prod-us namespace:prod-* | Logs, Traces, K8s Events, API Catalog, Issues |
| term | Free text: search for single-word terms. Tip: expand your search results by using wildcards. | Exception, DivisionBy* | Logs |
| "term" | Phrase search (case-insensitive): enclose terms within double quotes to find results containing the exact phrase. Note: double quotes do not work with * wildcards. | "search term" | Logs |
| -key:value | Exclude: specify terms or filters to omit from your search; applies to each distinct search. | -key:value -term -"search term" | Logs, Traces, K8s Events, API Catalog, Issues |
| *:value | Search all attributes: search any attribute for a value; double quotes give an exact match, and wildcards are supported. | *:error *:"POST /api/search" *:erro* | Logs, Traces, Issues |
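To make the combination rules concrete, here is an added Python example (written for this page, not groundcover's own code, which is not shown here) that interprets Query Builder strings over a few constructed log records. It covers key:value with * wildcards, bare terms, "phrases", -exclusions and *:value, and applies the rule that filters on the same key are OR-ed while different keys are AND-ed. The record layout, treating * as a glob over a whole field value, and the case rules for bare terms are assumptions.

```python
import fnmatch
import re

# Constructed sample records (assumed layout: one flat dict per log line, free text under "message").
SAMPLE_LOGS = [
    {"id": 1, "namespace": "prod-us", "level": "error", "container": "api",
     "message": "Exception DivisionByZero in /api/search"},
    {"id": 2, "namespace": "prod-eu", "level": "debug", "container": "api",
     "message": "POST /api/search 200"},
    {"id": 3, "namespace": "dev", "level": "error", "container": "worker",
     "message": "errors while draining queue"},
]
# One token: optional "-" (exclude), optional key: (the key may be *), then a "quoted phrase" or a bare value.
TOKEN = re.compile(r'(-?)(?:([\w.*]+):)?("[^"]*"|\S+)')


def parse(query):
    """Return (negated, key, pattern) triples; key is None for free-text terms."""
    return [(neg == "-", key or None, pattern) for neg, key, pattern in TOKEN.findall(query)]


def value_matches(pattern, value):
    """key:value comparison: * is a glob wildcard, "quoted" values must match exactly (assumed)."""
    if pattern[:1] == '"':
        return value == pattern.strip('"')
    return fnmatch.fnmatchcase(value, pattern)


def text_matches(pattern, message):
    """Free text: "phrase" = case-insensitive substring, bare term = a single word, wildcards allowed."""
    if pattern[:1] == '"':
        return pattern.strip('"').lower() in message.lower()
    return any(fnmatch.fnmatchcase(word, pattern) for word in message.split())


def clause_matches(key, pattern, record):
    if key is None:
        return text_matches(pattern, record["message"])
    if key == "*":                                     # *:value looks at every attribute
        return any(value_matches(pattern, str(v)) for k, v in record.items() if k != "id")
    return key in record and value_matches(pattern, str(record[key]))


def matches(query, record):
    """Same key = OR, different keys (and each free-text term) = AND, -clause = must not match."""
    groups, excluded = {}, []
    for i, (negated, key, pattern) in enumerate(parse(query)):
        if negated:
            excluded.append((key, pattern))
        else:
            groups.setdefault(key or i, []).append((key, pattern))
    return (all(any(clause_matches(k, p, record) for k, p in alts) for alts in groups.values())
            and not any(clause_matches(k, p, record) for k, p in excluded))


def search(query, records=SAMPLE_LOGS):
    """Ids of the records matching a Query Builder string."""
    return [r["id"] for r in records if matches(query, r)]
```

Running search("namespace:prod-us namespace:prod-*") returns both prod records because the two namespace filters are alternatives, while search("namespace:prod-* level:error") narrows to the one record that satisfies both keys; an exclusion such as -level:debug is evaluated last and removes matches regardless of how the positive clauses combined.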

How to use filters

Filters are added and removed from the filters menu in the left bar. You can combine filters with the Query Builder; a filter applied from the left menu is also added to the Query Builder in text form.

  • Select / deselect a single filter - click on the checkbox on the left of the filter. (You can also deselect a filter by clicking the 'x' next to the text format of the filter on the search bar).

  • Deselect all but one filter (within a filter category, such as 'Level' or 'Format') - hover over the filter you want to leave on, then click on "ONLY".

    • You can switch between filters you want to leave on by hovering on another filter and clicking "ONLY" again.

    • To turn all other filters in that filter category back on, hover over the filter again and click "ALL".

  • Clear all filters within a filters category - click on the funnel icon next to the category name.

  • Clear all filters currently applied - click on the funnel icon next to the number of results.

Advanced Query

Advanced Query is currently available only in the Logs section.

Filters are not available in Advanced Query mode.

The following syntaxes are available for you to use in Advanced Query:

| Syntax | Description | Examples | Sections |
|---|---|---|---|
| key:value | Filters: use golden filters to narrow down your search. Note: multiple filters for the same key act as OR conditions, whereas multiple filters for different keys act as AND conditions. | level:error | Logs |
| @key:value | Attributes: search within the content of attributes. Note: multiple filters for the same key act as OR conditions, whereas multiple filters for different keys act as AND conditions. | @transaction.id:123 | Logs |
| term | Free text (exact match): search for single-word terms. Tip: expand your search results by using wildcards. | term | Logs |
| "term" | Phrase search (case-insensitive): enclose terms within double quotes to find results containing the exact phrase. | "search term" | Logs |
| ~ | Wildcard: search for partial matches. Note: the wildcard must be placed before the search term or value, and is always treated as a partial match. | key:~val, @key:~val, ~term, ~"search phrase" | Logs |
| NOT, ! | Exclude: specify terms or filters to omit from your search; applies to each distinct search. | !key:value NOT @key:value NOT term !"search term" | Logs |
| key:"" | Identify cases where the key does not exist or is empty. | pid:"" | Logs |
| key:=#, key:>#, key:<# | Search for key:value pairs where the value is equal to, greater than, or smaller than a specified number. | threadPriority:>5 | Logs |
| key:(val1 or val2) | Search for key:value pairs using a list of values. | level:(error or info) | Logs |
| query1 or query2 | Use the OR operator to display matches on either query. | level:error or format:json | Logs |
| query1 and query2 | Use the AND operator to display matches on both queries. | level:error and format:json | Logs |
| "search term prefix"* | Exact phrase prefix search. | "Error 1064 (42"* | Logs |

Additional examples of how to use Advanced Query mode:

Find all logs with level 'error' or 'warning', in 'json' or 'logfmt' format, where the status code is 500 or 503, the request path contains '/api/v1/', and exclude logs where the user agent is 'vmagent' or 'curl':

level:(error or warning) format:(json or logfmt) status_code:(500 or 503) @request.path:~"/api/v1/" NOT user_agent:(vmagent or curl)

Find logs where the bytes transferred are greater than 10000, the request method is POST, the host is not '10.1.11.65', and the namespace is 'production' or 'staging':

bytes:>10000 @request.method:POST NOT host:10.1.11.65 namespace:(production or staging)

Find logs from pods starting with 'backend-' in 'cluster-prod', where the level is 'error', the status code is not 200 or 204, and the request protocol is 'HTTP/2.0':

pod:~backend- cluster:cluster-prod level:error NOT status_code:(200 or 204) @request.protocol:"HTTP/2.0"

Find logs where the 'user_agent' field is empty or does not exist, the request path starts with '/admin', and the status code is greater than 400:

user_agent:"" @request.path:~"/admin" status_code:>400

Find logs in 'json' format from hosts starting with 'ip-10-1-', where the level is 'unknown', the container name contains 'redis', excluding logs with bytes transferred equal to 0:

format:json host:~"ip-10-1-" level:unknown container:~redis NOT bytes:0

Find logs where the time is '18/Sep/2024:07:25:46 +0000', the request method is GET, the status code is less than 200 or greater than 299, and the host is '10.1.11.65':

@time:"18/Sep/2024:07:25:46 +0000" @request.method:GET (status_code:<200 status_code:>299) host:10.1.11.65

Find logs where the level is 'info', the format is 'clf', the namespace is 'production', the pod name contains 'web', and exclude logs where the user agent is 'vmagent':

level:info format:clf namespace:production pod:~web NOT user_agent:vmagent

Find logs where the container name does not exist, the cluster is 'cluster-prod', the request path starts with '/internal', and the request protocol is 'HTTP/1.1':

container:"" cluster:cluster-prod @request.path:~"/internal" @request.protocol:"HTTP/1.1"

Find logs where the bytes transferred are greater than 5000, the request method is PUT or DELETE, the status code is 403 or 404, and the host is not '10.1.11.65':

bytes:>5000 @request.method:(PUT or DELETE) status_code:(403 or 404) NOT host:10.1.11.65

Find logs where the format is 'unknown', the level is not 'error', the user agent is 'curl', and the pod name starts with 'test-':

format:unknown NOT level:error user_agent:curl pod:~test-
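The following added example (written for this page, not groundcover's own code) implements the Advanced Query syntax from the table above as a small recursive-descent parser and evaluates queries of the kind listed above against three constructed log records. It shows how key:value, @key:value, ~ partial matches, NOT and !, key:"", numeric comparisons, value lists, explicit and/or and parentheses combine under the rule that same-key filters are OR-ed and different keys are AND-ed. The record layout (filter keys as top-level fields, @attributes flattened into an attrs dict, free text under message) and the exact/partial case rules are assumptions; the prefix form "..."* is not implemented.

```python
import re

# Constructed sample records (assumed layout: filter keys as top-level fields,
# free text under "message", @attributes flattened into the "attrs" dict).
SAMPLE_LOGS = [
    {"id": 1, "level": "error", "format": "json", "host": "10.1.12.8", "status_code": 500,
     "bytes": 12000, "user_agent": "Mozilla/5.0", "message": "Exception DivisionByZero in handler",
     "attrs": {"request.path": "/api/v1/users", "request.method": "POST"}},
    {"id": 2, "level": "warning", "format": "logfmt", "host": "ip-10-1-2-3", "status_code": 503,
     "bytes": 0, "user_agent": "curl", "message": "upstream unavailable",
     "attrs": {"request.path": "/api/v1/orders", "request.method": "GET"}},
    {"id": 3, "level": "error", "format": "json", "host": "10.1.11.65", "status_code": 403,
     "bytes": 7000, "user_agent": "", "message": "denied: admin token expired",
     "attrs": {"request.path": "/admin/keys", "request.method": "DELETE"}},
]
# A token is "(", ")" or a chunk; quoted strings and key:(a or b) lists stay inside one chunk.
TOKEN = re.compile(r'\(|\)|(?::\([^)]*\)|"[^"]*"|[^\s()"])+')
FILTER = re.compile(r"^(@?)([\w.]+):(.*)$", re.S)

def value_matcher(raw):
    """~value = case-insensitive partial match; anything else is exact (quotes stripped)."""
    if raw.startswith("~"):
        return lambda v, needle=raw[1:].strip('"').lower(): needle in v.lower()
    return lambda v, exact=raw.strip('"'): v == exact

def text_pred(tok):
    """Free text: bare term = whole word; ~term or "phrase" = case-insensitive substring."""
    if tok[:1] in ("~", '"'):
        return lambda r, needle=tok.strip('~"').lower(): needle in r["message"].lower()
    return lambda r, word=re.compile(r"(?<!\w)%s(?!\w)" % re.escape(tok)): bool(word.search(r["message"]))

class Parser:
    """or_expr := and_expr ('or' and_expr)*;  and_expr := unary+ with implicit AND."""
    def __init__(self, query):
        self.toks, self.pos = TOKEN.findall(query), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else ""

    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def or_expr(self):
        parts = [self.and_expr()]
        while self.peek().lower() == "or":
            self.take()
            parts.append(self.and_expr())
        return lambda r: any(p(r) for p in parts)

    def and_expr(self):
        groups = {}  # same key: OR-ed alternatives; different keys and keyless clauses: AND-ed
        while self.peek() not in ("", ")") and self.peek().lower() != "or":
            if self.peek().lower() == "and":
                self.take()
                continue
            key, pred = self.unary()
            groups.setdefault(key or len(groups), []).append(pred)
        return lambda r: all(any(p(r) for p in ps) for ps in groups.values())

    def unary(self):  # returns (key, pred); key is None for free text, groups and negations
        tok = self.take()
        if tok == "NOT" or tok.startswith("!"):
            pred = (self.unary() if tok == "NOT" else self.atom(tok[1:]))[1]
            return None, lambda r: not pred(r)
        if tok == "(":
            pred = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return None, pred
        return self.atom(tok)

    def atom(self, tok):
        m = FILTER.match(tok)
        if not m:
            return None, text_pred(tok)
        attr, key, raw = m.groups()
        get = (lambda r: r.get("attrs", {}).get(key)) if attr else (lambda r: r.get(key))
        if raw == '""':                                   # key missing or empty
            return attr + key, lambda r: get(r) in (None, "")
        if raw[:1] in ("<", ">", "="):                    # numeric comparison
            op, num = raw[0], float(raw[1:])
            def compare(r):
                try:
                    v = float(get(r))
                except (TypeError, ValueError):
                    return False
                return v > num if op == ">" else v < num if op == "<" else v == num
            return attr + key, compare
        values = raw[1:-1].split(" or ") if raw.startswith("(") else [raw]   # (a or b) = OR
        matchers = [value_matcher(v.strip()) for v in values]
        return attr + key, lambda r: get(r) is not None and any(f(str(get(r))) for f in matchers)

def search(query, records=SAMPLE_LOGS):
    """Ids of the records matching an Advanced Query string."""
    parser = Parser(query)
    pred = parser.or_expr()
    if parser.peek():
        raise ValueError("unexpected token %r" % parser.peek())
    return [r["id"] for r in records if pred(r)]
```

The grouping in and_expr is what makes (status_code:<200 status_code:>299) behave as "less than 200 or greater than 299": both clauses carry the same key, so they land in one group and are OR-ed, while the host filter outside the parentheses is a different key and is AND-ed with that group. Negations are deliberately keyless, so NOT host:10.1.11.65 next to another host filter still narrows rather than widens the result.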

Switching between Query Builder and Advanced Query modes

By default, the search bar will be displayed in Query Builder mode. Use the button on the right of the search bar to switch back and forth between the Query Builder and Advanced Query.

[Screenshot: Switch to Advanced Query mode]
[Screenshot: Switch to Query Builder mode]