Search and filter
To help you slice and dice your data, you can use our dynamic filters (left panel) and/or our powerful querying capabilities:
Query Builder - Supports key:value pairs, as well as free text search. The Query Builder works in tandem with our filters.
Advanced Query - Currently available only for our Logs section, enables more complex queries, including nested conditions and explicit use of a variety of operators.
To further focus your results, you can also restrict the results to specific time windows using the time picker on the upper right of the screen.
Query Builder
The Query Builder is the default search option wherever search is available. It supports autocomplete of keys and values, and a discovery mode that explores the values in your data to teach users the data model.
The following syntaxes are available for you to use in Query Builder:
Syntax: key:value
Filters: Use golden filters to narrow down your search. Note: multiple filters for the same key act as 'OR' conditions, whereas multiple filters for different keys act as 'AND' conditions.
Example: level:error
Available in: Logs, Traces, K8s Events, API Catalog

Syntax: @key:value
Attributes: Search within the content of attributes. Note: multiple filters for the same key act as 'OR' conditions, whereas multiple filters for different keys act as 'AND' conditions.
Example: @transaction.id:123
Available in: Logs, Traces

Syntax: term
Free text (exact match): Search for single-word terms. Tip: expand your search results by using wildcards.
Example: term
Available in: Logs, K8s Events

Syntax: " "
Phrase search (case-insensitive): Enclose terms within double quotes to find results containing the exact phrase.
Example: "search term"
Available in: Logs, K8s Events

Syntax: *
Wildcard: Search for partial matches. Note: wildcards are enabled in all searches except phrase search, where they are treated as a literal asterisk character.
Examples:
  key:val*
  @key:val*
  te*
Available in: Logs, Traces, K8s Events, API Catalog

Syntax: -
Exclude: Specify terms or filters to omit from your search; applies to each distinct search.
Examples:
  -key:value
  -@key:value
  -term
  -"search term"
Available in: Logs, Traces, K8s Events, API Catalog

Syntax: *:""
Holistic attribute search: Search for a particular value in any attribute.
Example: *:"error"
Available in: Logs, Traces
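The combination rules above (same key OR, different keys AND, '-' excludes, '*' as a wildcard except inside a phrase, *:"value" across attributes) as an added Python example; this is not the product's own code, and the record layout, the treatment of free text as a search over all attribute values grouped like a key, and the function names are assumptions.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample records (not from the page): top-level keys stand in for
# the golden filter keys, and "attrs" holds the @-prefixed attributes.
LOGS = [
    {"level": "error", "format": "json", "attrs": {"transaction.id": "123", "msg": "db timeout"}},
    {"level": "warn", "format": "json", "attrs": {"transaction.id": "124", "msg": "slow query"}},
    {"level": "error", "format": "clf", "attrs": {"transaction.id": "125", "msg": "auth error"}},
]

def parse_builder(query):
    """Split a Query Builder string into (negated, key, value) clauses.
    Quoted phrases stay one clause; key is None for free-text terms."""
    clauses = []
    for tok in re.findall(r'-?(?:\S*?"[^"]*"|\S+)', query):
        neg = tok.startswith("-")
        body = tok[1:] if neg else tok
        key, sep, val = ("", "", body) if body.startswith('"') else body.partition(":")
        clauses.append((neg, key if sep else None, val if sep else body))
    return clauses

def field_values(rec, key):
    """Values a clause is compared against (assumed: free text and '*' search every attribute)."""
    if key is None or key == "*":
        return [str(v) for v in rec["attrs"].values()]
    v = rec["attrs"].get(key[1:]) if key.startswith("@") else rec.get(key)
    return [] if v is None else [str(v)]

def value_matches(got, val):
    got = got.lower()
    if len(val) >= 2 and val[0] == val[-1] == '"':   # phrase: case-insensitive, '*' is a literal
        return val[1:-1].lower() in got
    # single term: exact match with '*' as wildcard, tried on the whole value and on each word
    return any(fnmatchcase(w, val.lower()) for w in [got, *got.split()])

def builder_search(query, logs=LOGS):
    """Page rules: same key -> OR, different keys -> AND, '-' clauses exclude a record."""
    clauses = parse_builder(query)
    def matches(rec):
        hits_by_key = defaultdict(list)
        for neg, key, val in clauses:
            hit = any(value_matches(g, val) for g in field_values(rec, key))
            if neg and hit:
                return False
            if not neg:
                hits_by_key[key].append(hit)
        return all(any(hits) for hits in hits_by_key.values())
    return [r for r in logs if matches(r)]
```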
How to use filters
Filters are very easy to add and remove, using the filters menu on the left bar. You can combine filters with the Query Builder, and filters applied using the left menu will also be added to the Query Builder in text format.
Select / deselect a single filter - click on the checkbox on the left of the filter. (You can also deselect a filter by clicking the 'x' next to the text format of the filter on the search bar).
Deselect all but one filter (within a filter category, such as 'Level' or 'Format') - hover over the filter you want to leave on, then click on "ONLY".
You can switch between filters you want to leave on by hovering on another filter and clicking "ONLY" again.
To turn all other filters in that filter category back on, hover over the filter again and click "ALL".
Clear all filters within a filters category - click on the funnel icon next to the category name.
Clear all filters currently applied - click on the funnel icon next to the number of results.
Advanced Query
Advanced Query is currently available only in the Logs section.
Filters are not available in Advanced Query mode.
The following syntaxes are available for you to use in Advanced Query:
Syntax: key:value
Filters: Use golden filters to narrow down your search. Note: multiple filters for the same key act as 'OR' conditions, whereas multiple filters for different keys act as 'AND' conditions.
Example: level:error
Available in: Logs

Syntax: @key:value
Attributes: Search within the content of attributes. Note: multiple filters for the same key act as 'OR' conditions, whereas multiple filters for different keys act as 'AND' conditions.
Example: @transaction.id:123
Available in: Logs

Syntax: term
Free text (exact match): Search for single-word terms. Tip: expand your search results by using wildcards.
Example: term
Available in: Logs

Syntax: " "
Phrase search (case-insensitive): Enclose terms within double quotes to find results containing the exact phrase.
Example: "search term"
Available in: Logs

Syntax: ~
Wildcard: Search for partial matches. Note: the wildcard must be placed before the search term or value, and is always treated as a partial-match search.
Examples:
  key:~val
  @key:~val
  ~term
  ~"search phrase"
Available in: Logs

Syntax: NOT or !
Exclude: Specify terms or filters to omit from your search; applies to each distinct search.
Examples:
  !key:value
  NOT @key:value
  NOT term
  !"search term"
Available in: Logs

Syntax: key:""
Empty or missing key: Identify cases where the key does not exist or is empty.
Example: pid:""
Available in: Logs

Syntax: key:=#, key:>#, key:<#
Numeric comparison: Search for key:value pairs whose value is equal to, greater than, or smaller than a specified number.
Example: threadPriority:>5
Available in: Logs

Syntax: key:(val1 or val2)
List of values: Search for key:value pairs using a list of values.
Example: level:(error or info)
Available in: Logs

Syntax: query1 or query2
OR operator: Show results that match either query.
Example: level:error or format:json
Available in: Logs

Syntax: query1 and query2
AND operator: Show results that match both queries.
Example: level:error and format:json
Available in: Logs

Syntax: "Search term prefix"*
Exact phrase prefix search: Find results whose phrase starts with the quoted text.
Example: "Error 1064 (42"*
Available in: Logs
Additional examples of how to use Advanced Query mode:
Find all logs with level 'error' or 'warning', in 'json' or 'logfmt' format, where the status code is 500 or 503, the request path contains '/api/v1/', and exclude logs where the user agent is 'vmagent' or 'curl':
Find logs where the bytes transferred are greater than 10000, the request method is POST, the host is not '10.1.11.65', and the namespace is 'production' or 'staging':
Find logs from pods starting with 'backend-' in 'cluster-prod', where the level is 'error', the status code is not 200 or 204, and the request protocol is 'HTTP/2.0':
Find logs where the 'user_agent' field is empty or does not exist, the request path starts with '/admin', and the status code is greater than 400:
Find logs in 'json' format from hosts starting with 'ip-10-1-', where the level is 'unknown', the container name contains 'redis', excluding logs with bytes transferred equal to 0:
Find logs where the time is '18/Sep/2024:07:25:46 +0000', the request method is GET, the status code is less than 200 or greater than 299, and the host is '10.1.11.65':
Find logs where the level is 'info', the format is 'clf', the namespace is 'production', the pod name contains 'web', and exclude logs where the user agent is 'vmagent':
Find logs where the container name does not exist, the cluster is 'cluster-prod', the request path starts with '/internal', and the request protocol is 'HTTP/1.1':
Find logs where the bytes transferred are greater than 5000, the request method is PUT or DELETE, the status code is 403 or 404, and the host is not '10.1.11.65':
Find logs where the format is 'unknown', the level is not 'error', the user agent is 'curl', and the pod name starts with 'test-':
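An added Python example, not the product's own code, that evaluates Advanced Query expressions built from the operators in the table above (key:value, @key, ~partial, key:"", numeric comparisons, NOT/!, and/or with parentheses), the kind of nested condition the descriptions above call for. The record layout, the operator precedence (not, then and, then or) and the names Evaluator and advanced_search are assumptions; the list syntax, free text and phrase search are not modelled.

```python
import re

# Constructed sample records (not from the page); "attrs" holds the @-prefixed attributes.
LOGS = [
    {"level": "error", "format": "json", "pid": "41", "attrs": {"status": "503", "path": "/api/v1/users"}},
    {"level": "info", "format": "logfmt", "pid": "", "attrs": {"status": "200", "path": "/healthz"}},
    {"level": "error", "format": "clf", "attrs": {"status": "404", "path": "/api/v1/orders"}},
]
TOKEN = re.compile(r'\(|\)|!|\b(?:and|or|not)\b|[^\s()]+', re.I)

def match_term(rec, tok):
    """Evaluate one key:value token with the operators from the table above (assumed record layout)."""
    key, _, val = tok.partition(":")
    got = rec["attrs"].get(key[1:]) if key.startswith("@") else rec.get(key)
    if val == '""': return got in (None, "")          # key:"" -> key missing or empty
    if got is None: return False
    if val.startswith("~"):                           # key:~val -> partial (substring) match
        return val[1:].lower() in str(got).lower()
    if val and val[0] in "<>=":                       # key:>#, key:<#, key:=#
        try:
            num, ref = float(got), float(val[1:])
        except ValueError:                            # a non-numeric field never satisfies a comparison
            return False
        return {">": num > ref, "<": num < ref, "=": num == ref}[val[0]]
    return str(got).lower() == val.lower()            # key:value -> exact match

class Evaluator:
    """Recursive descent: 'not'/'!' binds tightest, then 'and', then 'or' (assumed precedence)."""
    def __init__(self, query): self.toks, self.i = TOKEN.findall(query), 0
    def peek(self): return self.toks[self.i].lower() if self.i < len(self.toks) else None
    def take(self): self.i += 1; return self.toks[self.i - 1]
    def binop(self, word, sub, combine, rec):
        v = sub(rec)
        while self.peek() == word:
            self.take(); v = combine(v, sub(rec))     # no short-circuit, so every token is consumed
        return v
    def expr_or(self, rec): return self.binop("or", self.expr_and, lambda a, b: a or b, rec)
    def expr_and(self, rec): return self.binop("and", self.expr_not, lambda a, b: a and b, rec)
    def expr_not(self, rec):
        if self.peek() in ("not", "!"):
            self.take(); return not self.expr_not(rec)
        if self.peek() == "(":
            self.take(); v = self.expr_or(rec)
            if self.take() != ")": raise ValueError("unbalanced parentheses")
            return v
        return match_term(rec, self.take())

def advanced_search(query, logs=LOGS):
    return [r for r in logs if Evaluator(query).expr_or(r)]
```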
Switching between Query Builder and Advanced Query modes
By default, the search bar will be displayed in Query Builder mode. Use the button on the right of the search bar to switch back and forth between the Query Builder and Advanced Query.