Searching the Indexed Data
Use the Discover page to search Refinery views for information and insights from your cloud storage files.
The Search Analytics Discover page searches are often the first step for queries on newly indexed data, or for those who want to search for very specific details in their log and event files. When you click Search Analytics in the ChaosSearch console, the Discover page opens and you can start to search with a ChaosSearch view.
A sample discover of an ELB logs view shows the basic steps to select a view, select a timeframe, and then watch for the results:
This example found 1 million results, which are all of the records for this particular view and object group. A wide search for a short period of time can be helpful to fetch sample results, but it is more commonly the case that users and analysts want more refined searches to see the results for very specific criteria.
Below the histogram, Discover returns a detailed view of up to 500 records (the default configured setting) from the matching hits. So a random 500 records from the 1,00,000 hits that were found. The records provide more information for users to scan and review with additional columns of information. The number of returned records is limited for performance, and can be increased or decreased after consultation with ChaosSearch.
Hits, Results, Documents...
Hits, results, records, rows, documents, and data are synonyms for the information returned in a search of the indexed data associated with a Refinery view. Elastic uses the term document (or doc) for the unstructured content that it searches and for a matching result returned in Elastic queries. Search Analytics uses hits as the number of items found in a discover/search of content. SQL uses rows (and columns) for the information returned in SQL SELECT operations, though the term record is sometimes used. All of these terms are used in the ChaosSearch documentation to be flexible with the supported UIs, APIs, and possible integrations with third-party apps that might use these or other terms for results.
Searching One or More Views
You begin the Discover process by selecting a Refinery view to search in the drop-down list. Typically you select one view, and if desired, you can add views to the search using the Add Index Pattern option. The following screen shows a Discover result set of 24 records for the view cloud-iso-region-1 and the Add Index Pattern option to add a second view cloud-iso-region2.
The following screen shows how adding the second view with the data for region 2 returned more results with the additional records for the second region:
You can clear any selected additional views and return to the single view by clicking Clear Index Patterns.
The multi-view feature is helpful in cases where similar data is organized using different views. For example, users might have a view for live log data, and another view for historical/static, log data that was archived to cloud-storage weeks or months before. Some organizations might have unique views of similar data for a specific team or region. With multiview, you can select one view in the drop-down list (the primary view), and select additional views using Add Index Pattern. The Discover will then search across all selected views for the specified criteria and time range.
Some important points about multi-view:
- Use views that share a common schema of columns and data.
- The Discover page areas for Selected fields and Available fields are based on the primary view. While the additional views should have similar columns, the list does not update to show all possible columns.
- Any existing filters for the currently selected view are cleared when you add another view. You must specify the filters for the new search.
- The query returns up to 500 (configured default) records per view. If you query two views, for example, Discover returns up to 500 matching records from each view, for a maximum of up to 1000 records. In the example above, only 48 matching hits were found, so all 48 matching records are returned.
Search Your Data
Discover includes some very useful options for creating refined queries, and for filtering the result output. There are three basic search types in Search Analytics:
- Free text searches – run a wide search for important values (powerful, but usually not the most efficient)
- Field-level searches – search specific fields for values of interest. You can use Dashboards Query Language (DQL) to refine the results.
- Filter-based searches – search fields with UI filtering controls that can help to narrow the results
The Search Analytics/Elastic applications also include support for wildcards, ranges, and regular expression matching options.
Incremental Query Results
When your Discover searches are scanning a very large number of results, ChaosSearch loads the results incrementally until the results are complete. An example follows:
With incremental loading, the Discover results update periodically while the search runs (note the Query in Progress status), and then stop loading when the query is complete. In this way, analysts can start to see the results right away rather than waiting many seconds or possibly a minute for the complete set of results to be returned.
Explore Result Details
The histogram shows a timeline of the results or hits (when a view has time-based data). The results panel below the histogram shows more details about the results. By default, the results are an abbreviated summary of fields (and possibly partial fields for very wide columns). Click the expand button (carat) on the left of any row in the search results to view more information about the record data as a table. Click the carat again to collapse the information back to the default view.
By default, the data is displayed in a tabular format. To view the data as a JSON object, click the JSON tab.
Filtering the Record Display
As shown in the previous examples, the results information could be very dense for some logs and events sources. You can use the Available fields selections in the left list to select the columns that you want to display for the results, which can help to focus the eye on key pieces of information. For example, for the ELB log data, you can use the left controls to show only a subset of columns like cs_uri_stem. You can remove the Selected fields filters to restore the full information:
You can clear a filter fields by hovering over each one in the Selected fields area and clicking the x to remove that option. If you remove all of the selected options, the record display returns to its complete form.
Updated 12 days ago