Explorer Search¶

During the process of data retrieval in various explorers, we can use multiple search and filtering methods, such as fuzzy search, associated search, forward filtering, reverse filtering, etc. Below, we will provide a detailed explanation.

Search Instructions¶

Keyword Search¶

The explorer supports entering keywords in the search bar for retrieval. The query results will highlight the entered keywords, as shown in the figure below.

Wildcard Search¶

The explorer supports entering wildcards for fuzzy matching searches, such as entering global* in the log search bar, which returns log data containing the keyword "global". After "global", there can be any number of characters, as shown in the figure.

Associated Search¶

The explorer supports associated searches using AND/OR/NOT logic, which can be combined with wildcard searches.

Logical Relationship	Description
a AND b	Returns results that include both a and b. The more keywords entered, the more precise the data match. `AND` can be replaced by a `space` or `,`, i.e., `a,b` = `a b` = `a AND b`.
a OR b	Returns results that include either a or b.
NOT c	Returns results that do not include the keyword c.

JSON Search¶

Prerequisite: The workspace must have been created after June 23, 2022.

Currently, the JSON search feature is only available for the log explorer, with instructions as follows:

By default, it performs an exact search on the content of message, and message must be in JSON format; other formats of log content are not supported.
The JSON search format is: @key:value. For multi-level JSON, you can use “.” to connect levels, i.e., @key1.key2:value, as shown in the figure.

Field Filtering¶

In the explorer, you can filter values based on labels/attributes using four filtering methods: forward filtering, reverse filtering, wildcard matching, and reverse wildcard matching.

You can select from a dropdown menu or manually input label content in the specified format and press Enter to filter.
Forward selection, reverse selection, wildcard matching, and reverse wildcard matching are placed under four separate dropdowns, where each label has an and relationship.
If a label has both forward and reverse selection states simultaneously, it will be grayed out and uneditable in quick filters.

Forward Filtering¶

Search using the key:value format for forward filtering, for example: searching for status:error in the log explorer returns all log data where the status is error.

Reverse Filtering¶

Search using the -key:value format for reverse filtering. For example: searching for -status:info in the log explorer returns all log data where the status is not info.

Manually inputting label content for reverse selection

Wildcard Matching (Wildcard Matching)¶

Search using the *key:value format for wildcard matching. Wildcards can be used in the value field for matching. For example: searching for *host:prd-* in the log explorer returns all log data where the hostname starts with prd-.

Manually inputting label content for wildcard matching

Reverse Wildcard Matching (Not Wildcard Matching)¶

Search using the -*key:value format for reverse wildcard matching. Wildcards can be used in the value field for matching. For example: searching for -*service:k8s* in the log explorer returns all log data where the service does not start with k8s. Supports manual input of label content for reverse wildcard matching.

Editing Filters¶

Selected labels support two editing methods:

Single-clicking Labels¶

Single-clicking a label allows you to modify the filtering conditions in the popup dialog. (Note: Label tags do not support pop-up editing.)

Operation Method:
Equals: Positive filtering, supports selecting label values from a dropdown or manually entering label values and pressing Enter;
Not Equals: Reverse filtering, supports selecting label values from a dropdown or manually entering label values and pressing Enter;
Wildcard Matching: Supports entering wildcards for fuzzy matching searches, multiple values can be separated by ",".

Double-clicking Labels¶

Double-clicking a label allows you to manually edit a single filtering condition without being able to edit multiple at once. As shown below.

[key:value] Single-selection Labels

[key:xx Items] Multi-selection Labels

Quick Filter Instructions¶

By default, all label values are selected, indicating no filtering has been applied.

Clicking the checkbox before a label value indicates either "unchecking" or "selecting" that value;
Clicking the "Clear Filters" button in the top-right corner cancels the value filtering for that label;
By default, unchecking the checkbox before a label value indicates reverse selection of that value, continuing to uncheck other checkboxes indicates reverse multi-selection;
Clicking the row of a label value indicates positive single selection of that value "only this item selected", continuing to check other values' checkboxes indicates positive multi-selection;
When a single value has been positively selected, clicking the row of that value again "cancels selection", clearing all filters;
If a label has both positive and reverse selection states simultaneously, it will be grayed out and uneditable in quick filters.

If there are more than 10 attribute values in quick filters, text input is supported for real-time search, and clicking on wildcard matching and reverse wildcard matching is supported for filtering.

Custom Filter Fields¶

In the explorer, you can add new "filter fields" to the "Quick Filters." Two configuration methods are supported: workspace-level filter items and personal-level filter items.

Workspace-Level Filter Items¶

Configured by administrators/owners, click the "Settings" button next to the quick filter to configure workspace-level filter items. Supports adding fields, editing field aliases, adjusting field order, deleting fields.

Note: Workspace-level filter items can be viewed by all members of the workspace, but regular members and standard members cannot edit, delete, or move them.

Personal-Level Filter Items¶

All members can configure local browser-based quick filter items. Click the "Edit" button to the right of the quick filter to configure personal-level filter items. Supports adding fields, editing field aliases, adjusting field order, deleting fields.

Note: Personal-level filter items can only be viewed by the current user, other workspace members cannot view them.

Time Component Instructions¶

TrueWatch supports controlling the data display range of the current explorer via the time component. Users can quickly select built-in time ranges or customize time ranges through "start time" and "end time."

Time Range

"Quick Select" presets multiple time ranges, including relative times (yesterday, last week, last month, etc.) and recent times (last 15 minutes, last hour, last day, etc.).

Data Refresh Time

TrueWatch time component data refresh time defaults to 30 seconds.

Click the "Pause" button to exit real-time data refresh mode and lock the current time range as absolute time.

For example: If the time range is set to "Last 15 Minutes," then when the "Pause" button is clicked, the explorer's time range shifts forward to 15 minutes.

URL Time Range¶

In addition to the time range selection provided by the time control, TrueWatch also supports directly modifying the time parameter in the browser's URL to perform data queries for the current workspace explorer. It supports four units: seconds, minutes, hours, and days, such as time=30s, time=20m, time=6h, time=2d, as shown in the figure where the browser modifies time=2h, displaying data for the last 2 hours.

Note:

Each unit can only be used independently, not in combination.
When the selected or manually entered time range in the browser is greater than or equal to 1d, the explorer automatically stops playback mode.