Search¶
Text Search¶
Search generally consists of terms and operators. Wildcard queries are supported:
*matches 0 or more arbitrary characters;?matches 1 arbitrary character.
Multiple terms can be combined into complex queries using Boolean operators (AND/OR/NOT).
Note
Explorer search uses the query_string() query syntax.
Terms can be words or phrases. For example:
- Single word:
platform; - Multiple words:
platform test; (equivalent toplatform AND test) - Phrase:
"platform test"; (using double quotes converts a group of words into a phrase)
JSON Search¶
Prerequisites
- Workspace created after
June 23, 2022; - Used in the Log Explorer.
By default, it performs an exact search on the content of message, and message must be in JSON format. Log content in other formats does not support this search method. The search format is: @key:value. For multi-level JSON, use . to connect key names, such as @key1.key2:value, as shown in the figure:
Example scenario:
message information is as follows:
{
__namespace:tracing,
cluster_name_k8s:k8s-demo,
meta:{
service:ruoyi-mysql-k8s,
name:mysql.query,
resource:select dict_code, dict_sort, dict_label, dict_value, dict_type, css_class, list_class, is_default, status, create_by, create_time, remark
from sys_dict_data
}
}
# Query cluster_name_k8s = k8s-demo
@cluster_name_k8s:k8s-demo // Exact match
@cluster_name_k8s:k?s* // Fuzzy match
# Query meta.service = ruoyi-mysql-k8s
@meta.service:ruoyi-mysql-k8s // Exact match
@meta.service:ruoyi?mysql* // Fuzzy match
Special Scenario .¶
Field name with dot . handling specification: The parser recognizes . as a hierarchy operator during the lexical analysis phase, and \ is the only valid escape character. Double quotes are disabled due to syntax conflicts.
Core Rules¶
-
In JSON queries under Doris and ScopeDB modes,
.represents nested field levels (e.g.,@error.detail.code:500represents a three-level nested structure). -
When the field name itself contains
.(e.g.,trace.id), use a backslash\to escape:- Correct format:
@field_name\.with\.dots:value, such as@trace\.id:12345,@app\.version:2.1
- Correct format:
-
Prohibited Actions
-
Directly using unescaped dots:
@trace.id:12345(will be parsed as nested fields) -
Wrapping field names in double quotes:
@"trace.id":12345(not supported across the board)
-
Important Notes
-
Unified Escape Rule: Doris and ScopeDB only support
\escape, do not support double quotes -
Escape is only for field names: Nested level queries maintain the default format (no need to escape)
-
Consequences of Not Escaping: Dots in field names will be parsed as hierarchical relationships, leading to query errors
Usage Examples Comparison¶
| Scenario | Correct Writing | Incorrect Writing | Parsing Result |
|---|---|---|---|
Field name with dots (user.id) |
@user\.id:1001 |
@user.id:1001 |
Incorrect writing is split into two levels |
Nested level query (log.tag) |
@log.tag:error |
@log\.tag:error |
Incorrect writing leads to no results |
MD5 Function Query¶
If the data is MD5 encrypted and needs to be searched and located in the Explorer after scanning, you can use the MD5 function for querying.
Query Example
You can also use DQL statements combined with the MD5 function for querying:
Search History¶
The system records the conditions of each triggered query, which can be directly reused by clicking.
Search History Merging Records
As a general tool within the platform, the Explorer is applicable to multiple features, and there are some differences in the interoperability of search histories between different features:
- RUM > Session/View/Resource/Action/Long Task/Error six types of Explorer search histories are interoperable;
- Container Explorer and Kubernetes Explorer search histories are interoperable;
- Resource Catalog Explorer search histories are interoperable;
- Log Explorer and Log Error Tracing Explorer search histories are interoperable;
- Trace Explorer, APM Error Tracing, Profiling Explorer search histories are interoperable.
Except for the above cases, other Explorers independently save their own search histories.