Facet search for logs
Facet searches enable you to filter logs based on specific key-value pairs (facets) present in your logs.
Use both facets and labels
Kloudfuse leverages two data sources to provide comprehensive filtering capabilities: facets and labels.
The distinction between automatically extracted facets and predefined environment labels enables you to filter logs based on both the inherent content of the message and the broader environment where it originates. This two-pronged approach offers a powerful and flexible way to pinpoint the specific logs necessary for troubleshooting and analysis.
Automatically-extracted facets
When Kloudfuse parses the log message content using predefined heuristics, it dynamically generates facets. This approach identifies key-value pairs inherent to the log data itself.
Consider the following log line:
User=Sherlock logged into an EC2 machine with e2_instance_id=0xABCD at time=10am
Kloudfuse automatically extracts these facets:
- User=Sherlock
- e2_instance_id=0xABCD
- time=10am
Predefined environment labels
As with automatically-extracted facets, you can search labels using the same search heuristics.
The labels are pre-configured key-value pairs associated with each log line, and provide contextual details about the environment where the log originated. This information typically includes data like pod name, Kubernetes namespace, cloud region, or any other relevant metadata attached to the log during ingestion.
Common examples of environment labels include:
- pod_name: Identifies the specific pod that generated the log message, such as pod_name=request_handler.
- cloud_region: Indicates the cloud region where the log originated, such as cloud_region=us-west-2c.
- kube_namespace: Specifies the Kubernetes namespace associated with the log, such as kube_namespace=kloudfuse.
Search facets
There are several approaches to searching facets:
- Start by typing the @ symbol, then continue typing the search terms.
- Pick the detailed view of a log line, and select the facet name or value.
- From the sidebar, select any of the existing labels.
Supported data types
Each facet is associated with a data type.
Facet search supports all data types; see Search data types.
Supported operators
Facet search supports all operators; see Search operators.
Facet search is case-sensitive.
Supported set combinations
- AND: Facet search fully supports the intersection operator.
- OR: Facet search supports the union operator only on the same facet, not across two or more facets.
Some set operators only work with a subset of data types.
Examples of facet search
Here are some examples of facet search:
- Simple facet search illustrates how to use simple operator search.
- Facet combinations and unions lists all possible union combinations with Facet Search. Kloudfuse does not support OR-based search of two or more facet searches, such as Facet1-Value OR Facet2-Value.
- Facet Key Existence shows how to determine the existence of specific facets (keys) within the logs. Kloudfuse does not support union (OR) existence checks, such as key exists="Facet1 OR Facet2".

Simple facet search

| Operator | Example |
|---|---|
| Equals to | @facet="value" |
| Not Equals to | @facet!="value" |
| Facet Terms Exist | @facet=="value" |
| Not - Facet Terms Exist | @facet!=="value" |
| Greater Than Equal to | @facet>="value" |
| Greater Than | @facet>"value" |
| Less Than Equal to | @facet<="value" |
| Less Than | @facet<"value" |
| Regex | @facet=~"value" |
| Not Regex | @facet!~"value" |
| Starts With | @facet*~"value" |
| Contains | @facet**"value" |
| Ends With | @facet~*"value" |

Facet combinations and unions

| Operator | Example | Supported data types |
|---|---|---|
| Facet1-Value1 AND Facet1-Value2 | @f1="v1" @f1="v2" | All |
| Facet1-Value1 AND Facet2-Value2 | @f1="v1" @f2="v2" | All |
| Facet1-Value1 OR Facet1-Value2 | @f1="v1 OR v2" | All |
| Facet1-Value1 OR Facet1-Value2 | @f1="v1 \OR v2" | All |
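
The set semantics described above (AND across facets, OR only within one facet, case-sensitive matching), modelled in Python as an added example. This is not Kloudfuse code: the key=value extraction regex, the function names, and every sample log line except the first are assumptions made here, and only the equality operator is modelled.

```python
import re

# Assumed extraction heuristic: bare key=value tokens. Kloudfuse's real
# heuristics are not documented on this page.
FACET_RE = re.compile(r'(\w+)=(\S+)')
# One equality term in the page's query syntax: @facet="value"
TERM_RE = re.compile(r'@(\w+)="([^"]*)"')

def extract_facets(line):
    """Return {facet: value} for every key=value token in a log line."""
    return dict(FACET_RE.findall(line))

def matches(query, facets):
    """Space-separated terms are ANDed; ' OR ' inside one quoted value is a
    union on that single facet. Comparison is case-sensitive."""
    terms = TERM_RE.findall(query)
    if not terms or TERM_RE.sub("", query).strip():
        raise ValueError('only @facet="value" terms are modelled here')
    return all(facets.get(k) in set(v.split(" OR ")) for k, v in terms)

def search(query, lines):
    """Return the indexes of the log lines that satisfy one facet query."""
    return {i for i, l in enumerate(lines) if matches(query, extract_facets(l))}

def search_any(queries, lines):
    """A cross-facet OR cannot be written as one query, so run one query
    per facet and union the result sets on the client side."""
    result = set()
    for q in queries:
        result |= search(q, lines)
    return sorted(result)

# Constructed sample data; only the first line comes from the page.
LOGS = [
    "User=Sherlock logged into an EC2 machine with e2_instance_id=0xABCD at time=10am",
    "User=Watson logged into an EC2 machine with e2_instance_id=0xABCD at time=11am",
    "User=sherlock logged into an EC2 machine with e2_instance_id=0x1234 at time=10am",
    "User=Moriarty logged into an EC2 machine with e2_instance_id=0x9999 at time=2pm",
]

if __name__ == "__main__":
    print(search('@User="Sherlock" @e2_instance_id="0xABCD"', LOGS))
    print(search('@User="Sherlock OR Watson"', LOGS))
    print(search_any(['@User="Moriarty"', '@e2_instance_id="0xABCD"'], LOGS))
```
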

Facet Key Existence

| Operator | Example | Supported data types |
|---|---|---|
| key exists=Facet | key exists="f1" | All |
| Key NOT exists=Facet | Key exists!="f1" | All |
| key exists="Facet1 AND Facet2" | key exists="f1" key exists="f2" | All |

Not supported: key exists="Facet1 OR Facet2"
Facets V/s Labels