Dynamic Source Filters
Source filters are used in dashboards, alarms, and the situation room to focus on a subset of all available sources. Until now, source filters could only be defined as a list of specific, ‘hardcoded,’ sources.
With the advent of dynamic source filters we have introduced new and far more flexible methods of both creating filters and specifying the members of the source list. Further, membership in a filter is now dynamic. That is to say that a source may come and go from a filter as the source’s properties fulfill the membership selection criteria of the filter.
Presently, dynamic source filter selection criteria are limited to: a) source name patterns, and; b) and how recently data has been received for the source. In the near future, additional properties such as ec2 tags will be available in the selection criteria. These criteria are specified using anew simple query syntax which is described below.
Finally, it’s worth pointing out that one can configure an alarm to monitor a list of sources defined by a source filter – which is now dynamic – so that when a new source is added to Pulse one no longer needs to manually add source to one or more filter lists.
To review a video of the feature please see the following link.
Search in Dashboard Legend
The dashboard’s legend has been enhanced by the addition of a search box which provides the ability to enter a source query that immediately filters the sources in the current view. Type your query into the search box and see the resulting list. When you are happy with the results, press Enter and the listed sources will be selected into the current legend. This replaces the need for the ‘delete’ button next to each source, and hence the delete button has been removed from the legend.
Source Filter Definitions
The Settings -> Filters -> Add Filter panel has been completely overhauled. Prior to this update, the panel only provided the ability to add or modify the source names in a filter list:
The significantly enhanced panel now provides for entry of a query (selection criteria) and an optional description of the filter. It displays of the list’s membership as well. The panel is interactive in that as the query is being entered, the membership list is updated in real time.
Note that when we enhanced source filters, we converted any existing source filters from the older simple host lists to new selection queries. Users may find that they want to re-define their existing queries to take advantage of the new source query capabilities.
Pulse’s new source query language provides a mechanism for creating dynamic lists of sources which are in turn used in source filter defini-tions and dashboard legend searches and selections.
Available criteria are source name patterns, and the relative time since data was last seen from the sources.
For example, to create a filter that includes all sources that contain the text “prod” which have been active in the last two hours you would cre-ate a filter with the query:
prod && last: 2h
By default, queries are implied substring searches. Examples follow.
This query returns all sources that contain “prod” in the source name. Matched sources would include:
This is an explicit version of the previous example. The wild-carding is explicitly defined but has the same effect of returning all sources that contain the string.
This query searches for “sources that start with” and would match:
This query searches for “sources that end with” and would match:
This query would have the following valid matches:
To find a specific source that must be an exact match, one must surround the string search with double quotes. For example:
This query will return a source which has a name "service-24.prod.domain.com".
Relative Active Time
To find sources that have reported within the last few hours you can use the following query:
This query will return all sources that have been active in the last 24 hours.
Relative Active Time with comparisons
Alternatively this same time modifier can be written like the following:
last > 24h
The following query will return all sources that have not been active in the last 2 hours.
last < 2h
Binary Comparison "AND" Queries:
This query will return only the matching sources that matched in our implicit wildcard query example earlier which have sent data within the last 2 hours:
prod && last: 2h
Alternatively you can use the word “AND” which has the exact same effect:
prod and last: 2h
Binary Comparison "OR" Queries:
This query will return the matching sources from our implicit wildcard query example as well as any other sources that have been active within the last 2 hours:
prod || last: 2h
Alternatively, you can use the word “OR” which has the exact same effect:
prod or last: 2h
Chained Comparison Queries:
This query is effectively processed like ((prod || staging) && last: 24h) due to typical order of operations.
prod || staging && last: 24h