Events Explorer
An event is any incident or occurrence that can be tracked and that affects an entity in an observable way. In SolarWinds Observability an event can be:
- An anomaly
- An alert
- A change event
- A health score change
- Database events
- Kubernetes events
All events are shown in the Events Explorer.
Open the Events Explorer
In the left pane, click Analyze > Events. The Events Explorer lists events affecting all of your observed entities.
The Events Explorer consists of a search bar, a chart that plots events on a time axis, and the list of events.
In the search bar, you can filter events based on their type, time period, or any detailed event field. You can also enable comparison mode, which shows the difference between two points in time on the chart.
Position your mouse pointer over the chart to see how many events occurred at a specific point in time.
Locate an event
Use the Search box to search for a specific event or to filter the list of events. When you enter a string in the Search box, the Events Explorer displays only the events that contain the selected field or value.
The search query can be constructed using the following operators:
Operator | Search results |
---|---|
term1 | containing term1 |
term1 and term2 | containing both term1 and term2 |
term1 or term2 | one or more from either term1 or term2 (exclusively) |
~term1 | a partial match |
!~term1 | exclude a partial match (negation) |
(term1, term2, term3) OR (term4, term5, term6) | one group of terms or other group of terms |
Attributes in SolarWinds Observability are used in key:value fashion. An example search that constrains results to those from the ssh program containing “something bad” but not “noise”, or those with an error severity, is:
("something bad" program:ssh -noise) OR severity:error
It is possible to include more than one valid value for an attribute. Messages matching either one (OR) are returned:
program:(raid5tools ethtool)
Severity and facility attributes are those from the syslog specification. If severity is a part of the displayed log message, use a text search like error or INFO to find those messages.
Use attributes:
- To constrain matching to only a single field, either to eliminate false positives or search less data (and increase speed)
- To search facility or severity, which are not normally examined
Attributes and attribute-less constraints can be used together, and can be combined with negation.
All attributes except message can have only a single value per message, so AND is never relevant. Because of this, all attributes default to OR, as in the program: example above: program:(a b) means program:(a OR b).
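The matching rules described above, modelled as an added Python example over constructed events; this is not SolarWinds code. It assumes attribute values match exactly (ignoring case), that attribute-less terms are matched against the message text, and it handles only flat queries of OR-joined clauses like the two examples on this page.

```python
import re

# Constructed sample events, not real data; field names follow the page's attributes.
EVENTS = [
    {"program": "ssh", "severity": "info", "message": "something bad at login"},
    {"program": "ssh", "severity": "info", "message": "something bad, probably noise"},
    {"program": "cron", "severity": "error", "message": "job failed"},
    {"program": "ethtool", "severity": "info", "message": "link up"},
    {"program": "raid5tools", "severity": "notice", "message": "array rebuilt"},
]

# One constraint: optional "-" negation, then key:(a b), key:value, "phrase" or word.
TOKEN = re.compile(r'(-?)(?:(\w+):(?:\(([^)]*)\)|(\S+))|"([^"]*)"|(\S+))')
# Split on OR only when it sits outside double quotes.
OR_SPLIT = re.compile(r'\s+OR\s+(?=(?:[^"]*"[^"]*")*[^"]*$)', re.IGNORECASE)

def clause_matches(clause, event):
    """Every constraint in a clause must hold; attribute value lists are OR'ed."""
    for neg, key, group, single, phrase, word in TOKEN.findall(clause):
        if word.lower() == "and":          # explicit "and" is the default anyway
            continue
        if key:
            # Assumption: attribute values match exactly, ignoring case.
            wanted = (group or single).lower().split()
            hit = str(event.get(key.lower(), "")).lower() in wanted
        else:
            # Attribute-less terms are matched against the message text.
            hit = (phrase or word).lower() in event["message"].lower()
        if hit == bool(neg):               # missed a required term, or hit a negated one
            return False
    return True

def search(query, events=EVENTS):
    """Return events matching any OR-joined clause of the query."""
    clauses = []
    for part in OR_SPLIT.split(query.strip()):
        part = part.strip()
        if part.startswith("(") and part.endswith(")"):
            part = part[1:-1]              # drop the grouping parentheses
        clauses.append(part)
    return [e for e in events if any(clause_matches(c, e) for c in clauses)]

if __name__ == "__main__":
    for q in ('("something bad" program:ssh -noise) OR severity:error',
              'program:(raid5tools ethtool)'):
        print(q, "->", [e["message"] for e in search(q)])
```
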
You can use the following operators when searching for attributes:
Operator: | Search results: |
---|---|
key IS EMPTY | all entities without an attribute |
key IS NOT EMPTY | all entities with an attribute |
key:value | attribute with an indicated value |
key IN (a, b, c) / key:[1, 2, 3] | attribute's key that is one of the members of the group |
key NOT in (a, b, c) / key:![1, 2, 3] | attribute's key that is not a member of the group |
Other recommendations
If the searched item contains the colon symbol (:), make sure to wrap the searched term in double quotes ("). It is also recommended to preface the search with "(message:<searched_term>)".
The search is not case sensitive.
Change the time period
To change the time period, click the drop-down menu in the upper-right corner and choose how much historical data to display. You can choose to view all recent data for standard lengths of time, or to view data between two dates.
To show data from a custom time period, choose Custom. In the calendar that appears, click the starting date of your time period and click the ending date. The time period's start and end times default to the current time. To change a start or end time, click the clock next to the time you want to change and click the desired time.
Compare with a previous time period
Click the Compare button located next to the time period drop-down menu. This shows the currently selected time period and a previous time period simultaneously on one chart. There are three options to choose from:
- 60 minutes prior
- 24 hours prior
- 1 week prior
The previous time period is shown on the chart in pink.
View event details
Click an event to open the event details pane. The details pane shows the precise time at which the event occurred. Under Event Payload, it also lists all keys and values associated with the selected event.
Click the entity to open the Entity Explorer displaying details of the selected entity.