Skip to main content

Searching

Metric search uses the native IRONdb time-series database search syntax. This move empowers the Circonus UI to make use of all of IRONdb's powerful tagging support.

If you are supplying stream tags on the metrics you submit, you can search on them using an expression that matches one or more tags. Expressions may be a literal category:value for exact matches, a regular expression, or a glob (wildcard) match string. You can use different types of expressions for the category versus the value, as well (see below).

Pattern Expressions

Patterns can be used in the category or the value, or both.

Regular Expression Patterns

Regular expressions follow the Perl-Compatible Regular Expression, v2 (PCRE2) syntax, and are enclosed in / /:

  • /category regex/:/value regex/

Glob Patterns

Glob patterns use * as a wildcard, and can be used as prefix or suffix completers or to identify a substring match:

  • categ*:value
  • category:val*
  • *egory:*alu*

Logical Operators

Matching tags may be added to or excluded from the result set based on the Boolean operators and, or, and not.

Both and and or accommodate a single expression as well as a comma-separated list of expressions:

QueryDescription
and(foo:bar)exactly foo:bar
and(foo:bar,baz:quux)all of foo:bar and baz:quux
or(foo:bar,baz:quux)any of foo:bar or baz:quux

The not operator may only contain a single expression:

  • not(other:thing)

Operators can also be grouped for more complex queries:

  • and(and(*:thing),not(other:thing)) : All things except other:thing

Built-In Tags

There is a set of synthetic, "built-in" tag categories that appear for all metrics, regardless of whether they were submitted with any other tags:

CategoryDescription
__activityRange of time for which metrics are desired
__check_brokerName of the broker on which the check runs
__check_bundle_idID of the check_bundle
__check_idID of the check
__check_moduleName of the broker module that implements the check type
__check_nameName of the check
__check_targetTarget of the check
__check_uuidUUID of the check
__nameMetric name

Tag Search Examples

Basic Examples

QueryDescription
and(app:myapp)Category is app, value is myapp
and(region:us-east-*)Category is region, value starts with us-east-
not(env:dev*)Elide tags where category is env and value starts with dev

Using the Built-In Categories

QueryDescription
and(__check_broker:Chicago, IL, US)All metrics on all checks that run on the broker "Chicago, IL, US"
and(__check_bundle_id:1234)All metrics on all checks in the check bundle 1234
and(__check_id:5678)All metrics on check ID 5678
and(__check_module:json)All metrics on all checks that use the json module/type
and(__check_name:My Check)All metrics on all checks named "My Check"
and(__check_target:myhost.example.com)All metrics on all checks having the target myhost.example.com
and(__check_uuid:c0702928-5242-4939-a23c-b3fb5902b8a1)All metrics on the check whose UUID is c0702928-5242-4939-a23c-b3fb5902b8a1
and(__name:foo)All metrics named foo

Regular Expression Examples

QueryDescription
and(app:/^(my|your)app$/)The value begins with my or your, followed by app
and(region:/^eu-west-[12]$/)Value is eu-west-1 or eu-west-2
not(env:/^dev/)Elide tags where category is env and value starts with dev

Combining Expressions Examples

QueryDescription
or(__name:foo,__name:/^bar/)Metric name is either foo or something that starts with bar
and(app:myapp,env:stage)Has both app:myapp and env:stage
or(and(app:myapp,env:prod),and(app:yourapp,env:stage))Has both app:myapp and env:prod or has both app:yourapp and env:stage
and(and(app:myapp),not(env:dev))Has app:myapp but does not have env:dev
and(__check_id:5678,app:myapp)Metric is part of check 5678 and is tagged app:myapp
and(__check_bundle_id:1234,app:*)Metric is part of check_bundle 1234 and is tagged in the app category

Object search takes place in our Postgres database and makes use of the pg_trgm module and the concept of similarity. When you search for an item like "foo", Circonus sends that term to the DB and asks for items with a similar name. You can still use wildcards; for example, if you search for "foo*", Circonus instead sends a like query for anything starting with foo.

This similarity means that if we have an item with the title "Foobar" and we search for "foo", our title is similar enough to match. However, if our title is "Foobar server statistics", searching for just "foo" is not similar enough due to the extra bits that don't match, so here we would want to search for "foo*". Details on how this similarity works are at the end of this section.

Basic Search Examples

Search for names similar to the word "foo":

foo

Search for the exact name "foo"

"foo"

Search for names beginning with "foo":

foo*

Search for names that contain "foo" either at the start, end, or in the middle:

*foo*

Search for names similar to "foo bar":

foo bar

Search for a specific IP or hostname:

"192.168.1.1"
"www.circonus.com"

Search for names that contain "foo" followed by "bar" but with possible other items in between:

"*foo*bar*"

Narrowing Search Using Specific Terms

There will be times where you want to narrow your search by providing additional details, like a check type, or a broker name, etc. To accomplish this, each item has a list of fields that you can specify in parenthesis to refine searches. Some examples of this would include:

Search for a check with the name like foo on the Ashburn broker:

foo (broker:Ashburn*)

If needed, you can narrow by multiple items separated by a comma:

foo (tags:os:linux,datacenter:ashburn)

If the term you want to search on has a comma in it, to prevent the system from treating that as a list wrap the term in quotes:

foo (name:"name, with comma")

Default Search Field and Available Terms

Below is a list of objects that can be searched, what the primary field is we search on, and a list of all available terms to further refine the search.

Alerts

TermTypeDescriptionPrimary Field
host / targetstringThe host the metric is from*
name / check_namestringName of check
metric / metric_namestringName of the metric
type / modulestringThe type of check (http, json, etc.)
brokerstringName of the broker
activeboolean (0,1)If the alert is cleared or not
acknowledgedboolean (0,1)If the alert is acknowledged or not
tagsstringTags associated with this object
event_criteria_idintegerThe ID of the ruleset or ruleset group which triggered the alert

Annotations

TermTypeDescriptionPrimary Field
titlestringAnnotation title*
descriptionstringAnnotation description
categorystringAnnotation category
start_on_epochintegerEpoch seconds start on (>=)
stop_on_epochintegerEpoch seconds stop on (<=)

Checks

TermTypeDescriptionPrimary Field
name / check_namestringName of check*
check_uuidstringUUID of an individual check
check_bundle_idintegerID of the check bundle the check is in
type / modulestringThe type of check (http, json, etc.)
host / targetstringThe host the check runs on / against
brokerstringName of the broker the check is on
activeboolean (0,1)If the check is currently active
tagsstringTags associated with this object

Checks Bundles (API-Only)

TermTypeDescriptionPrimary Field
name / check_namestringName of check bundle*
type / modulestringThe type of check (http, json, etc.)
host / targetstringThe host the check runs on / against
activeboolean (0,1)0 = bundle has no active checks, 1 = bundle has at least one active check
tagsstringTags associated with this object

Contact Groups

TermTypeDescriptionPrimary Field
namestringName of contact group*
tagsstringTags associated with this object

Graphs

TermTypeDescriptionPrimary Field
titlestringGraph title*
descriptionstringGraph description
notesstringGraph notes
tagsstringTags associated with this object

Maintenance Windows

TermTypeDescriptionPrimary Field
maintenance_itemstringThe name of the "thing" in maintenance, i.e. the metric name, host, etc.*
typestringThe type of thing in maintenance (host, check, account, metric)
notesstringNotes on the maintenance window
tagsstringTags associated with this object

Metric Clusters

TermTypeDescriptionPrimary Field
namestringName of cluster*
descriptionstringDescription of the metric cluster
tagsstringTags associated with this object

Rulesets

TermTypeDescriptionPrimary Field
metric_namestringName of the metric this ruleset is tied to*
check_name / namestringName of check
host / targetstringHost the metric is for
brokerstringName of the broker
type / modulestringThe type of check (http, json, etc.)
check_idintegerID of the check
check_bundle_idintegerID of the check bundle
activeboolean (0,1)If the metric is currently being collected
active_checkboolean (0,1)If the check the metric was collected from is currently active
tagsstringTags associated with this object

Ruleset Groups

TermTypeDescriptionPrimary Field
namestringName of ruleset group*
tagsstringTags associated with this object

Templates

TermTypeDescriptionPrimary Field
namestringName of template*
master_host / host / targetstringMaster host of template
notesstringNotes on template
tagsstringTags associated with this object

Worksheets

TermTypeDescriptionPrimary Field
titlestringTitle of worksheet*
descriptionstringDescription of worksheet
notesstringNotes on worksheet
tagsstringTags associated with this object

Filtering Search Results with Tags

Circonus also allows you to use tags to filter your search results in the same way you would refine the search using a specific term as above.

For example, to search for items with the word "foo" that are tagged with "application:bar", you would enter the following search terms:

foo (tags:application:bar)

To filter your search results using multiple tags, separate the tags with commas (,). For example:

foo (tags:application:bar,os:omnios)

How Similarity Works

As stated above, the default analysis for a search result is how similar it is to a search term on the primary field. This boils down to how many of the trigrams (groups of 3 characters) made from this term match the trigrams of the term we are matching.

For example, let's assume we are using the search term "foo", and searching for 2 checks, one simply called "foobar", and the other called "foobar host stats". Note that Circonus search is case insensitive, so examples will be in lower case.

First, this is what the trigrams for the terms look like:

circonus=> select show_trgm('foo');
        show_trgm
-------------------------
 {"  f"," fo",foo,"oo "}
circonus=> select show_trgm('foobar');
              show_trgm
-------------------------------------
 {"  f"," fo","ar ",bar,foo,oba,oob}
circonus=> select show_trgm('foobar host stats');
                                          show_trgm
---------------------------------------------------------------------------------------------
 {"  f","  h","  s"," fo"," ho"," st","ar ",ats,bar,foo,hos,oba,oob,ost,"st ",sta,tat,"ts "}

Now that we've broken down our terms, we need to compare their trigrams. In order for us to say a term is similar enough to return it in a search, the two trigrams have to have a 30% similarity.

So matching foo on itself we can see that it is a 100% match:

circonus=> select similarity('foo', 'foo');
 similarity
------------
          1

And if we look at foo compared to foobar, we see they are similar enough to match:

circonus=> select similarity('foo', 'foobar');
 similarity
------------
      0.375

However, when we look at foo vs foobar host stats, we cross the edge of similarity due to the extra characters in the name:

circonus=> select similarity('foo', 'foobar host stats');
 similarity
------------
   0.157895

So while you might expect foobar host stats to match because it starts with foo, it didn't because it wasn't similar enough. In this case you have two options, first would be to simply add a to your search to pull everything starting with foo, or if you still wanted to only get items that are similar, just add more of the string you want.

circonus=> select similarity('foobar', 'foobar host stats');
 similarity
------------
   0.388889

or

circonus=> select similarity('foobar host', 'foobar host stats');
 similarity
------------
   0.666667

Check Types

Some check types are shortened in the UI for brevity or to make it clearer what is being checked. The below table translates what the UI shows to how the type is stored in the database.

UI NameSearch Name
apachehttp:apache
cimcim
cloudwatchcloudwatch
collectdcollectd
compositecomposite
couchdbjson:couchdb
dcmdcm
dhcpdhcp
dnsdns
elasticsearchelasticsearch
externalexternal
ga:campaignsgoogleanalytics:m2
ga:contentgoogleanalytics:m3
ga:ecommercegoogleanalytics:m4
ga:eventsgoogleanalytics:m7
ga:goalsgoogleanalytics:m6
ga:searchesgoogleanalytics:m5
ga:visitorsgoogleanalytics:m1
gangliaganglia
haproxyhaproxy
httphttp
http_testhttp_test
httptraphttptrap
imapimap
jmxjmx
jsonjson
keynotekeynote
keynote_pulsekeynote_pulse
ldapldap
memcachedmemcached
momentumsnmp:momentum
momentumec_console
mongodbjson:mongodb
mssqlsqlserver
muninmunin
mysqlmysql
newrelicnewrelic_rpm
nginxnginx
nodeagentjson:nad
nodewindowsagentcirconuswindowsagent:nad
nrpenrpe
ntpntp
oracleoracle
pingping_icmp
pop3pop3
postgrespostgres
rabbitmqrabbitmq
redisredis
resmonresmon
riakjson:riak
selfcheckselfcheck
smtpsmtp
snmpsnmp
snmptrapsnmptrap
ssh2ssh2
statsdstatsd
tcptcp
varnishvarnish
vmwarevmware
windowscirconuswindowsagent

Advanced Search Builder

The advanced search builder tool exists to help with learning how the new Search (v2) works. On supported pages, after expanding the search field you will see an "advanced" button to the right of the search field. Clicking this will expand the advanced search builder which will help you learn how to construct advanced search queries. Image: &#39;Advanced_Search_Builder2.png&#39;

Within the primary field, you may use quotation marks for exact matching ("foo"), wildcard asterisks for substring matching (foo, foo, or foobar*), or plain text for trigram matching.

Within the non-primary fields, only exact matching and substring matching is supported. Note that your non-primary field entries will be automatically wrapped in quotation marks if you don't use wildcards.