Free Edition Interface
Now that you have a Free Edition agent daemonset running in your cluster, you can start observing your environment. The Free Edition interface has three main sections:
View the Environment
You view the Dashboards - Kubernetes page for an overview of the Kubernetes components that are being monitored by an agent.
It displays a graphical representation of the monitoring plane with the largest circle being the Edge Delta Agent daemonset. The bigger the circle, the more logs the component is generating. Negative findings are indicated with a red circle. You can click each component to filter on it. You can also expand the Filters pane to group and filter the data that the page shows.
If any negative patterns or other insights are detected they appear on this page and are also filtered when you apply a filter.
View Monitoring Intelligence
You use the Logs - Patterns page to view information about patterns that have been discovered. The Edge Delta agent uses a proprietary algorithm to automatically detect repeated patterns in log messages. This allows it to optimize data by reporting patterns and their frequency rather than streaming the full log messages.
Every pattern detected by the Edge Delta agent is also analyzed for negative sentiment. Negative sentiment is determined in part by checking for the presence of specific keywords in the pattern such as error, exception, fail, etc. If any negative patterns or findings have been detected, you can hover over the graph to view the pattern.
You click the pattern to view more details including the pattern timeline, the raw data in the pattern, and the parsing rule that was triggered. You can right click the raw data log and select Show in Context to view the log.
You can view intelligence on detected anomalies on the Logs - Anomalies page. Edge Delta automatically detects anomalies in observability data, in individual agents as well as in aggregate on the backend.
You can click the log in the pattern list to see more information. The Anomaly Detection page provides a more detailed discussion about Findings.
Search for Logs
All raw logs are sent to an Amazon S3 bucket and saved for seven days. You can search for specific logs using the Logs - Search page. You enter either a keyword search or a SQL search, and you can limit the search scope by applying a filter. For example, you can limit the search to specific clusters, namespaces and workloads. After running a search, you can further filter your results using the second search box in the results area.
Basic Search Syntax
You can refine your search query using familiar search operators such as quotation marks and OR when using the basic search.
You can search for logs that must contain two or more specific keywords. When you leave a space between keywords, the search engine's default behavior is to search only for logs with both words. Logs that contain both these words in any field and in any order are returned. Consider the following search string:
All logs that contain both of these words are returned, such as the following:
failed password for invalid user postgres
To further refine your search, you can wrap your search string in quotation marks. This makes the search treat the string explicitly, and it only returns exact matches. Bear in mind that wrapping a search string in quotes enforces case sensitivity.
If you need to search log contents that contain a search operator such as a bracket ) or the word OR, you can wrap them in quotation marks so that they are treated explicitly as search terms and not as search operators. The asterisk cannot be treated explicitly using quotation marks because it is used to extend exact matches. See the Wildcard section.
You can add an exclusion to your search string to ignore certain logs using the minus parameter. This search looks for failed HTTP processing requests except those that contain the word GET:
"Failed Processing HTTP request" -GET
You can search for alternative words using the OR operator to return results for either of the search keywords, but not necessarily both of them. If you want to specify alternative phrases you must wrap the phrase in quotation marks.
"invalid user" OR "user unknown"
This example will return all logs that contain the phrase invalid user as well as any logs that contain
You can use an asterisk character as a wildcard to return a wider set of results. A wildcard is only useful when you are searching within quotation marks to extend an exact match. For example, "statusCode=*04" will return both 404 logs. Without quotation marks, the wildcard is implied. For example, post will return POST as well as
Processing Precedence with Brackets
By default the search engine will process search strings with more than one operator in the following order:
- Exact Match
For example, given the following search string:
one two OR three
Two types of logs will be returned:
- any logs containing both
- any logs containing three, including those without any incidence of
You can adjust the processing order of precedence using brackets just the same as in mathematical equations. For example, given the following search string:
one (two OR three)
The logs returned will all contain a one. In addition they will all either contain a two or a
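The matching rules described in this section (space as AND, OR, minus exclusion, quoted exact matches with an asterisk, and brackets) modelled as a small Python evaluator that you can use to reason about what a query will and will not return. This is an added example, not Edge Delta's search engine; the function names, the sample logs, and the choice to let the asterisk match a run of non-space characters are assumptions.

```python
import re

# Tokens: brackets, or an optionally negated quoted phrase / bare word.
TOKEN = re.compile(r'\(|\)|-?"[^"]*"|-?[^\s()"]+')

def term(tok):
    negate, body = tok.startswith("-"), tok.lstrip("-")
    if body.startswith('"'):
        # Quoted: exact and case-sensitive; '*' is assumed to match a non-space run.
        rx = re.compile(r"\S*".join(re.escape(p) for p in body[1:-1].split("*")))
    else:
        # Unquoted: case-insensitive substring, i.e. the wildcard is implied.
        rx = re.compile(re.escape(body), re.IGNORECASE)
    return lambda log: (rx.search(log) is None) == negate

def compile_query(query):
    """Return a predicate; a space means AND and binds tighter than OR."""
    toks, pos = TOKEN.findall(query), 0
    def or_expr():
        nonlocal pos
        alts = [and_expr()]
        while pos < len(toks) and toks[pos] == "OR":
            pos += 1
            alts.append(and_expr())
        return lambda log: any(a(log) for a in alts)

    def and_expr():
        nonlocal pos
        parts = []
        while pos < len(toks) and toks[pos] not in ("OR", ")"):
            tok, pos = toks[pos], pos + 1
            if tok == "(":
                parts.append(or_expr())
                pos += 1  # consume the closing bracket
            else:
                parts.append(term(tok))
        return lambda log: all(p(log) for p in parts)
    return or_expr()

# Constructed sample logs, not real output.
LOGS = ["sshd: failed password for invalid user postgres",
        "POST /login statusCode=404", "PUT /items statusCode=504",
        "Failed Processing HTTP request GET /health",
        "Failed Processing HTTP request PUT /items",
        "one two", "three", "one three", "two"]

def search(query, logs=LOGS):
    match = compile_query(query)
    return [log for log in logs if match(log)]
```

Comparing search("one two OR three") with search("one (two OR three)") shows how a missing pair of brackets widens a query to every log containing three.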
The Admin - Clusters page lists the agents you have installed and you can add more agents for additional clusters or remove configurations for agents you no longer have installed in your cluster.
To uninstall the agent from your cluster run helm uninstall with the release name and the namespace on the host.
helm uninstall edgedelta -n edgedelta
You click the Help button to open the Help Center. You can use the Help Center or email to contact support.