Filter and Search Events

Filter Events

The events feed can be filtered in multiple ways, to drill down into the environment’s history and refine the events displayed. The feed can be filtered by severity, type, and/or status. Examples of each are shown below.

The example below shows only high and medium severity events:


The example below shows only Kubernetes events:


The example below shows only events that are Acknowledged:


The Acknowledged label is a purely visual marker, and does not reflect the current state (triggered/resolved) of the event. By default, all events are Unacknowledged.

The example below shows medium severity Alert events that remain Triggered, but have been acknowledged:


Search Events

In conjunction with filters, the event feed can be searched by using the search field on the top bar:


Search Fields

The search terms are used in a full-text search across the following event fields:

  • ID
  • Name
  • Description
  • Tag Values

Additionally, for Alert Events, the following fields are included in the full-text search:

  • Alert Condition
  • Alert State
  • Alert Threshold
  • Alert Type
  • Alert Notification Title

Search Syntax

Event search supports the following operators:

  • + signifies AND operation (all the terms have to be in the document)
  • | signifies OR operation
  • - negates a single term
  • " wraps a number of terms to signify a phrase for searching
  • * at the end of a term signifies a prefix query
  • ( and ) signify precedence

The default operator binding together the search terms is OR. Implications of this are shown in the examples.

Example Searches

Container Killed: Match the events containing any search term (Container OR Killed) because the default operator is OR.

Container + Killed: Match the events containing all search terms (Container AND Killed).

"Container Killed": Match the events containing the exact phrase "Container Killed".

Cont*: Match the events containing any term starting with Cont.

Container + (Killed | Starting): Match the events containing either the two terms Container and Killed or the two terms Container and Starting.

Container -Killed: Match the events that either contain the term Container or do not contain the term Killed. The default operator here is OR.

Container +-Killed: Match the events that contain the term Container but do not contain the term Killed. The query overrides the default OR operator by using an explicit +.
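The sketch below is an added example, not the product's search implementation. It models the operator semantics described above over a few constructed events, so the effect of the default OR on a negated term can be checked directly. The names `compile_query` and `search`, case-insensitive word matching, and `+` binding tighter than OR are assumptions.

```python
import re

TOKEN = re.compile(r'"[^"]*"|[()+|-]|[^\s()+|"]+')

def words(text):
    return re.findall(r"\w+", text.lower())

def compile_query(query):
    toks = TOKEN.findall(query)  # phrases, operators and bare terms, in order
    def unary():
        tok = toks.pop(0)
        if tok == "-":                       # negate a single term or group
            inner = unary()
            return lambda w: not inner(w)
        if tok == "(":
            inner = or_expr()
            toks.pop(0)                      # closing ")"
            return inner
        if tok.startswith('"'):              # phrase: the words must be adjacent
            p = words(tok)
            return lambda w: any(w[i:i + len(p)] == p for i in range(len(w)))
        if tok.endswith("*"):                # prefix query
            return lambda w: any(x.startswith(tok[:-1].lower()) for x in w)
        return lambda w: tok.lower() in w

    def and_expr():                          # assumption: "+" binds tighter than OR
        parts = [unary()]
        while toks and toks[0] == "+":
            toks.pop(0)
            parts.append(unary())
        return lambda w: all(f(w) for f in parts)

    def or_expr():                           # "|" and plain whitespace both mean OR
        parts = [and_expr()]
        while toks and toks[0] != ")":
            if toks[0] == "|":
                toks.pop(0)
            parts.append(and_expr())
        return lambda w: any(f(w) for f in parts)

    return or_expr()

# Constructed sample event texts, not taken from a real feed.
EVENTS = ["Container Killed on nginx", "Container redis was Killed",
          "Container Starting", "Node NotReady", "Pod Killed after eviction"]

def search(query):
    match = compile_query(query)
    return [i for i, e in enumerate(EVENTS) if match(words(e))]
```

In this model, `search("Container -Killed")` returns every event except the one that mentions Killed without Container, while `search("Container +-Killed")` returns only the event that contains Container and not Killed.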