Filtering and Searching Events

Filter Events

The events feed can be filtered in multiple ways to drill down into the environment’s history and refine the events displayed. The feed can be filtered by severity, type, and/or status. Examples of each are shown below.

The example below shows only high and medium severity events:


The example below shows only Kubernetes events:


The example below shows only events that are Unacknowledged:


The Acknowledged label is a purely visual marker and does not reflect the current state (triggered/resolved) of the event. By default, all events are Unacknowledged.

The example below shows medium severity Alert events that remain Triggered, but have been acknowledged:


Search Events

In conjunction with filters, the event feed can be searched by using the search field on the top bar:


Search Fields

The search terms are used in a full-text search across the following event fields:

  • Id
  • Name
  • Description
  • Tag values

Additionally, for Alert Events, the following fields are included in the full-text search:

  • Alert Condition
  • Alert State
  • Alert Threshold
  • Alert Type
  • Alert Notification Title

Search Syntax

Event search supports the following operators:

  • + signifies AND operation (all the terms have to be in the document)
  • | signifies OR operation
  • - negates a single term
  • " wraps a number of terms to signify a phrase for searching
  • * at the end of a term signifies a prefix query
  • ( and ) signify precedence

The default operator binding together the search terms is OR. Implications of this are shown in the examples.

Example Searches

Container Killed: Match the events containing any search term (Container OR Killed) because the default operator is OR.

Container + Killed: Match the events containing all search terms (Container AND Killed).

"Container Killed": Match the events containing the exact phrase "Container Killed".

Cont*: Match the events containing any term starting with Cont.

"Container + (Killed | Starting)": Match the events containing either the two terms Container and Killed or the two terms Container and Starting.

Container -Killed: Match the events that either contain the term Container or do not contain the term Killed. The default operator here is OR.

Container +-Killed: Match the events that contain the term Container but do not contain the term Killed. The query overrides the default OR operator by using an explicit +.
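The difference between the last two searches is easy to miss when triaging, so here is an added example (not the product's implementation) that evaluates the operators listed above against a few constructed events. It assumes case-insensitive, whitespace-split matching on a single field and left-to-right evaluation of operators; the function names are hypothetical.

```python
import re

# Constructed sample events; only a Name-like field is modelled.
EVENTS = ["Container Killed", "Container Starting", "Pod Killed",
          "Node Ready", "Killed Container"]

# A token is a "quoted phrase", an operator/paren, or a term (optionally -negated).
TOKEN = re.compile(r'"([^"]*)"|([()+|])|(-?[^\s()+|"]+)')

def tokenize(query):
    # findall yields (phrase, operator, term) with one group filled per match.
    return [op or (("term", term.lower()) if term
                   else ("phrase", phrase.lower().split()))
            for phrase, op, term in TOKEN.findall(query)]

def atom_matches(atom, words):
    kind, value = atom
    if kind == "phrase":  # all words, adjacent and in order
        n = len(value)
        return any(words[i:i + n] == value for i in range(len(words) - n + 1))
    negated, value = value.startswith("-"), value.lstrip("-")
    hit = (any(w.startswith(value[:-1]) for w in words)  # trailing * = prefix
           if value.endswith("*") else value in words)
    return hit != negated

def evaluate(tokens, words, pos=0):
    # Assumption: operands fold left to right; no operator between them means OR.
    result, op = None, "|"
    while pos < len(tokens) and tokens[pos] != ")":
        tok = tokens[pos]
        if tok in ("+", "|"):
            op, pos = tok, pos + 1
            continue
        if tok == "(":
            value, pos = evaluate(tokens, words, pos + 1)
            pos += 1  # step over the closing ")"
        else:
            value, pos = atom_matches(tok, words), pos + 1
        result = value if result is None else (
            (result and value) if op == "+" else (result or value))
        op = "|"  # revert to the default operator
    return bool(result), pos

def search(query, events=EVENTS):
    tokens = tokenize(query)
    return [e for e in events if evaluate(tokens, e.lower().split())[0]]

if __name__ == "__main__":
    for q in ("Container -Killed", "Container +-Killed"):
        print(f"{q!r:22} -> {search(q)}")
```

With the default OR, `Container -Killed` also returns the unrelated "Node Ready" event, because any event that lacks Killed satisfies the negated term; only `Container +-Killed` narrows the feed to containers that were not killed.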