Helpful Hints

You may need a quick reference to common issues that you encounter while using Observe.

Account details

Customer ID

When you log into Observe, your Customer ID is the subdomain of the URL you use to access Observe. Example: 123456789012.observeinc.com

OPAL

Changing a field type

Change the type of an existing field by creating a new one with the desired type. You may keep both fields, or replace the existing one by giving it the same name.

colmake foo:float64(foo)

Customized metric aggregation

Perform common metric aggregation operations with the aggregate verb:

rollup options(buckets:100), cpu_usage:metric("cpu_usage_total", rollup:"rate", type:"cumulativeCounter")
aggregate avg_cpu_usage:avg(cpu_usage), group_by(cluster_uid, node_name, cpu_id)

You can also form more advanced aggregation operations with it as well. For example, create a weighted average using the following code:

rollup options(buckets:100), cpu_usage:metric("cpu_usage_total", rollup:"rate", type:"cumulativeCounter")
colmake weight:case(
  contains(cpu_type, "expensive"), 2.0,
  contains(cpu_type, "normal"), 1.0)
aggregate avg_cpu_usage:avg(cpu_usage * weight), group_by(cluster_uid, node_name)

Filter

Comparisons

filter temperature > 60 and temperature < 80
filter temperature < 30 or temperature > 100
filter hostname="www" or (hostname="api" and user="root")
filter not severity="DEBUG"

Operators vs Functions

Construct expressions with either operators or functions. For example, these two statements are equivalent:

filter abc < 100

filter lt(abc, 100)

if_null

For example, a source error resulted in JSON data with similar values but different key names.

FIELDS
{"data":"abc123"}
{"payload":"def456"}
{"data":"ghi789"}

Use if_null to get the value from payload if there is no value for data. Note that both values must be the same type.

colmake data:if_null(string(FIELDS.data), string(FIELDS.payload))

Performance

Limit your query window to 1 hour or less while actively modeling

By default, worksheets read 4 hours of data. Depending on the input dataset, that can be a lot of data. Consider reducing the query window to 1 hour or less while actively modeling.

Create intermediate event datasets when shaping data

Where possible, create an intermediate event dataset by publishing partially shaped data as a new event dataset. Queries and further derived datasets typically have to read less data than if you create them directly on top of the original input dataset.

This technique is especially effective if the intermediate dataset applies a selective filter to the input dataset, picks only a subset of input columns, or extracts JSON paths from an input column and then drops the original column.

Avoid defining datasets directly on the Observation dataset.

Use options(expiry) to reduce the time range read by make_resource

By default, the make_resource verb reads a large time range of input events: 24 hours. The reason for this behavior is that make_resource must compute the state of each resource at the beginning of the query time range, and, by default, it looks for events up to 24 hours in the past. Thus, a query with make_resource with a query time range of 4 hours actually reads at least 28 hours of input data.

24+ hours can be a lot of data, especially if the input dataset is the Observation dataset. Avoid defining resource datasets directly on the Observation dataset.

Most resource types receive events much more frequently than every 24 hours. Observe recommends adding options(expiry:duration_hr(...)) to your make_resource command to reduce the lookback where appropriate.

For example, if you know that the live instances of some resource dataset receive events at least every 15 minutes, it would be appropriate to set the resource expiration to 1 hour, thereby greatly reducing the amount of data read by make_resource:

make_resource options(expiry:duration_hr(1)), col1:col1, primarykey(pk1, pk2)

Shaping data

Allowed Characters in Field names

In most cases, field (column) names may contain any character except double quote ", period ., or colon :. Underscores are displayed as spaces in the UI.

colmake "ΔT":float64(field3)
colmake "占用率":float64(field4)
colmake "0_3µm":float64(um03)

To reference a field with non-alphanumeric characters in an OPAL statement, use double quotes and prepend @..

colmake temp_difference:@."ΔT"

Regex extracted columns (either Extract From Text or extract_regex) are limited to alphanumeric characters (A-Z, a-z, 0-9).

The following words are reserved by OPAL and you cannot use them as identifiers:

• or

• and

• not

• true

• false

You must enquote them when used as a column name or path segments, for example, `make_col “and”:name.”or”.

Using the Share link

To share a worksheet with someone else, use the Share Worksheet to copy the link to the clipboard. A URL copied from the browser address bar won’t show the same content.

Change the number of results displayed

By default, an events table shows the first 1000 rows of results. You can change the number displayed in the Limit tab of the Table Controls menu.

Hide, show, or reorder columns

Also use Table Controls to hide, show, or change the order of columns displayed. In the Columns tab, click to show or hide, and drag to reorder.

Video instructions