Helpful Hints

Sometimes we have handy little tips that haven’t yet made it to a documentation page. The suggestions here may be updated or moved, if there’s something you are looking for, try Quick Search.

Account details

Customer ID

If you are logged in, your Customer ID is the subdomain of the URL you use to access Observe. Example: 1234567890.observeinc.com

OPAL

Change a field’s type

Change the type of an existing field by creating a new one with the desired type. You may keep both fields, or replace the existing one by giving it the same name.

colmake foo:float64(foo)

Customized metric aggregation

Do common metric aggregation operations with the aggregate verb:

rollup options(buckets:100), cpu_usage:metric("cpu_usage_total", rollup:"rate", type:"cumulativeCounter")
aggregate avg_cpu_usage:avg(cpu_usage), group_by(cluster_uid, node_name, cpu_id)

You can also form more advanced aggregation operations with it as well. For example, create a weighted average with:

rollup options(buckets:100), cpu_usage:metric("cpu_usage_total", rollup:"rate", type:"cumulativeCounter")
colmake weight:case(
  contains(cpu_type, "expensive"), 2.0,
  contains(cpu_type, "normal"), 1.0)
aggregate avg_cpu_usage:avg(cpu_usage * weight), group_by(cluster_uid, node_name)

Filter

Comparisons:

filter temperature > 60 and temperature < 80
filter temperature < 30 or temperature > 100
filter hostname="www" or (hostname="api" and user="root")
filter not severity="DEBUG"

Operators vs functions:

Construct expression with either operators or functions. For example, these two statements are eqivalent:

filter abc < 100

filter lt(abc, 100)

ifnull

Example: A source error resulted in JSON data with similar values but different key names.

FIELDS
{"data":"abc123"}
{"payload":"def456"}
{"data":"ghi789"}

Use ifnull to get the value from payload if there is no value for data. Note: both values must be the same type.

colmake data:ifnull(string(FIELDS.data), string(FIELDS.payload))

Performance

Limit your query window to 1 hour or less while actively modeling

By default, worksheets read 4 hours of data. Depending on the input dataset, that can be a lot of data. Consider reducing the query window to 1 hour or less while actively modeling.

Create intermediate event datasets when shaping data

Where possible, create an intermediate event dataset by publishing partially shaped data as a new event dataset. Queries and further derived datasets will typically have to read much less data than if they were created directly on top of the original input dataset.

This technique is especially effective if the intermediate dataset applies a selective filter to the input dataset, picks only a subset of input columns, or extracts JSON paths from an input column and then drops the original column.

Avoid defining datasets directly on the Observation dataset.

Use options(expiry) to reduce the time range read by make_resource

By default, the make_resource verb reads a large time range of input events: 24 hours. The reason for this behavior is that make_resource must compute the state of each resource at the beginning of the query time range, and, by default, it looks for events up to 24 hours in the past. Thus, a query with make_resource that has a query time range of 4 hours actually reads at least 28 hours of input data.

24+ hours can be a lot of data, especially if the input dataset is the Observation dataset. So especially avoid defining resource datasets directly on the Observation dataset.

Most resource types receive events much more frequently than every 24 hours. We recommend adding options(expiry:duration_hr(...)) to your make_resource command to reduce its lookback where appropriate.

For example, if it is known that the live instances of some resource dataset receive events at least every 15 minutes, it would be appropriate to set the resource expiration to 1 hour, thereby greatly reducing the amount of data read by make_resource:

make_resource options(expiry:duration_hr(1)), col1:col1, primarykey(pk1, pk2)

Shaping data

Field name allowed characters

In most cases, field (column) names may contain any character except double quote ", period ., or colon :. Underscores are displayed as spaces in the UI.

colmake "ΔT":float64(field3)
colmake "占用率":float64(field4)
colmake "0_3µm":float64(um03)

To reference a field with non-alphanumeric characters in an OPAL statement, use double quotes and prepend @..

colmake temp_difference:@."ΔT"

Regex extracted columns (either Extract From Text or extract_regex) are limited to alphanumeric characters (A-Z, a-z, 0-9).

UI

Supported web browsers

Observe works best with the latest versions of Chrome, Edge, Firefox, and Safari.

“use_🔗_to_share” URLs

To share a worksheet with someone else, use the Share Worksheet button Share Worksheet button to copy the link to the clipboard. A URL copied from the browser address bar won’t show the same contents.

Change the number of results displayed

By default, an events table shows the first 1000 rows of results. You can change the number displayed in the Limit tab of the Table Controls menu.

Max Results dialog in the Table Controls menu

Hide, show, or reorder columns

Also use Table Controls to hide, show, or change the order of columns displayed. In the Columns tab, click to show or hide, and drag to reorder.

Video instructions

Bookmarks

Use the the Bookmark button to save the current dataset as a bookmark:

Open the Bookmark popup to find the Create Bookmark button.

New bookmarks are private to each user, make them public to be accessible by other users. You may also arrange them in folders.

Private bookmark with open menu showing Rename, Move to, Make Public, and Delete options.