Exploring data in EraSearch's UI

Acquisition notice

In October 2022, ServiceNow acquired Era Software. The documentation on this site is no longer maintained and is intended for existing Era Software users only.

To get the latest information about ServiceNow's observability solutions, visit their website and documentation.

EraSearch's UI helps you view, explore, and query your log data. On this page, you'll learn how to:

  • Access the UI
  • View and explore data based on time and other filters
  • Search data using basic query syntax

This content is intended for engineers and developers using EraSearch on EraCloud. If you haven't already, get started with an EraCloud account and learn the basics.

Before you begin

The examples on this page use the sample data below. If you'd like to follow along, feel free to write the data to your database.

{"index":{"_index":"customers"}}
{"customer.firstname":"lian","dog.name":"spot","_line":"account pending","treats":3,"_ts":1635037200000}
{"index":{"_index":"customers"}}
{"customer.firstname":"lilly","cat.name":"whiskers","_line":"account verified","treats":2,"_ts":1635040800000}
{"index":{"_index":"customers"}}
{"customer.firstname":"lele","dog.name":"chewy","_line":"account verified","treats":5,"_ts":1635044400000}
{"index":{"_index":"customers"}}
{"customer.firstname":"lillie","dog.name":"tofu","_line":"account pending","treats":6,"_ts":1635048000000}
{"index":{"_index":"customers"}}
{"customer.firstname":"lily","dog.name":"mabel","_line":"account verified","treats":1,"_ts":1635051600000}
{"index":{"_index":"customers"}}
{"customer.firstname":"linus","dog.name":"wolfie","_line":"account pending","treats":2,"_ts":1635058800000}
{"index":{"_index":"customers"}}
{"customer.firstname":"liz","dog.name":"floof","_line":"account verified","treats":8,"_ts":1635058800000}
{"index":{"_index":"customers"}}
{"customer.firstname":"lilly","dog.name":"olaf","_line":"account verified","treats":4,"_ts":1635058800000}

Access EraSearch's UI

To access the UI, sign in to your EraCloud account and click the search icon. By default, the UI displays all data written in the past 15 minutes.

Select time ranges

Use the UI to explore data within specific time ranges. For example, you can view data from the past five minutes, the past month, or between specific dates.

Follow these steps to view the sample data from October 24, 2021:

  1. In the UI, make sure you've selected customers under Index.
  2. Click Past 15 min (UTC) > Custom and enter these dates in the FROM and TO inputs:
    • 2021-10-24 00:00:00
    • 2021-10-24 08:00:00
  3. Press enter to view the eight documents organized by time.

You can also view specific time ranges by selecting parts of the chart:

(Figure: click and drag on the chart to select a time range.)

Select indexes

To view data in specific indexes, select and unselect the checkboxes under Index.

If you want to view data in one index, click the index name to select only that index. For example, click customers (not its checkbox) to select the index and unselect every other index.

EraSearch's UI has several features to help you learn about your data with a few clicks.

In the UI, click any document to open the Log viewer. The Log viewer shows the document's fields in tabular and JSON format.

Next, in the Log viewer, click See in context to open a new tab. The new tab shows documents with timestamps up to five minutes before the selected document.

Generate queries

If you're exploring your data or learning the syntax, the UI can generate queries for you. To generate queries, select the different indexes and field values in the UI.

Follow the steps below to see an example of a generated query. The query searches for data where customer.firstname is lilly and cat.name isn't whiskers:

  1. Make sure you've selected customers under Index.
  2. Under customer.firstname, click lilly > Show matching.
  3. Under cat.name, click whiskers > Hide matching.
  4. View the generated query in the search box, and view the one returned document.

To reset the UI, delete the query from the search box and press Enter.

Enter custom queries

EraSearch supports most of Elasticsearch's query-string syntax. Use the same syntax to enter custom queries in the UI, and explore data based on keywords, ranges, booleans, and wildcards.

Here's an example of a custom query on the sample data:

customer.firstname:l?l* AND _line:verified AND _exists_:dog.name AND treats: > 1

When you enter it in the UI, the query returns these documents:

{"customer.firstname":"lilly","dog.name":"olaf","_line":"account verified","treats":4,"_ts":1635058800000}
{"customer.firstname":"lele","dog.name":"chewy","_line":"account verified","treats":5,"_ts":1635044400000}

The sections below break down that example into subqueries and highlight query syntax essentials.

Querying with wildcards

customer.firstname:l?l*

This subquery uses wildcards, where ? indicates one character and * indicates zero or more characters. When you run the subquery on the sample data, it captures these variations of lilly in the customer.firstname field: lilly, lily, lillie, and lele.

Querying keywords

_line:verified

This subquery searches for keywords in the data. When you run the subquery on the sample data, it returns five documents where _line contains verified.

Note that the subquery uses verified instead of account verified. That substring search is possible because EraSearch auto-parses _line values into distinct strings. For example, EraSearch stores the _line value "health check" as ["health","check"]. By default, EraSearch doesn't auto-parse the values of other field keys such as line or _logline.

Querying fields with non-null values

_exists_:dog.name

The _exists_:dog.name subquery searches for documents where a specific field key has non-null values.

In this case, EraSearch returns documents if dog.name has a value (such as olaf) or an empty string "". EraSearch omits documents if dog.name doesn't appear in the document or if dog.name is set to null.

Querying ranges

treats: > 1

The treats: > 1 subquery searches for a specific numerical range in the data. When you run this subquery on the sample data, it returns seven documents where the number of treats is greater than one.

Here are some more examples of querying with ranges:

  • treats:[1 TO 2] - Return documents where the treats field key has values between one and two.
  • dog.name:[spot TO wolfie} - Return documents where the dog.name field key has values between spot and wolfie, not including wolfie.

Reserved characters

When querying field values with reserved characters, either escape the characters with a backslash (\) or wrap the values in quotes.

In EraSearch, reserved characters are: !, (, ), {, }, [, ], ^, ", ~, *, ?, :, /, \ and .

Examples

Request ClientRequestPath values starting with https:era.co/docs/write-data:

ClientRequestPath:https\:era.co\/docs\/write-data*

Request a hikes value that has a space:

hikes: spruce\ trail
Or
hikes: "spruce trail"
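When a script or dashboard builds queries from values taken from log data or user input, the same escaping keeps a value from being read as query syntax. The helper below is an added example, not part of EraSearch: the function names are hypothetical, and it treats the "." that ends the list above as punctuation because the page's own example leaves era.co unescaped.

```python
import re

# Reserved characters from this page's list, plus whitespace (the page's
# "spruce\ trail" example escapes the space). Assumption: "." is not
# escaped, matching the page's ClientRequestPath example.
_RESERVED = re.compile(r'([!(){}\[\]^"~*?:/\\\s])')

# Assumption: field keys are letters, digits, underscores and dots,
# as in the page's examples (customer.firstname, _line, dog.name).
_FIELD_OK = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]*$')

def escape_value(value):
    """Backslash-escape every reserved character so the value matches literally."""
    return _RESERVED.sub(r'\\\1', value)

def term(field, value, prefix=False):
    """Build field:value from an untrusted value.

    prefix=True appends an unescaped trailing * so the term matches
    values that start with the given text.
    """
    if not _FIELD_OK.match(field):
        raise ValueError(f"unexpected field name: {field!r}")
    return f"{field}:{escape_value(value)}" + ("*" if prefix else "")

def all_of(*terms):
    """Join already-built terms with AND."""
    return " AND ".join(terms)

# Constructed input: a value that contains query operators stays one literal term.
UNTRUSTED = "lilly OR _exists_:treats"
SAFE_QUERY = all_of(term("customer.firstname", UNTRUSTED), term("_line", "verified"))
```

Elasticsearch's own reserved list also includes +, -, =, &&, ||, > and <; this page does not say how EraSearch treats them, so the helper leaves them alone.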

Next steps

To learn more about the query syntax, visit Elasticsearch's Query-string syntax documentation. To write your own data to EraSearch, visit Writing bulk data and the guides on Cloudflare, Fluentd, and Vector.


Last update: August 7, 2023