Pro tip: creating DQL filters faster in Security Investigator

Tiit_Hallas — Tue, 12 Nov 2024 11:18:23 GMT

When fetching logs and events from Grail, it is usually needed to create additional filters based on your results. To do it faster, Security Investigator has a bunch of "hidden gems" that allow Engineers to drill into their data in a much faster and flexible way.

Filtering by multiple values

If you hold down the shift key on your keyboard and click on fields, you can select multiple fields in the same column. By right-clicking on them and choosing "Filter out", all the unique values are gathered from the selected fields and are added to the filtering statement:

Partial filtering

It is not always the full content of the field that you would want to filter by. This is why it is possible to create values from only a portion of the field value. By selecting only some of the value and choosing "Filter for", the filter statement will look only for the selected part.

Filtering by timestamps

If you find an error message from your logs, you might want to see, what happened around that error (or before.. or after it). This is why it is possible to create quick timestamp filters from the context menu. By choosing "Timestamp filters", you can see different filters provided for timestamps, including "Around 5 seconds", which will add the following filter to the query:

| filter timestamp >= toTimestamp("2024-11-12T10:47:45.000000000Z")-5s and timestamp <= toTimestamp("2024-11-12T10:47:45.000000000Z")+5s

Statistical filters

When selecting multiple numerical values, it is possible to create filters based on statistical values, for example: by the maximum number from the selection.

topic Pro tip: creating DQL filters faster in Security Investigator in Dynatrace tips

Pro tip: creating DQL filters faster in Security Investigator