Coralogix

Coralogix is an observability platform built on streaming analysis of ingested data, running on their proprietary Streama. They bill their processing model as "proactive" (ingest, analyse, then index), as opposed to the legacy "reactive" model (ingest, index, then analyse).

Key features:

  • Direct access to SRE-trained engineers for help getting value out of the platform.
  • Data retention is customer-controlled, since:
    • Data is stored in Parquet format in customer-owned S3 bucket.
    • Not all events need to be indexed.
  • Anomaly detection.
  • Keen to avoid lock-in:
    • Hosted OpenSearch and Grafana in addition to their own UI.
    • Hosted Jaeger too?
  • Pricing based on data ingest, not users/alert configurations.
  • Tree, flame graph, and Gantt/waterfall views of traces.

Concepts

  • Applications are the top-level services that are being instrumented/monitored.
  • Subsystems are individual components of them, such as individual microservices.
  • Versions are versions of either the subsystems or the parent applications.
  • Dashboards visualise metrics.
  • Logs are searchable with either Lucene or DataPrime.
    • Log Templates define patterns for grouping related logs.
    • Frequent Search vs All Logs for searching un-indexed logs.
  • Actions allow user-defined navigation, around Coralogix and between tools.
  • Alerts notify operators about error conditions:
    • Flow alerts allow modelling sequences of events based on other queries.
  • Regions are the physical locations of the data, and can be derived from the domain.
  • Parsing rules extract structured data from unstructured data. They can be used to drop, transform, parse, or extract fields from logs.
    • Parse replaces an unstructured text event with a JSON document comprising the named capture groups from a regular expression.
    • Extract operates like Parse, but retains the original event.
    • JSON Extract
    • Replace Rule
    • Block
    • Timestamp Extract
    • Remove Fields
    • Stringify JSON Field
    • Parse JSON Field
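To make the Block / Parse / Extract distinction concrete, an added Python example (not Coralogix code; the rule regexes and the access-log events are constructed here) simulating the three rule types, including the assumed behaviour that an event a Parse rule does not match is kept as plain text rather than dropped:

```python
import re
from typing import Optional

# Constructed sample events (not taken from any real tenant).
LOGIN_FAILURE = '10.0.0.5 - - [12/Mar/2024:10:15:32 +0000] "GET /login HTTP/1.1" 401 512'
HEALTH_CHECK = '10.0.0.9 - - [12/Mar/2024:10:15:33 +0000] "GET /healthz HTTP/1.1" 200 2'
FREE_TEXT = 'worker restarted after config reload'

# Parse/Extract rule: named capture groups become the JSON field names.
ACCESS_LOG_RE = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)
# Block rule (hypothetical pattern): drop health-check noise before indexing.
# Keep such patterns narrow so security-relevant events (e.g. 401s) are never blocked.
HEALTHZ_RE = re.compile(r'"GET /healthz ')

def block_rule(event: str, pattern: re.Pattern) -> bool:
    """Block semantics: True means the event is dropped from the pipeline."""
    return pattern.search(event) is not None

def parse_rule(event: str, pattern: re.Pattern) -> Optional[dict]:
    """Parse semantics: the raw text is replaced by a JSON document built
    from the named groups. None means the pattern did not match."""
    m = pattern.match(event)
    return m.groupdict() if m else None

def extract_rule(event: str, pattern: re.Pattern) -> dict:
    """Extract semantics: the original event is retained under 'text' and
    the captured fields are added beside it."""
    doc = {"text": event}
    m = pattern.match(event)
    if m:
        doc.update(m.groupdict())
    return doc

def apply_rules(event: str, mode: str) -> Optional[dict]:
    """Run Block first, then Parse or Extract. None means the event was dropped;
    an unmatched event under Parse is kept as plain text (assumption)."""
    if block_rule(event, HEALTHZ_RE):
        return None
    if mode == "parse":
        parsed = parse_rule(event, ACCESS_LOG_RE)
        return parsed if parsed is not None else {"text": event}
    return extract_rule(event, ACCESS_LOG_RE)
```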

Logs

DataPrime is a pipe-based language for data analysis, with an interface similar to Azure's Kusto.

  • top 10 $column by count()
  • enrich $x into $y using $z

Alerts

Note that new alerts and modified alert conditions don't take effect for up to 15m, as configuration changes need to be applied to the streaming analytics engine.

Automation options

