Unresolved Incident Query¶
Before querying, please refer to the field descriptions for df_monitor_checker_event_ref, df_fault_id, df_status, and df_fault_status in the Event Related Field Descriptions.
1. Query Entry¶
2. Query Statement¶
Method 1: Query using having clause (Suitable for Doris engine) can directly get results¶
Query Structure¶
{
"queries": [
{
"qtype": "dql",
"query": {
"disableMultipleField": False,
"q": "E::`monitor`:(`__docid`, `df_title`,`df_monitor_checker_event_ref`, `df_fault_id`, `df_status`, `df_fault_status`,`df_fault_start_time`, `df_event_id`) { df_monitor_checker_event_ref = exists() } by `df_monitor_checker_event_ref` having df_fault_status = 'fault' sorder by create_time desc",
"timeRange": [
1724320359294,
1724323959294
],
"align_time": True,
// Specify to disable sampling for this query
"disable_sampling": True,
// Specify the number of groups to get, i.e., 100 unresolved incidents
"slimit": 100,
"tz": "Asia/Shanghai"
},
}
]
}
Method 2: Query without having clause (Non-Doris engine) requires filtering¶
Query Structure¶
{
"queries": [
{
"qtype": "dql",
"query": {
"disableMultipleField": False,
"q": "E::`monitor`:(`__docid`, `df_title`,`df_monitor_checker_event_ref`, `df_fault_id`, `df_status`, `df_fault_status`,`df_fault_start_time`, `df_event_id`, `create_time`) { df_monitor_checker_event_ref = exists() } by `df_monitor_checker_event_ref` sorder by create_time desc",
"timeRange": [
1724320359294,
1724323959294
],
"align_time": True,
# Specify to disable sampling for this query
"disable_sampling": True,
# Specify to get 1000 triggering objects
"slimit": 1000,
"tz": "Asia/Shanghai"
},
}
]
}
Filter the DQL Query Results¶
Filter the df_fault_status status in the query results to filter out incidents where df_fault_status=fault. At this point, this data is the list of unresolved incidents.
Final Output¶
Sort the data in descending order based on the time field to get the final list of unresolved incidents.
3. How to Confirm the Storage Engine Type for Events in the Current Workspace¶
Get Workspace Storage Information via API¶
The response from the interface contains datastore which stores the storage engine types for all basic data in the current workspace (excluding external indexes). If the value of keyevent in datastore is doris, it indicates that the event data uses the doris storage engine.
Interface return result is as follows
{
"code": 200,
"content": {
"id": 1,
"uuid": "wksp_xxxxx",
"name": "[Doris] Workspace Name",
"versionType": "pay",
// ......
"datastore": {
"backup_log": "doris",
"custom_object": "doris",
"keyevent": "doris", // Check the value corresponding to keyevent here. If it is doris, it indicates a doris type storage engine
"logging": "doris",
"metric": "guancedb",
"network": "doris",
"object": "doris",
"object_history": "doris",
"profiling": "doris",
"rum": "doris",
"security": "doris",
"tracing": "doris"
},
// ......
},
"errorCode": "",
"message": "",
"success": true,
"traceId": "2956247345653191101"
}