Filtering in Instana

Instana offers a filtering tool to help you focus on the most relevant data during monitoring and troubleshooting.

Overview

Dynamic Focus Queries (DFQs) and Tag Filter Expressions (TFEs) are the two primary methods. Each serves similar purposes but is designed to meet different user needs. DFQs offer flexibility and cross-context capabilities, making them suitable for detailed insights orchestrated across different data stores. TFEs are more accessible for quick, context-specific filtering, making them ideal for an intuitive tag-based approach. For more information, see Dynamic Focus Queries and Tag Filter Expressions.

Dynamic Focus Queries (DFQs)

DFQs are a keyword-based query method in Instana that you can use to filter on specific entities such as metrics or traces. DFQs also support selecting entities across different contexts in Instana's Dynamic Graph, making them highly flexible, but potentially complex and slower.

DFQ supports the three following types of contexts (and filters):

  • Infrastructure (entity.*)
  • Applications (entity.application.*, entity.service.*, entity.endpoint.*)
  • Events (events.*)

Tag Filter Expressions (TFEs)

TFEs are more intuitive, particularly for less experienced users. TFEs are tag-based and focus on filtering and grouping data within a single context. They benefit from enrichment that is made at ingest time, allowing for quicker, and more streamlined searches.

Comparing DFQs and TFEs

The following table outlines the comparison between DFQs and TFEs:

Table 1. Comparison between DFQs and TFEs
Feature DFQs TFEs
Use case Ideal for detailed and multi-context searches. Suitable for filtering data within a single context.
Best place to explore Infrastructure Map Analytics
Coverage Infrastructure, Applications, Events (excluding Synthetics, EUM, Logs, and BizOps). Everything except Events.
More details Learn more about DFQs Learn more about TFEs

Using DFQs and TFEs

You can use DFQs and TFEs to filter out the required data.

Accessing filters

  • DFQs: You can accsee DFQs by using the filter icon or Add Filter option in any dashboard or page in the Instana UI where data is displayed.
  • TFEs: You can access TFEs from the analytics sections of Instana, such as Service or Infrastructure Analysis.

Create a query or expression

You can create query for DFQs and TFEs.

Creating a query or expression for DFQs

  1. Select Metrics/Traces: Choose the data that you want to filter.
  2. Define Conditions: Set up your text-based or keyword-based conditions (for example, response time > 500 ms, serviceName contains 'checkout').
  3. Apply Filter: Update your view to reflect the filtered data.

Creating a query or expression for TFEs

  1. Select Tags: Choose from predefined tags that correspond to various attributes of your entities (for example, services and endpoints).
  2. Add Conditions: Apply filter conditions and groupings based on these tags.
  3. Apply Expression: Instana filters the data within the context of the selected tags.

Refining and saving queries

  • DFQs: You can add multiple conditions to further narrow down the data, modify, or remove conditions as needed.
  • TFEs: You can click through different tags and refine your filters dynamically.
  • Save for Reuse: Both DFQs and TFEs can be saved for future use, which is especially useful for recurring analysis or troubleshooting tasks.

Best practices for filtering

  • DFQs: Begin with broad conditions and refine them as you gain more insights. Review and update saved DFQs regularly to keep them aligned with your monitoring needs.
  • TFEs: Use the point-and-click interface for quick filtering, especially when you focus on specific contexts like services or infrastructure components. Regularly review your tag selections to ensure that they match your current focus.

Usage examples

The following examples outline the use cases of DFQs and TFEs:

  • Performance monitoring:

    • DFQs: Filter for services with specific response times across different contexts.
    • TFEs: Focus on services or endpoints with certain tags that are related to performance issues.
  • Infrastructure management:

    • DFQs: Aggregate metrics from various infrastructure components.
    • TFEs: Isolate data for specific infrastructure elements within a single context.
  • Application debugging:

    • DFQs: Drill down into specific traces across multiple applications or services.
    • TFEs: Filter logs or metrics that are associated with a specific application tag.