search

brimdata / zui

Zui is a powerful desktop application for exploring and working with data. The official front-end to the Zed lake.
https://www.brimdata.io/download/
Other
1.8k stars 132 forks source link

design subspace creation from search tabular results #926

Closed alfred-landrum closed 4 years ago

alfred-landrum commented 4 years ago

From an index search, we want a user to be able to choose one or more records from the tabular search results, and create a subspace where they can search the full data. We've discussed allowing control-clicking to choose records, or making checkboxes available, but haven't narrowed down to a specific design yet.

philrz commented 4 years ago

Verified in Brim commit 76f506a talking to zqd commit 42103ef.

First I followed the steps from the zar README to create an archive, then used zapi to create an Archive Space for it in my locally-running Brim app.

$ zq zng/*.gz | zar import -s 25MB -

$ zar index :ip
file:///Users/phil/logs/20180324/1521912990.158766.zng: creating index file:///Users/phil/logs/20180324/1521912990.158766.zng.zar/microindex-type-ip.zng
file:///Users/phil/logs/20180324/1521912507.399929.zng: creating index file:///Users/phil/logs/20180324/1521912507.399929.zng.zar/microindex-type-ip.zng
file:///Users/phil/logs/20180324/1521912075.114273.zng: creating index file:///Users/phil/logs/20180324/1521912075.114273.zng.zar/microindex-type-ip.zng
file:///Users/phil/logs/20180324/1521911772.980384.zng: creating index file:///Users/phil/logs/20180324/1521911772.980384.zng.zar/microindex-type-ip.zng

$ zar index uri
file:///Users/phil/logs/20180324/1521912990.158766.zng: creating index file:///Users/phil/logs/20180324/1521912990.158766.zng.zar/microindex-field-uri.zng
file:///Users/phil/logs/20180324/1521912507.399929.zng: creating index file:///Users/phil/logs/20180324/1521912507.399929.zng.zar/microindex-field-uri.zng
file:///Users/phil/logs/20180324/1521912075.114273.zng: creating index file:///Users/phil/logs/20180324/1521912075.114273.zng.zar/microindex-field-uri.zng
file:///Users/phil/logs/20180324/1521911772.980384.zng: creating index file:///Users/phil/logs/20180324/1521911772.980384.zng.zar/microindex-field-uri.zng

$ zapi new -k archivestore -d $ZAR_ROOT MyArchive
MyArchive: space created

As shown in the attached video, right now Brim doesn't auto-refresh when a new Space is added by something outside the app, so I hit the "+" in the Space picker to force it to refresh. Once I click on the name of the Archive Space, by default I start out in Events Search mode, which is the same search experience we've had traditionally. I then switch to Index Search mode via the pull-down and am able to enter the kinds of micro-index searches as shown in the zar README, such as :ip=10.10.23.2, which returns the list of ZNG chunks and hit counts in which that term appeared. Clicking the Subspace button, a new Space is created for me based on that single chunk and a search for that specific value 10.10.23.2 returns the single event that the count from the micro-index told us to expect. The same is true for when I do an Index Search for named field/value uri=/file. Here I make my Subspace out of two of the three chunks, and I'd seen that one of those chunks had 1 hit and the other had 2. Indeed, the search for uri=/file within the Subspace shows three events as I'd expect.

Verify.zip

Thanks @jameskerr!