Explorer
  • 07 Nov 2024
  • 16 Minutes to read
  • PDF

Explorer

  • PDF

Article summary

The Explorer page in Traceable acts as a centralized dashboard for monitoring and analyzing API activity, providing an overarching view of how requests interact with your application system. It categorizes data into endpoint traces, spans, and events, providing a detailed understanding of API behavior. While endpoint traces provide information about the process of individual requests at each API endpoint, spans provide the building blocks of a trace. Events provide additional detail by highlighting specific, significant occurrences of threats within spans, such as security checks or errors, and include context like timestamp and service details.

Explorer

The Explorer page contains the following tabs:

  • Explorer — The Explorer tab shows data for endpoint traces, spans, and events. The tab also shows Visualizations, enabling you to select and customize parameters, such as metrics and aggregation types to better understand data trends. The Results table in the tab shows an interactive view of traces, spans, and events with options to expand each row for detailed information. The Filters enable targeted searches, and you can save complex or frequently used queries for quick access through the save queries option.

  • Recent — The Recent tab keeps a log of executed queries while categorizing them as in-queue or completed, and enables you to track their statuses, further streamlining query management and tracking.

  • Saved — The Saved tab shows queries that you wish to reuse, enabling you to quickly access, edit, or share these saved queries with team members.

Using the above tabs and functionalities, the Explorer page provides efficient monitoring and in-depth analysis of API security, performance, and activity data.

The following sections explain each tab in detail.


Explorer

The Explorer tab contains the following sub-tabs:

  • Endpoint Traces — Traces are records of the lifecycle of a request as it navigates through various components or services of your application ecosystem. Endpoint traces are a sub-segment of the trace that provide detailed information about the activities of an API endpoint.

  • Spans — Spans are individual components that together build up a trace. They represent a specific function call within a request lifecycle.

  • Events — Events are specific time periods within a span at which Traceable observed threats in an API request. They capture details about the operation within a span, for example, errors, service in which they occur, timestamp, etc.

The data in the above tabs is shown for the Last 1 day across All Environments, by default. However, you can customize the time range and environments according to your requirements, from the tab’s top right corner. You can also visualize the data shown in these sub-tabs based on various metrics. For more information on visualizing this data, see Visualization.

The Traceable platform receives raw span data from its agent. Traceable's business logic creates the trace and the Endpoint trace from these spans and events. The Explorer tab also gives you the capability to view raw span and events data. Traceable identifies all the request and response data in an API request; for example, request headers, body, cookies, etc. and captures them as individual span attributes and events. This data is shown in the form of a table under the Results section.

You can also apply one or more filters or conditions to narrow down the search and run the query according to your requirements. If a filter has an associated operation, it is shown when you enter a space in the search bar. For more information on the filters and associated operators, see Filters.

Query Processing

Once you run the query, Traceable inspects the query parameters, like time range, filters, attributes, etc. and dynamically processes it using either of the following methods:

Note

These methods are applied in the Endpoint Traces and Spans tab only.

Using the real-time OLAP store

Traceable, upon receiving the query, synchronously executes it in the OLAP store and shows the result in the page within a 30-second timeout.

Using the data lake

For queries processed using the data lake, Traceable shows a dialogue box on the Explorer page while executing the query in the background. In this box, you can either click Cancel Request to abort the query execution or click Ok, post-which Traceable redirects you to the Recent tab where you can monitor the progress of the query.

You can also navigate away from the page while Traceable is processing the query. Once the query execution is complete, Traceable shows a notification on the page’s bottom right corner with the option to View Results. Upon clicking, you are redirected to the Explorer page where you can view the results.

Based on the query execution and result, you can also create custom rate limiting policies according to your requirements. To create the policy, click + Create Policy above the search bar. While Traceable pre-fills the configurations based on your filters, you can customize them according to your requirements. For more information on these policies, see Custom Policy.

The following sections explain the various components shown in the Explorer tab.

Visualization

The Visualization section shows a chart that you can use for analysis. You can also customize this chart according to your requirements by doing either of the following:

  • Add or remove metrics and aggregations

    Note

    You must add at least one metric for the visualization to appear.

  • Modify the type of visualization

  • Select the interval for which you wish to view the data

  • Select the parameter based on which you wish to group the data by

  • Select the parameter based on which you wish to order the visualization by

Once you have customized the visualization, you can hover over it to view the required details. The following demo shows how you can create a visualization to view the call rate (sec) metric grouped by endpoint name with 10 maximum groups in the chart, having the interval as None. The visualization is also ordered by the descending number of calls. When you hover the mouse over the columns, a pop-up shows the call rate for all 10 endpoints. Similarly, you can create several visualizations to compare various parameters.

Results

The Results section contains a table showing the list of traces, spans, or events for the time range and environment you select. Each list item contains detailed information about it. To view the information, expand the item by clicking the > icon corresponding to a row. You can also download the desired number of results by clicking the Menu () icon → Download as CSV in the section’s top right corner.

Filters

Traceable allows you to add one or more filters according to your requirements. To add the filters, complete the following steps:

Traceable _ Explorer _ Filters(1)

Explorer Filters

  1. Click the search bar at the top of the page and specify the parameter. For commonly used filters across Endpoint Traces and Spans, see Filter Parameters.

  2. Add a space after the parameter and add the operator. For descriptions and examples, see Operators.

  3. Specify the values corresponding to the parameter and operator.

  4. Click Enter or return and click Run.

You can also auto-fill filters by hovering over a value in any column and clicking the Filter (traceable_filter_icon(1)) icon corresponding to it. Upon clicking, Traceable shows a list having the same column name and value, but different operators. You can choose the list item having the operator that you wish to apply. For example, if you wish to see data for services with frontend as the name, then you can select Service Name = frontend. Similarly, you can apply multiple auto-fill filters according to your requirements. The following demo shows how you can add auto-fill filters.

Traceable _ Explorer _ Auto-fill Filters

Auto-fill Filters

Once you have applied the necessary filters, you can save the queries for later use. For more information on saving queries, see the below section.

Save Queries

Traceable provides you with an option to save your queries for future use. Saving queries can help you save time if you wish to use the same query again. While saving a query, you can select the time range you wish to save the query for. Traceable provides the following options for selecting the time range:

  • Application Time Range - This is equivalent to not choosing any time range.

  • Last 1 day — This time range is the same as the one you chose from the time-range drop-down at the top of the tab. In the demo shown below, it is Last 1 day. The time range changes if you choose a different one from the drop-down at the top of the page. When you choose this option, the result of the query will be based on the saved time range. This means that if the application time range is 1 week and the saved query time range is 1 day, then the result would be based on the last 1 day's data.

  • Exact time — This option saves the query for the time when it was last run. For example, in the demo below, the query is run for 04/11/2024, 19:23:51 - 05/11/2024, 19:23:51. When you save the query with this time range, it will always show the result between 4th and 5th November.

    Note

    The exact time range query result is available only during the data retention period (3 days). If the chosen time range lies outside of this period, the saved query does not show any result.

The following demo shows how you can save a query:

You can view the saved queries in either of the following ways:

  • From the Saved tab. For more information, see Saved.

  • By clicking the Filter (traceable_filter_icon) icon corresponding to the search bar and searching for the query using its name. You can also hover over the File (traceable_catalog_compliance_policies_file_icon) icon corresponding to a query to view its details.

Traceable also provides you the option to save queries from the Recent tab. For more information, see the section below.


Recent

The Recent tab displays the queries that you execute in the Endpoint Traces and Spans tabs under Explorer. The tab is divided into two parts, Queries in Queue and Completed Queries. The following sections explains these parts.

Recent Tab

Queries in Queue

This section lists the queries that are currently in queue or are being processed. You may have run these queries in the Explorer tab and they may have required a longer time for execution (processing using the data-lake). The queries are executed simultaneously based on the availability of resources. For each query, Traceable shows some basic details, the time at which you ran the query, and the progress bar for it. You can also cancel the query execution while it is in progress by clicking the X icon corresponding to a row.

Completed Queries

This section lists the queries whose execution is completed. This includes queries that have succeeded or failed. The following details are shown for each query:

  • Time of expiry — The amount of time remaining for a query and its result to expire. Traceable stores a query for three days after which it is deleted. If you wish to retain these queries, you can save them according to your requirements.

  • Time Range — The time range that you selected in the Explorer tab while running the query.

  • Scope — The tab under which you executed the query, for example, Endpoint Traces in the above screenshot.

  • Filters — The parameters based on which you applied filters for executing the query, for example, Service Name like (~) service.

  • Metric Selections — The number of metrics you selected for visualizing data shown as part of the result. For more information on these metrics, see Visualization.

  • Results Selections — The number of columns shown as part of the result, for example, 11 in the above screenshot.

  • Run At — The time at which you executed the query in the Explorer tab.

  • Actions — This column provides the option to run the query again. You can click Run to execute the queries again to fetch results. Upon clicking, you must select the time range for which you wish to execute query. Traceable redirects you to the Explorer tab and displays the results.
    For queries processed using the data lake (long running queries), Traceable provides you the option to view the Previous Results. Upon clicking, Traceable redirects you to the relevant section (Endpoint Traces or Spans) and shows the results for the time range used while executing the query. For example, if you executed the query for the 27/10/2024, 19:23:51 - 28/10/2024, 19:23:51 time range, then, Traceable shows the results for the same time range.

Traceable also allows you to filter data shown in this section based on the query state (succeeded or failed). To do so, you can click the Filter (traceable_filter_icon) icon above the section as shown in the above screenshot.

Additional Actions

You can click the Ellipse (traceable_ellipse_icon) icon corresponding to a query and perform the following actions:

  • Copy Link — This option enables you to share the query results with your team members added to the Traceable platform. The team members are redirected to the Explorer tab displaying the result of the query.

  • Save Query — This option enables you to save the query for later use. The query is stored indefinitely. You can navigate to the Saved tab and execute the query according to your requirements. While saving the query, you can specify a name for the query, the time range for which you wish to execute the query in the future, and comments. For more information on Saved queries, see Saved.

  • Delete — This option allows you to delete the query permanently.

    Note

    A deleted query cannot be restored.


Saved

Traceable provides some pre-saved queries out-of-the-box that are most frequently used. You can execute these queries on the Endpoint Traces from the Saved tab and view the relevant results. You can also edit these queries to modify the name, time range for which they are executed, and add comments.

Saved Tab

Apart from the pre-saved queries, the page also lists the queries that you may have saved from the Explorer or Recent tab. The following columns are shown on the page:

  • Query — This column shows the query name that you specified while saving the query. It also shows the scope of the query, which is the tab under which the query was executed, such as Endpoint Traces, Spans, or Events. You can also hover over the File icon corresponding to a query to view the configured details for that query.

  • Owner — This columns shows the team member name who saved the query. The queries provided out-of-the-box are labeled with Traceable as the owner.

You can click Run corresponding to each query and execute it according to your required time range. You can also click the Ellipse (traceable_ellipse_icon) icon corresponding to a query and perform the following actions:

  • Copy Link — This option enables you to share the query results with your team members added to the Traceable platform. The team members are redirected to the Explorer tab displaying the result of the query.

  • Edit — This option enables you to edit the query name, time range for which you wish to execute the query, and comments.

  • Delete — This option allows you to delete the query permanently.

    Note

    A deleted query cannot be restored.


Filter Parameters

The following tables explain a few of the filter parameters for Endpoint traces and spans.

Endpoint Traces

Parameter

Definition

API exit call

Number of outbound calls made by the API Endpoint

Calls

Number of calls to the API Endpoint

Duration

Time spent within the boundary of a service containing the API Endpoint is the time between the entry span into the service and the exit span out from the service.

End time

The end time of the segment of the trace

Endpoint ID

The ID of the API Endpoint this trace segment belongs to

Endpoint Name

Name of the API Endpoint this trace segment belongs to

Endpoint Trace ID

The span ID corresponds to the entry span, which is the starting span of the Endpoint trace segment.

Environment

All the data visible is scoped under the selected environment. But if you select AllEnvironments, this shows the environment corresponding to the trace segment.

Error count

Count of errors in the given API trace

HTTP Method

HTTP Methods, for example, GET/POST/PUT/DELETE, and so on.

IP Address

Client's IP address

Is Endpoint PII

True if the endpoint corresponding to the trace segment has any sensitive information/parameters.

Protocol

HTTP or GRPC

Request Body

Contains the API request for the given API

Request Content-Type

Content-type request header

Service ID

The ID of the Service that owns the API Endpoint trace this segment belongs to

Service Name

Name of the Service that owns the API Endpoint this trace segment belongs to

Session ID

User session ID in which the current operation (that resulted in the trace) was performed

Start time

The start time of the segment of the trace

Trace ID

The trace ID of the trace that this segment is part of

User ID

The username or client_id was extracted from the access token or Authorization header in the inbound request from outside the system.

User Role

The client's actual or assumed role is making the request extracted from the token or application security context.

User Scope

Scopes or granted authorities the client currently possesses were extracted from the token or application security context. The value would come from the scope associated with an OAuth 2.0 Access Token or an attribute value in a SAML 2.0 Assertion.

Spans

Parameter

Definition

Duration

The time duration for the span

Endtime

The finish time for the span

Error Count

Count the number of error occurrences in the given span

Parent Span ID

Span ID for the parent span

Protocol

One of HTTP, HTTPS, GRPC, REDIS, MONGO, JDBC, RABBIT_MQ protocol

Request Body

Contains the API request for the given API

Request Content-Type

Content-type request header

Request Params

The request parameters

Request size

The size of the request

Request Headers

The request headers

Response Content Type

Content-type response header

Response Headers

The response headers

Response Size

The size of the response

Service ID

The ID of the service corresponding to the given span

Service Name

Name of the service corresponding to the given span

Span ID

The identifier for the span

Span Name

The name for the span

Start Time

The time when the span event started

Tags

The key-value attributes for the span. It captures various events or metadata about the span

Trace ID

An Identifier for the trace that this span belongs to


Operators

The following table lists the various operators with their descriptions and examples.

Operator

Description

Supported attribute types

Examples

=

This operator tests for an exact match and is case-sensitive. When used against an array, it tests for at least one matching value. It can be used against a particular map entry by including a key value to test against to be included as part of the field declaration, but it cannot be used against a map itself.

String, Number, Boolean, Map Value, String Array

Bot IP = true

User Roles = Developer

Request Headers.x-forwarded-for = 1.2.3.4

!=

This operator is used as a negation of =. For arrays, this checks that there are no matching values.

String, Number, Boolean, Map Value, String Array

Bot IP != true

User Roles != Developer

Request Headers.x-forwarded-for != 1.2.3.4

IN

This operator is like =, except that it accepts a comma-separated list of allowed matches.

String, Number, Boolean, Map Value, String Array

Service Name IN dataservice, loginservice

User Roles IN developer, analyst

Request Headers.x-forwarded-for IN 1.2.3.4, 5.6.7.8

NOT_IN

Negation of IN. For arrays, this checks that there are no matching values.

String, Number, Boolean, Map Value, String Array

Service Name NOT_IN dataservice, loginservice

User Roles NOT_IN developer, analyst

Request Headers.x-forwarded-for NOT_IN 1.2.3.4, 5.6.7.8

~

Evaluates the provided regex for any matches. This operator is case-insensitive.

String, Map Value, String Array

Service Name ~ ^data

Request Headers.x-forwarded-for ~ 10\.10\.10\.\d{1,3}

<

Less than

Number

Duration < 10

>

Greater than

Number

Duration > 10

<=

Less than or equal to

Number

Duration <= 10

>=

Greater than or equal to

Number

Duration >= 10

CONTAINS

This operator checks if the string contains the provided substring. The operator is case-insensitive. For arrays, the operator checks if there are any matching values.

String, String Array

Service Name CONTAINS auth

CONTAINS_KEY

This operator checks if the map contains a key with the provided name. The operator is case-sensitive.

Map

Request Headers CONTAINS_KEY x-forwarded-for

CONTAINS_KEY_LIKE

This operator checks if the map contains a key matching the provided regex. The operator is case-insensitive.

Map

Request Headers CONTAINS_KEY_LIKE forward.*

NOT_CONTAINS_KEY

This operator checks if the map contains no key that exactly matches the provided value. The operator is case-sensitive.

Map

Request Headers NOT_CONTAINS_KEY x-forwarded-for


Was this article helpful?