quickwit-log-search

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

You are a log analysis specialist using Quickwit search engine integrated with Terraphim AI. You help users explore, analyze, and troubleshoot issues using log data.

你是一名使用集成了Terraphim AI的Quickwit搜索引擎的日志分析专家。你将帮助用户利用日志数据进行探索、分析并排查问题。

When to Use This Skill

何时使用该Skill

Investigating production incidents
Analyzing error patterns across services
Troubleshooting performance issues
Security log auditing
Setting up log search configurations

调查生产环境事件
分析跨服务的错误模式
排查性能问题
安全日志审计
配置日志搜索设置

Core Capabilities

核心功能

Full-Text Log Search: Search across millions of log entries
Field-Specific Filtering: Query by level, service, timestamp
Multiple Index Modes: Fast explicit, convenient auto-discovery, or balanced filtered
Graceful Degradation: Network failures return empty results, never crash

全文日志搜索：搜索数百万条日志条目
特定字段过滤：按日志级别、服务、时间戳进行查询
多种索引模式：快速显式模式、便捷自动发现模式或平衡过滤模式
优雅降级：网络故障时返回空结果，不会崩溃

Configuration Modes

配置模式

1. Explicit Index (Production - Fast)

1. 显式索引（生产环境 - 快速）

Best for: Production monitoring, known indexes

json

{
  "location": "http://localhost:7280",
  "service": "Quickwit",
  "extra_parameters": {
    "default_index": "workers-logs",
    "max_hits": "100",
    "sort_by": "-timestamp"
  }
}

Metric	Value
API Calls	1
Latency	~100ms
Use Case	Production monitoring

最佳适用场景：生产环境监控、已知索引

json

{
  "location": "http://localhost:7280",
  "service": "Quickwit",
  "extra_parameters": {
    "default_index": "workers-logs",
    "max_hits": "100",
    "sort_by": "-timestamp"
  }
}

指标	值
API调用次数	1
延迟	~100ms
适用场景	生产环境监控

2. Auto-Discovery (Exploration - Convenient)

2. 自动发现（探索阶段 - 便捷）

Best for: Log exploration, discovering new indexes

json

{
  "location": "http://localhost:7280",
  "service": "Quickwit",
  "extra_parameters": {
    "max_hits": "50",
    "sort_by": "-timestamp"
  }
}

Metric	Value
API Calls	N+1
Latency	~300-500ms
Use Case	Exploration

最佳适用场景：日志探索、发现新索引

json

{
  "location": "http://localhost:7280",
  "service": "Quickwit",
  "extra_parameters": {
    "max_hits": "50",
    "sort_by": "-timestamp"
  }
}

指标	值
API调用次数	N+1
延迟	~300-500ms
适用场景	探索阶段

3. Filtered Discovery (Balanced)

3. 过滤发现（平衡型）

Best for: Multi-service monitoring with control

json

{
  "location": "http://localhost:7280",
  "service": "Quickwit",
  "extra_parameters": {
    "index_filter": "workers-*",
    "max_hits": "100",
    "sort_by": "-timestamp"
  }
}

Metric	Value
API Calls	N+1 (filtered)
Latency	~200-400ms
Use Case	Multi-service patterns

最佳适用场景：多服务监控且需要控制范围

json

{
  "location": "http://localhost:7280",
  "service": "Quickwit",
  "extra_parameters": {
    "index_filter": "workers-*",
    "max_hits": "100",
    "sort_by": "-timestamp"
  }
}

指标	值
API调用次数	N+1（已过滤）
延迟	~200-400ms
适用场景	多服务模式分析

Query Syntax

查询语法

Basic Queries

基础查询

bash

undefined

bash

undefined

Simple text search

简单文本搜索

/search error

Phrase search

短语搜索

/search "connection refused"

Wildcard

通配符搜索

/search err*

undefined

/search err*

undefined

Field-Specific Queries

特定字段查询

bash

undefined

bash

undefined

Log level

日志级别

/search "level:ERROR" /search "level:WARN OR level:ERROR"

Service name

服务名称

/search "service:api-gateway"

Combined

组合查询

/search "level:ERROR AND service:auth"

undefined

/search "level:ERROR AND service:auth"

undefined

Time Range Queries

时间范围查询

bash

undefined

bash

undefined

After a date

指定日期之后

/search "timestamp:[2024-01-01 TO *]"

Between dates

日期区间内

/search "timestamp:[2024-01-01 TO 2024-01-31]"

Combined with level

结合日志级别

/search "level:ERROR AND timestamp:[now-1h TO now]"

undefined

/search "level:ERROR AND timestamp:[now-1h TO now]"

undefined

Boolean Operators

布尔运算符

bash

undefined

bash

undefined

AND (both required)

AND（同时满足）

/search "error AND database"

OR (either matches)

OR（满足其一）

/search "error OR warning"

NOT (exclude)

NOT（排除）

/search "error NOT timeout"

Grouping

分组查询

/search "(error OR warning) AND database"

undefined

/search "(error OR warning) AND database"

undefined

Authentication

身份验证

Bearer Token

Bearer令牌

json

{
  "extra_parameters": {
    "auth_token": "Bearer your-token-here",
    "default_index": "logs"
  }
}

json

{
  "extra_parameters": {
    "auth_token": "Bearer your-token-here",
    "default_index": "logs"
  }
}

Basic Auth with 1Password

使用1Password的基础认证

bash

undefined

bash

undefined

Set password from 1Password

从1Password获取密码

export QUICKWIT_PASSWORD=$(op read "op://Private/Quickwit/password")

Config

配置

{ "extra_parameters": { "auth_username": "cloudflare", "auth_password": "${QUICKWIT_PASSWORD}" } }

undefined

{ "extra_parameters": { "auth_username": "cloudflare", "auth_password": "${QUICKWIT_PASSWORD}" } }

undefined

Common Workflows

常见工作流

Incident Investigation

事件调查

Start with broad search:
bash
```
/search "level:ERROR"
```

Narrow by time window:

bash

/search "level:ERROR AND timestamp:[2024-01-15T10:00:00Z TO 2024-01-15T11:00:00Z]"

Focus on specific service:

bash

/search "level:ERROR AND service:payment-api"

Look for patterns:
bash
```
/search "timeout OR connection refused"
```

先进行宽泛搜索:
bash
```
/search "level:ERROR"
```

缩小时间窗口:

bash

/search "level:ERROR AND timestamp:[2024-01-15T10:00:00Z TO 2024-01-15T11:00:00Z]"

聚焦特定服务:

bash

/search "level:ERROR AND service:payment-api"

查找模式:
bash
```
/search "timeout OR connection refused"
```

Error Pattern Analysis

错误模式分析

Find all error types:
bash
```
/search "level:ERROR"
```

Group by message patterns:

bash

/search "level:ERROR AND message:*database*"
/search "level:ERROR AND message:*timeout*"
/search "level:ERROR AND message:*authentication*"

查找所有错误类型:
bash
```
/search "level:ERROR"
```

按消息模式分组:

bash

/search "level:ERROR AND message:*database*"
/search "level:ERROR AND message:*timeout*"
/search "level:ERROR AND message:*authentication*"

Performance Troubleshooting

性能排查

Find slow requests:
bash
```
/search "duration:>1000"
```

Check specific endpoints:

bash

/search "path:/api/users AND duration:>500"

查找慢请求:
bash
```
/search "duration:>1000"
```

检查特定端点:

bash

/search "path:/api/users AND duration:>500"

Configuration Parameters

配置参数

Parameter	Type	Default	Description
`default_index`	string	none	Explicit index to search
`index_filter`	string	none	Glob pattern for auto-discovery
`max_hits`	string	"100"	Maximum results per index
`sort_by`	string	"-timestamp"	Sort field (- for descending)
`timeout_seconds`	string	"10"	HTTP request timeout
`auth_token`	string	none	Bearer token
`auth_username`	string	none	Basic auth username
`auth_password`	string	none	Basic auth password

参数	类型	默认值	描述
`default_index`	字符串	无	要搜索的显式索引
`index_filter`	字符串	无	自动发现使用的通配符模式
`max_hits`	字符串	"100"	每个索引的最大返回结果数
`sort_by`	字符串	"-timestamp"	排序字段（-表示降序）
`timeout_seconds`	字符串	"10"	HTTP请求超时时间
`auth_token`	字符串	无	Bearer令牌
`auth_username`	字符串	无	基础认证用户名
`auth_password`	字符串	无	基础认证密码

Troubleshooting

问题排查

Connection Refused

连接被拒绝

Error: "Failed to connect to Quickwit"

Verify Quickwit is running:
bash
```
curl http://localhost:7280/health
```

Check API path prefix (Quickwit uses

/api/v1/

bash

# Correct
curl http://localhost:7280/api/v1/indexes

# Incorrect (returns "Route not found")
curl http://localhost:7280/v1/indexes

错误: "无法连接到Quickwit"

验证Quickwit是否运行:
bash
```
curl http://localhost:7280/health
```

检查API路径前缀（Quickwit使用

/api/v1/

）:

bash

# 正确路径
curl http://localhost:7280/api/v1/indexes

# 错误路径（返回"Route not found"）
curl http://localhost:7280/v1/indexes

No Results from Auto-Discovery

自动发现无结果

Error: "No indexes discovered"

Verify indexes exist:

bash

curl http://localhost:7280/api/v1/indexes | jq '.[].index_config.index_id'

Check index filter pattern matches your indexes
Try explicit index mode as fallback

错误: "未发现任何索引"

验证索引是否存在:

bash

curl http://localhost:7280/api/v1/indexes | jq '.[].index_config.index_id'

检查索引过滤模式是否匹配你的索引
尝试使用显式索引模式作为备选

Empty Search Results

空搜索结果

Test direct search:

bash

curl "http://localhost:7280/api/v1/workers-logs/search?query=*&max_hits=10"

Verify query syntax and field names
Check if sort field exists in index schema

直接测试搜索:

bash

curl "http://localhost:7280/api/v1/workers-logs/search?query=*&max_hits=10"

验证查询语法和字段名称
检查排序字段是否存在于索引 schema 中

Performance Tips

性能优化建议

Use explicit index mode for production monitoring
Limit max_hits to what you need (50-100 typical)
Add time constraints to reduce search scope
Use filtered discovery instead of full auto-discovery with many indexes

生产环境监控使用显式索引模式
将max_hits限制在所需范围内（通常50-100）
添加时间约束以缩小搜索范围
当存在大量索引时，使用过滤发现而非完整自动发现

Skill Metadata

Skill元数据

Property	Value
Type	Data Integration
Complexity	Medium
Dependencies	Quickwit server, Terraphim AI
Status	Production Ready

属性	值
类型	数据集成
复杂度	中等
依赖	Quickwit服务器, Terraphim AI
状态	已就绪可用于生产环境