Articles in this section

See more

Polygraph Diff Selector and Search

Diff Selector

You can use the Polygraph Diff filter to compare events from two different hours.

  • The Diff filter is located in the upper right-hand corner of the Polygraph.
  • When the filter is in the default state, select the initial hour in the timeline at the bottom of the Polygraph by clicking the area above the hour. This highlights the area with a blue bar.
  • Mouse-over the Diff filter and select one of the following view types to display.
    • Show Graph Union—This option displays three things for the events. Blue lines represent the initial hour selected, purple lines represent the hour being compared, and gray shows the events the hours being compared had in common.
    • Show Graph Intersection—This option displays only the events the hours being compared had in common.
    • Show Graph Difference—This option only displays the events respective to the hours being compared. The blue lines represent the initial hour selected and purple lines represent the hour being compared.

When viewing one of these filters, you can click another hour in the timeline at the bottom of the Polygraph to change the hour being compared. This highlights the area with a purple bar.

Search

The Polygraph displays and formats the search results depending on the expression you used.

Must Contain Expressions

The search function supports the following types of queries:

  • alice Must contain "alice"
  • (alice) Must contain "alice"
  • alice bob Must contain both "alice" and "bob" in the same node name

For "must contain" expressions, the node names that match your search criteria are highlighted in purple. The Polygraph hides nodes that don’t match your search criteria.

For example, kubelet displays only processes that are attached to kubelet.

Must Not Contain Expressions

The search function supports the following types of queries:

  • -alice Must not contain "alice"
  • (-alice) Must not contain "alice"

For a “must not contain” expression without parentheses, the node names that meet your search criteria are black. The Polygraph hides nodes that don’t match your search criteria.

For a “must not contain” expression with parentheses, the Polygraph displays all nodes. The node names that match your search criteria (meaning they do not contain the search text) are highlighted in purple. The node names that don’t match your search criteria (meaning they contain the search text) are black.

The resulting Polygraphs for the two “must not contain” expressions below would be different though the only difference is parentheses.

For example, -kubelet displays all processes except the processes that are attached to kubelet.

For example, (-kubelet) displays all processes but highlights communication matching the search criteria in purple, and displays kubelet in black.

Multiple Expressions

Always capitalize operators such as AND and OR.

The search function supports the following types of queries:

  • ((alice bob) OR (charlie david)) Must contain both "alice" and "bob" or must contain both "charlie" and "david" in the same node name
  • ((alice AND bob) OR (charlie AND david)) Must contain both "alice" and "bob" or must contain both "charlie" and "david" in the same node name
  • (alice AND bob) OR (-charlie) Must contain both "alice" and "bob" in the same node name or must not contain "charlie"

A “must not contain” expression may hide nodes, but a “must not contain” expression used with another expression shows the node, but does not highlight it if it is connected to a highlighted node. See the following examples:

-api hides the "api" nodes

-api AND python highlights a "python" node and the "api" nodes that are connected to it remain visible but aren’t highlighted