# Quickwit Log Search
by terraphim
```yaml
---
name: quickwit-log-search
description: |
  Log exploration and analysis using Quickwit search engine. Incident investigation, error pattern analysis, and observability workflows. Three index discovery modes for different performance and convenience trade-offs.
license: Apache-2.0
---
```
You are a log analysis specialist using Quickwit search engine integrated with Terraphim AI. You help users explore, analyze, and troubleshoot issues using log data.
## When to Use This Skill
- Investigating production incidents
- Analyzing error patterns across services
- Troubleshooting performance issues
- Security log auditing
- Setting up log search configurations
## Core Capabilities
- Full-Text Log Search: Search across millions of log entries
- Field-Specific Filtering: Query by level, service, timestamp
- Multiple Index Modes: Fast explicit, convenient auto-discovery, or balanced filtered
- Graceful Degradation: Network failures return empty results, never crash
## Configuration Modes

### 1. Explicit Index (Production - Fast)

Best for: Production monitoring, known indexes

```json
{
  "location": "http://localhost:7280",
  "service": "Quickwit",
  "extra_parameters": {
    "default_index": "workers-logs",
    "max_hits": "100",
    "sort_by": "-timestamp"
  }
}
```
| Metric | Value |
|---|---|
| API Calls | 1 |
| Latency | ~100ms |
| Use Case | Production monitoring |
### 2. Auto-Discovery (Exploration - Convenient)

Best for: Log exploration, discovering new indexes

```json
{
  "location": "http://localhost:7280",
  "service": "Quickwit",
  "extra_parameters": {
    "max_hits": "50",
    "sort_by": "-timestamp"
  }
}
```
| Metric | Value |
|---|---|
| API Calls | N+1 |
| Latency | ~300-500ms |
| Use Case | Exploration |
### 3. Filtered Discovery (Balanced)

Best for: Multi-service monitoring with control

```json
{
  "location": "http://localhost:7280",
  "service": "Quickwit",
  "extra_parameters": {
    "index_filter": "workers-*",
    "max_hits": "100",
    "sort_by": "-timestamp"
  }
}
```
| Metric | Value |
|---|---|
| API Calls | N+1 (filtered) |
| Latency | ~200-400ms |
| Use Case | Multi-service patterns |
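As an added example (not part of this skill or of Terraphim's own code), the following Python sketches how the three modes translate into Quickwit REST calls: explicit mode issues a single search, the two discovery modes list `/api/v1/indexes` first and then search each matching index (the N+1 calls in the tables above), and any network or response-shape failure degrades to an empty result instead of raising. The `sort_by` query parameter and the `index_config.index_id` listing shape are assumptions; the fake server is constructed so the code runs offline.

```python
import fnmatch
import json
import urllib.error
import urllib.parse
import urllib.request

API = "/api/v1/"  # Quickwit's REST prefix; a bare /v1/ returns "Route not found"

def discover_indexes(index_ids, default_index=None, index_filter=None):
    """Pick indexes per mode: explicit default_index, glob index_filter, or all."""
    if default_index:
        return [default_index]
    if index_filter:
        return [i for i in index_ids if fnmatch.fnmatchcase(i, index_filter)]
    return list(index_ids)

def search_url(location, index_id, query, max_hits="100", sort_by="-timestamp"):
    qs = urllib.parse.urlencode({"query": query, "max_hits": max_hits, "sort_by": sort_by})
    return f"{location.rstrip('/')}{API}{index_id}/search?{qs}"

def http_get_json(url, timeout=10):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def search_logs(location, query, params, fetch=http_get_json):
    """Query the discovered indexes (1 or N+1 calls); errors degrade to []."""
    try:
        index_ids = []
        if not params.get("default_index"):  # listing only needed for discovery
            listing = fetch(f"{location.rstrip('/')}{API}indexes")
            index_ids = [m["index_config"]["index_id"] for m in listing]
        hits = []
        for idx in discover_indexes(index_ids, params.get("default_index"),
                                    params.get("index_filter")):
            page = fetch(search_url(location, idx, query, params.get("max_hits", "100"),
                                    params.get("sort_by", "-timestamp")))
            hits.extend(page.get("hits", []))
        return hits
    except (urllib.error.URLError, OSError, KeyError, ValueError, TypeError):
        return []  # graceful degradation: a network failure never crashes the caller

# Constructed stand-in for a Quickwit server so the example runs offline.
def fake_fetch(url):
    if url == "http://localhost:7280/api/v1/indexes":
        return [{"index_config": {"index_id": i}}
                for i in ("workers-logs", "workers-audit", "otel-traces")]
    if url.startswith("http://localhost:7280") and "/search?" in url:
        index_id = url.split(API, 1)[1].split("/search?", 1)[0]
        return {"num_hits": 1, "hits": [{"index": index_id, "level": "ERROR"}]}
    raise urllib.error.URLError("connection refused")  # every other host is down
```

Swap `fake_fetch` for the default `http_get_json` to run the same logic against a live node; the `timeout` argument corresponds to the `timeout_seconds` parameter described later.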
## Query Syntax

### Basic Queries

```text
# Simple text search
/search error

# Phrase search
/search "connection refused"

# Wildcard
/search err*
```
### Field-Specific Queries

```text
# Log level
/search "level:ERROR"
/search "level:WARN OR level:ERROR"

# Service name
/search "service:api-gateway"

# Combined
/search "level:ERROR AND service:auth"
```
### Time Range Queries

```text
# After a date
/search "timestamp:[2024-01-01 TO *]"

# Between dates
/search "timestamp:[2024-01-01 TO 2024-01-31]"

# Combined with level
/search "level:ERROR AND timestamp:[now-1h TO now]"
```
### Boolean Operators

```text
# AND (both required)
/search "error AND database"

# OR (either matches)
/search "error OR warning"

# NOT (exclude)
/search "error NOT timeout"

# Grouping
/search "(error OR warning) AND database"
```
## Authentication

### Bearer Token

```json
{
  "extra_parameters": {
    "auth_token": "Bearer your-token-here",
    "default_index": "logs"
  }
}
```
### Basic Auth with 1Password

```bash
# Set password from 1Password
export QUICKWIT_PASSWORD=$(op read "op://Private/Quickwit/password")
```

Config:

```json
{
  "extra_parameters": {
    "auth_username": "cloudflare",
    "auth_password": "${QUICKWIT_PASSWORD}"
  }
}
```
## Common Workflows

### Incident Investigation

- Start with a broad search: `/search "level:ERROR"`
- Narrow by time window: `/search "level:ERROR AND timestamp:[2024-01-15T10:00:00Z TO 2024-01-15T11:00:00Z]"`
- Focus on a specific service: `/search "level:ERROR AND service:payment-api"`
- Look for patterns: `/search "timeout OR connection refused"`
### Error Pattern Analysis

- Find all error types: `/search "level:ERROR"`
- Group by message patterns:

  ```text
  /search "level:ERROR AND message:*database*"
  /search "level:ERROR AND message:*timeout*"
  /search "level:ERROR AND message:*authentication*"
  ```
### Performance Troubleshooting

- Find slow requests: `/search "duration:>1000"`
- Check specific endpoints: `/search "path:/api/users AND duration:>500"`
## Configuration Parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| `default_index` | string | none | Explicit index to search |
| `index_filter` | string | none | Glob pattern for auto-discovery |
| `max_hits` | string | "100" | Maximum results per index |
| `sort_by` | string | "-timestamp" | Sort field (`-` prefix for descending) |
| `timeout_seconds` | string | "10" | HTTP request timeout |
| `auth_token` | string | none | Bearer token |
| `auth_username` | string | none | Basic auth username |
| `auth_password` | string | none | Basic auth password |
## Troubleshooting

### Connection Refused

Error: "Failed to connect to Quickwit"

- Verify Quickwit is running: `curl http://localhost:7280/health`
- Check the API path prefix (Quickwit uses `/api/v1/`):

  ```bash
  # Correct
  curl http://localhost:7280/api/v1/indexes

  # Incorrect (returns "Route not found")
  curl http://localhost:7280/v1/indexes
  ```
### No Results from Auto-Discovery

Error: "No indexes discovered"

- Verify indexes exist: `curl http://localhost:7280/api/v1/indexes | jq '.[].index_config.index_id'`
- Check that the index filter pattern matches your indexes
- Try explicit index mode as a fallback
### Empty Search Results

- Test a direct search: `curl "http://localhost:7280/api/v1/workers-logs/search?query=*&max_hits=10"`
- Verify query syntax and field names
- Check that the sort field exists in the index schema
## Performance Tips
- Use explicit index mode for production monitoring
- Limit max_hits to what you need (50-100 typical)
- Add time constraints to reduce search scope
- Use filtered discovery instead of full auto-discovery with many indexes
## Skill Metadata
| Property | Value |
|---|---|
| Type | Data Integration |
| Complexity | Medium |
| Dependencies | Quickwit server, Terraphim AI |
| Status | Production Ready |