Dynatrace introduces a new way to extend your DQL queries in Security Investigator cases. The pivoting queries concept lets engineers quickly change the investigation context by switching the scope of a query along one of the available pivoting dimensions.
Time is critical
Imagine you're investigating latency issues in your cloud applications by analyzing your Istio proxy logs with Security Investigator. You have hundreds of pods, each running an application container and an Istio sidecar container side by side. You query all the Istio logs at once to get an overview of the whole infrastructure, fetch the log records for every long-running request, and then want to drill into some of those requests to identify the cause of the high latency.
Dynatrace Security Investigator is one of the built-in apps shipped with Dynatrace. It's designed for evidence-driven security use cases based on the logs, metrics, and traces ingested into the Dynatrace Grail® data lakehouse.
Security Investigator allows you to:
- Keep your whole investigation flow in context.
- Perform complex security investigations on the data stored in Grail.
- Build DQL queries based on your findings in a fast and easy way.
- Save the evidence you find and reuse it to build further DQL queries and answer your questions.
- Navigate with ease to any point in your investigation history and review queries and results.
- Fetch detailed results in the original format to quickly understand the information.
Quickly shift your investigative perspective
Thanks to pivoting queries, it's now possible to quickly shift your investigation from one perspective to another. Right-click any record in the Security Investigator results table, choose Pivot query, and select the dimension you want to pivot by, for example, Kubernetes pod. A new query node is created containing all the logs from the Kubernetes pod the Istio record originated from, giving you the full context, including the application logs from that pod.
Pivoting queries also work at scale: if you select multiple records and pivot them, one node is created per distinct value of the chosen dimension among the selected records. So, if you select five result records with five different trace IDs and pivot by trace_id, five new query nodes are created, each containing the results for its respective trace ID. This lets you continue investigating each trace in its own branch of the query tree, keeping the context and tracking the query history of each branch individually.
The pivoting dimensions are chosen from the metadata fields of your log records and can be further customized in Security Investigator. You can switch dimensions from, for example, a high-level Kubernetes cluster or host to the corresponding process group instance or cloud application, depending on your investigation’s purpose and the context you need.
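To make the pivoting logic of the two paragraphs above concrete, here is an added, stand-alone Python illustration. It is not Dynatrace's own code and not how Security Investigator is implemented; it reproduces the described behaviour (one new query per distinct value of the chosen dimension, records lacking that dimension skipped, duplicate values collapsed) and generates the corresponding DQL text. The query shape `fetch logs | filter <field> == "<value>"` is standard DQL; the sample records, the field names (`k8s.pod.name`, `trace_id`) and the `pivot_queries`/`dql_string` helpers are constructed for this example. Because the pivot value is copied from a log record into a query, the example also escapes it as a DQL string literal so that a crafted value cannot alter the generated query.

```python
from collections import OrderedDict

# Constructed sample rows standing in for Istio proxy log records returned by
# a Security Investigator query (not real data). The last row has no trace_id,
# as a record from a request without trace propagation would.
SAMPLE_RECORDS = [
    {"k8s.pod.name": "checkout-7d9f", "trace_id": "4bf92f35", "content": "GET /cart 503 2400ms"},
    {"k8s.pod.name": "checkout-7d9f", "trace_id": "4bf92f35", "content": "GET /cart 503 2310ms"},
    {"k8s.pod.name": "payment-c21a", "trace_id": "9e8a0c11", "content": "POST /pay 200 1900ms"},
    {"k8s.pod.name": 'odd"pod', "trace_id": "00ff00ff", "content": "GET /x 504 3000ms"},
    {"k8s.pod.name": "search-0b3c", "content": "GET /q 200 2100ms"},
]


def dql_string(value: str) -> str:
    """Quote a record value as a DQL string literal.

    Backslashes and double quotes are escaped so that a value taken from a log
    record cannot terminate the literal and append its own query clauses (the
    same concern as SQL injection, applied to a generated DQL query).
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def pivot_queries(records, dimension: str, source: str = "logs") -> "OrderedDict[str, str]":
    """Return one DQL query per distinct value of `dimension` in `records`.

    Mirrors the described pivoting behaviour: selecting several records and
    pivoting by a dimension yields one query node per distinct value, in the
    order the values were first seen. Records without the dimension are
    skipped, since there is nothing to pivot on.
    """
    queries: "OrderedDict[str, str]" = OrderedDict()
    for record in records:
        value = record.get(dimension)
        if value is None:
            continue
        value = str(value)
        if value not in queries:
            queries[value] = f"fetch {source} | filter {dimension} == {dql_string(value)}"
    return queries


if __name__ == "__main__":
    # Pivot the selected records by trace_id: four records carry a trace_id,
    # two share one, so three query nodes result.
    for value, query in pivot_queries(SAMPLE_RECORDS, "trace_id").items():
        print(f"{value}: {query}")
    # Pivot the same records by pod instead: four distinct pods, four nodes.
    for value, query in pivot_queries(SAMPLE_RECORDS, "k8s.pod.name").items():
        print(f"{value}: {query}")
```

Pivoting by `trace_id` yields three queries (the two checkout records share a trace and the search record has none), while pivoting the same selection by `k8s.pod.name` yields four; the pod named `odd"pod` is emitted as `"odd\"pod"` rather than breaking the filter expression.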
Pivoting queries let you speed up investigations and carry them into different contexts, using the query tree and the other investigative features of Security Investigator.