Question:
I have the following query:
(_index={{index_name}}) AND _sourceCategory={{env}}/* {{log_level}}
| parse "* *,* * * " as date,time,error_code,thread_id,log_level
| if(log_level matches"{{log_level}}", 1, 0 ) as info
| timeslice 1h
| where info = 1
| count(info) as info by _timeslice
| outlier info window=5, threshold=3, consecutive=1, direction=+-
and it's giving me the error: ')' expected but 'I' found but I can't figure where's the issue is.

Answer:
When a parameter is tagged as a string Sumo Logic adds quotation marks around the parameter value. In the above query, the "level" parameter is tagged as string type causing additional quotes to be added within the "If" statement in the query. Changing the "log_level" parameter using the Manage Parameter Settings and setting the Data type to "Any" will address this issue.
- Within the Parameters pane click on the vertical ellipses next to the parameter name.
- Select Manage Parameter Settings
- Within the Data Type select Any
- Save your update
There is a preview mode option if you click on the eyelet icon on the top right of the Parameters pane, which will show you the resulting query using the current set parameter values.
See screenshot below showing the issue

See screenshot below showing the issue

Comments
0 comments
Please sign in to leave a comment.