Question:
i have the follow query:
(_index={{index_name}}) AND _sourceCategory={{env}}/* {{log_level}}
| parse "* *,* * * " as date,time,error_code,thread_id,log_level
| if(log_level matches"{{log_level}}", 1, 0 ) as info
| timeslice 1h
| where info = 1
| count(info) as info by _timeslice
| outlier info window=5, threshold=3, consecutive=1, direction=+-
and it's giving me the error: ')' expected but 'I' found. I can't figure where's the issue
Answer:
When the parameter is tagged as a string then Sumo Logic adds quotation marks around the parameter. In above query the "level" parameter is tagged as string type. Changing the "log_level" parameter using the Manage Parameter Settings for Data type to "Any" fixes the issue.
There is a preview mode option if you click on the eyelet on the top right that will show you the resulting query
https://help.sumologic.com/Search/Get-Started-with-Search/How-to-Build-a-Search/Search-Templates#Troubleshooting_with_Preview_mode
See screenshot below showing the issue
There is a preview mode option if you click on the eyelet on the top right that will show you the resulting query
https://help.sumologic.com/Search/Get-Started-with-Search/How-to-Build-a-Search/Search-Templates#Troubleshooting_with_Preview_mode
See screenshot below showing the issue
Comments
0 comments
Please sign in to leave a comment.