Sumo Logic's parse regex operator accepts a multi keyword that lets you parse multiple values out of a single log message. Without multi, parse regex extracts only the first match in each message; with multi, it extracts every match, even in messages with a varying number of values. To do this, multi creates one copy of the message per extracted value, so each individual value in the field can be counted on its own (each copy shows up as a separate row with a different value in the parsed field).
For example, in Amazon VPC flow logs you can find records whose source and destination IP addresses are the same by using parse regex multi to extract every IP address in each message, counting how often each address appears per message, and keeping only the messages in which an address appears more than once:
_sourceCategory=aws/vpc
| parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" multi
| count by ip_address, _raw
| where _count >1
The output looks like:
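To make the semantics of multi concrete, here is an added example (not part of the original article and not Sumo Logic code) that reproduces the query above in Python over a few constructed VPC flow log records. It shows the difference between the first-match-only behaviour of parse regex and the one-row-per-match fan-out that multi produces, then applies the count by / where _count > 1 step. The function names and the sample records are assumptions made for this example.

```python
import re
from collections import Counter

# Same capture group as the Sumo Logic query, in Python named-group syntax.
IP_RE = re.compile(r"(?P<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")

# Constructed sample records in the default VPC flow log (version 2) layout:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOGS = [
    "2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK",
    "2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.139 49152 443 6 5 520 1418530010 1418530070 ACCEPT OK",
    "2 123456789010 eni-1235b8ca123456789 10.0.0.5 10.0.0.5 12345 53 17 1 76 1418530010 1418530070 REJECT OK",
    "2 123456789010 eni-1235b8ca123456789 198.51.100.7 10.0.0.8 443 51234 6 8 1200 1418530010 1418530070 ACCEPT OK",
]


def parse_regex(logs, pattern, multi=False):
    """Mimic `parse regex` and return (ip_address, _raw) rows.

    multi=False: one row per message, taken from the first match only.
    multi=True:  one row per match, so a message with N addresses becomes
                 N copies of that message, each carrying a different address.
    Messages with no match are dropped, as parse regex does without nodrop.
    """
    rows = []
    for raw in logs:
        matches = pattern.findall(raw)  # list of captured address strings
        if not matches:
            continue
        if multi:
            rows.extend((ip, raw) for ip in matches)
        else:
            rows.append((matches[0], raw))
    return rows


def count_by_ip_and_raw(rows):
    """Equivalent of `count by ip_address, _raw`."""
    return Counter(rows)


def repeated_ip_messages(logs, pattern=IP_RE):
    """Equivalent of the full query:
        parse regex "(?<ip_address>...)" multi
        | count by ip_address, _raw
        | where _count > 1
    Returns {(ip_address, _raw): _count} for the surviving rows.
    """
    counts = count_by_ip_and_raw(parse_regex(logs, pattern, multi=True))
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    print("without multi:", len(parse_regex(SAMPLE_LOGS, IP_RE)), "rows")
    print("with multi:   ", len(parse_regex(SAMPLE_LOGS, IP_RE, multi=True)), "rows")
    for (ip, raw), n in repeated_ip_messages(SAMPLE_LOGS).items():
        print(f"_count={n} ip_address={ip}\n  {raw}")
```

Without multi, the four records yield four rows (one per message, first address only), so no address can ever reach a count above one and the query would return nothing. With multi, the same records yield eight rows, and the two records whose source and destination are identical survive the where clause with _count=2. One caveat: the query keys on the repeated address, not on the srcaddr/dstaddr fields by position, so in a custom flow log format that also includes pkt-srcaddr and pkt-dstaddr a count above one can come from other field pairs as well.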