Question on advanced search req

Follow

Pavan Dusi

• August 25, 2016 21:30

Greetings! I have two sumo queries as follows: T1: ((_collector=PRDLOGS AND _source=PRDMWAPI)) AND "CUSTOMSITENAME" | parse regex "pcall\|(?.*?)customfiles.MiddlewareApi.*?ResponseTime time=(?.*?),transactionType=(?.*?)\.(?!.*\.)" will create errormesg, rtime, rtype fields. T2: ((_collector=PRDLOGS AND _source=PRDMWAPI)) AND "CUSTOMSITENAME" | parse regex "ERROR .*pcall\|(?.*?)customfiles.MiddlewareApi" will create errormesg field I have to create a new result set T3 (errormesg, rtime, type) = T1 (errormesg, rtime, rtype) - T2 (errormesg) I have to remove all instances of error messages that appear in T2 from T1. Any thoughts or suggestions? Thanks

0

• 

  Michael Floyd

  • August 26, 2016 17:35

  @Pavan Dusi Have tried asking this in the Slack channel?

  0

  Comment actions Permalink
• 

  Mario Sanchez

  • August 26, 2016 22:31

  Pavan, Is errormesg unique, and would T1.errormesg = t2.errormesg? If so, there could be an easy way to do it: _collector=PRDLOGS AND _source=PRDMWAPI AND "CUSTOMSITENAME" | parse regex "pcall\|(?.*?)customfiles.MiddlewareApi.*?ResponseTime time=(?.*?),transactionType=(?.*?)\.(?!.*\.)" nodrop | parse regex "ERROR .*pcall\|(?.*?)customfiles.MiddlewareApi" | count by errormesg | where count < 2 The nodrop option ensures that messages that do not follow the format of the first regex statement are not dropped, but instead, are passed on to the next regex statement. Cheers, Mario

  0

  Comment actions Permalink

Please sign in to leave a comment.