_sourceName Question

Comments

3 comments

  • Duc Ha
    That should work. If your search returns no results, it could be a timestamp issue. Try a wider time window; if that doesn't work, check "Use Receipt Time" as well. If you suspect a syntax issue, run: * | count by _sourceName to see if your source name shows up.
  • Jason Alexander

    Sumo Logic (and they don't really document this clearly) does not allow wildcards in the _sourceName if it's quoted with " ". This feels inconsistent with other fields and the rest of the API, especially since the only feedback you get is "no results". Make sure you don't have quotes (_sourceName="/logs/app/*.log").

  • Olaf Stein

    We can wildcard any metadata tags. If you see no results there could be three reasons:

    1) No data has been ingested for the time range used (try a larger one)

    2) The data has a timezone issue (try checking "Use Receipt Time")

    https://help.sumologic.com/Send_Data/Collector_FAQs/Troubleshooting_large_message_time_and_receipt_time_discrepancies

    3) You may be using double quotes around the value; these are not needed:

    _sourceName=/var/log/*

     
