how to do a join query on pre-parsed fields
Hello. If you have long log lines from various sources that have field extractions already in place, and wish to join on a common field, how do you do it without having to enter the parse statements manually in the join search? The examples in the user guide all use parse statements within the join query in order to wildcard and capture the field to join on, but we've already parsed these log lines, which are anywhere between 45-54 fields long, so it's not realistic to put these parse statements in more than once. Thanks in advance.
Hi MB- I would basically start with my search to create my initial scope, then use a simple where after the fact to break that scope out into my separate subtables I want to join:

    _sourcecategory = SCA or _sourcecategory = SCB
    | join (* | where _sourcecategory="SCA") as a,
           (* | where _sourcecategory="SCB") as b
      on a.server_ip = b.server_ip

In this case my server_ip is my join field, and since both subsets already have that field parsed with FER, it works successfully. There's different variations you can try here to parcel off data in the subtables, but the net result is that you do not have to insert a parse statement to achieve a join. Let us know if that gets you closer to your goal!
Attached Code Snippet : https://community.sumologic.com/s/rich_text_post/a09E000001L3qleIAB
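As an added illustration of the approach in the answer above (this is not the poster's query or a Sumo Logic example, and the source categories, field names and alias-prefixed output names are assumptions): the initial search sets the scope, each subtable is carved out with `where` on fields that a Field Extraction Rule has already parsed, and the join runs on the shared field without any `parse` statement. It goes one step further than the answer by narrowing each subtable on a second pre-parsed field and aggregating the joined rows, which is the shape a detection query usually takes (for example, failed logins on a host that also appears in a blocklist hit).

```text
// Scope: both pre-parsed sources in one search (assumed category names)
_sourceCategory="auth/prod" or _sourceCategory="netfilter/prod"
// Subtable a: authentication failures, using FER-parsed fields only
| join (* | where _sourceCategory="auth/prod" and result="failure") as a,
// Subtable b: blocked connections, again with no parse statement
       (* | where _sourceCategory="netfilter/prod" and action="drop") as b
// Join on the common pre-parsed field
  on a.server_ip = b.server_ip
// Assumption: joined fields are referenced with the alias prefix (a_, b_)
| count by a_server_ip, a_user
| sort by _count
```

Both subtables inherit the outer scope, so the `where` clauses only need to separate the two sources and apply any extra filter; everything the FER already extracted (server_ip, result, action, user in this constructed example) is available without re-parsing the 45-54 field lines.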