how to write serach query to pull details changed in last 1 or 2 days
let us take a simple query in json file
{ |
"query": "| count _sourceCategory",
|
"from": "2013-01-28T12:00:00",
|
"to": "2013-01-28T13:10:00",
|
"timeZone": "PST"
|
|
|
-
Official comment
Hi Katyayani,
We don't currently support relative times via the search job API - here is a feature request that you can vote and comment on to ask for this to be supported. You can write a script to adjust the "from" and "to" values to be from 24 hours ago/48 hours ago to the current time.
Thanks,
GrahamComment actions -
my case query is static but I would need to run the query everyday and gather the details past 24 hours only. so I created a .json file and would like to make it "-24hours" like in UI. however looks like it is not possible and i would need to update the ,json everytime with "from" and "to" before calling this .json file with in search API
-
Hi Katyayani,
I believe this article is what you're looking for: https://help.sumologic.com/Send-Data/Sources/04Reference-Information-for-Sources/Timestamps%2C-Time-Zones%2C-Time-Ranges%2C-and-Date-Formats
Let me know if that helps.
-
what other timestamps are allowed with in json file ? I tried
MMM dd yyyy HH:mm:ss
and it reported error
Search job created, id: { "status" : 400, "id" : "3XLIO-JOUD7-CTUOQ", "code" : "searchjob.invalid.timestamp.from", "message" : "The 'from' field (Sep 25 2017 09:02:03) cont
ains an invalid time." } -
json
{
"query": "(_sourceName=*TC* OR _sourceName=*ET5* )and (_sourceName=*.txt) \n| parse regex \"(?<date_stamp>\\S+)\\s+(?<time_stamp>\\d{1,2}:\\d{2}:\\d{2}.\\d{3})\\s+(?<pid>\\S+)\\s+(?<tid>\\S+)\\s+(?<tag>\\S+)\\s+(?<application>\\S+)\\s+(?<message>.+)$\"\n| if ((message matches \"*Fail*\") or (message matches \"*fail*\") ,1,0) as fail\n| sum(fail) as FAIL \n| format(\"%.1f Failures\", FAIL) as errorString | fields errorString",
"from": "2017-09-03T22:00:00",
"to": "Sep 25 2017 09:02:03",
"timeZone": "EST"
}response
id: { "status" : 400, "id" : "IORBE-UGXBI-VVO7S", "code" : "searchjob.invalid.timestamp.to", "message" : "The 'to' field (Sep 25 2017 09:02:03) contains
an invalid time." } -
Katyayani,
I see - I'm sorry for the confusion, but there are separate requirements for the timestamp format for the Search API than what is listed in the article I gave you. The "from" and "to" parameters for the API call need to be formatted according to ISO 8601 format: https://help.sumologic.com/APIs/Search-Job-API/About-the-Search-Job-API#Query_parameters
Here are some other resources that may be helpful:
http://support.sas.com/documentation/cdl/en/lrdict/64316/HTML/default/viewer.htm#a003169814.htm
https://coderstoolbox.net/unixtimestamp/
In your POST body, you have the "from" parameter set to "2017-09-03T22:00:00" which is a valid ISO 8601 format. However, your "to" parameter is "Sep 25 2017 09:02:03" which is not valid. Try "2017-09-25T09:02:03" for "to" instead.
{
"query": "(_sourceName=*TC* OR _sourceName=*ET5* )and (_sourceName=*.txt) \n| parse regex \"(?<date_stamp>\\S+)\\s+(?<time_stamp>\\d{1,2}:\\d{2}:\\d{2}.\\d{3})\\s+(?<pid>\\S+)\\s+(?<tid>\\S+)\\s+(?<tag>\\S+)\\s+(?<application>\\S+)\\s+(?<message>.+)$\"\n| if ((message matches \"*Fail*\") or (message matches \"*fail*\") ,1,0) as fail\n| sum(fail) as FAIL \n| format(\"%.1f Failures\", FAIL) as errorString | fields errorString",
"from": "2017-09-03T22:00:00",
"to": "2017-09-25T09:02:03",
"timeZone": "EST"
}
Thanks,
Nick Wilson
Please sign in to leave a comment.
Comments
11 comments