Sumo Equivalent of GROUP_CONCAT?
Greetings! I have a question about combining multiple log entries into ONE log entry. The use case is that we are using a suite of software which truncates all logging to 1024 characters. We have many log lines (exception traces, etc) which exceed this, so huge portions of our logs never make it to Sumo. I have written a parser in our application to take such log lines and "chunk" them into individual log entries smaller than 1024 characters. This way, all data at least arrives in Sumo. In each entry, there is now also a chunk ID to identify which logs belong as one. I have been trying to use various combinations of "sessionize", "join" and "trace", etc, to try to re-assemble the logs on the Sumo side, but have been unable to figure this out.

Example (not really truncating at 1024, for brevity). The logs would arrive in Sumo as:

    CHUNK_ID="abcdef" LEVEL="INFO" ONE="Some value"
    CHUNK_ID="abcdef" USER_ID="123" TWO="Another value"
    CHUNK_ID="abcdef" THREE="Final value"

I am looking to get Sumo to produce the following result:

    LEVEL="INFO" ONE="Some value" USER_ID="123" TWO="Another value" THREE="Final value"

In SQL terms, I am looking for the equivalent of "GROUP_CONCAT()" capabilities. Thanks in advance to anyone who can help me out!
I'm checking with the team, but in the meantime I assume you've gone through the aggregation functions. Here's a quick cheat sheet just in case: http://help.sumologic.com/Search/Search_Cheat_Sheets/Search_Operators_Cheat_Sheet
Jim, you can also use the transactionize operator to merge messages back together: http://help.sumologic.com/Search/Search_Query_Language/Transaction_Analytics/Transactionize_operator

    _sourceCategory=data | parse "CHUNK_ID=\"*\"" as chunk_id | transactionize chunk_id (merger _raw)
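An added example, not from this thread or from Sumo Logic, showing both halves of the approach the question describes in Python: the application-side chunker that splits a long key="value" record at pair boundaries under a character limit and tags each piece with CHUNK_ID, and the GROUP_CONCAT-style reassembly by chunk ID on the receiving side. The function names (chunk_record, merge_chunks) and the sample lines are constructed for this illustration.

```python
import re
from collections import OrderedDict

# Constructed sample of chunked log lines as they would arrive in Sumo
# (the original record was split by the application-side chunker).
CHUNKED_LOGS = [
    'CHUNK_ID="abcdef" LEVEL="INFO" ONE="Some value"',
    'CHUNK_ID="abcdef" USER_ID="123" TWO="Another value"',
    'CHUNK_ID="abcdef" THREE="Final value"',
]

# key="value" pairs; this simple format assumes values hold no double quotes.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def chunk_record(record, chunk_id, limit=1024):
    """Split a key="value" record into lines of at most `limit` characters,
    each prefixed with CHUNK_ID so the pieces can be rejoined later.
    Splitting happens only at pair boundaries, so no pair is cut in half."""
    prefix = f'CHUNK_ID="{chunk_id}"'
    pairs = [f'{k}="{v}"' for k, v in PAIR_RE.findall(record)]
    chunks, current = [], prefix
    for pair in pairs:
        if len(prefix) + 1 + len(pair) > limit:
            # A single pair that cannot fit would be truncated by the
            # logging suite anyway; fail loudly instead of losing data.
            raise ValueError(f"single pair exceeds limit: {pair[:40]}...")
        if len(current) + 1 + len(pair) > limit:
            chunks.append(current)
            current = prefix
        current = f"{current} {pair}"
    chunks.append(current)
    return chunks


def merge_chunks(lines):
    """GROUP_CONCAT-style reassembly: group lines by CHUNK_ID in arrival
    order and return {chunk_id: merged_line} with CHUNK_ID removed."""
    groups = OrderedDict()
    for line in lines:
        pairs = PAIR_RE.findall(line)
        ids = [v for k, v in pairs if k == "CHUNK_ID"]
        if len(ids) != 1:
            continue  # lines without exactly one chunk id are not chunks
        body = " ".join(f'{k}="{v}"' for k, v in pairs if k != "CHUNK_ID")
        groups.setdefault(ids[0], []).append(body)
    return {cid: " ".join(parts) for cid, parts in groups.items()}
```

Because the chunker never splits inside a pair, each chunk parses cleanly on its own, and merging the chunks in arrival order reproduces the original record exactly.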