API search jobs with queries involving parse
Hi, is it possible to make advanced queries involving parse, and get well-formatted JSON through the search job API? I've been trying to initiate a search job with a query like this:

    key word | parse "{\"event\":{\"id\":*," as id

This works in the UI but always returns an error when done through the search job API (I can get simple queries just fine). Is this functionality just not available, or is there a trick to formatting the query string (escaping characters, etc.) that I need to think about? An example in Python would be much appreciated.

Thanks,
Sepehr
-
Hi Sepehr, yep, you'll need to encode the query. An easy way to test this is to take your query and encode it with something like this: http://meyerweb.com/eric/tools/dencoder/

For instance, for a query like this in the GUI:

    _sourceCategory=build_github | parse "{\"action\":\"*\"," as tmp | count by tmp

I can make a call like this:

    curl -v -u : "https://api.us2.sumologic.com/api/v1/logs/search?q=_sourceCategory%3Dbuild_github%20%7C%20parse%20%22%7B%5C%22action%5C%22%3A%5C%22*%5C%22%2C%22%20as%20tmp%20%7C%20count%20by%20tmp&from=2016-07-01T00:00:00&format=json"

This basically tells Sumo I want that query returned with anything included from July 01 in a JSON output, returning this:

    { "_count" : 6368, "tmp" : "added" },
    { "_count" : 6417, "tmp" : "created" },
    { "_count" : 6376, "tmp" : "synchronize" },
    { "_count" : 6298, "tmp" : "removed" },
    { "_count" : 6386, "tmp" : "assigned" },
    { "_count" : 6388, "tmp" : "closed" },
    { "_count" : 6461, "tmp" : "opened" },
    { "_count" : 6482, "tmp" : "published" }

Reference here if you haven't seen it: https://github.com/SumoLogic/sumo-api-doc/wiki/Search-API

Hope this helps!
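The Python example Sepehr asked for, added here as an illustration rather than code from either poster or from Sumo Logic: it percent-encodes the same parse query with the standard library's urllib.parse.quote (the step the meyerweb encoder performs by hand), assembles the search URL from the answer above, and verifies that decoding gives the original query back. The base URL, the from and format parameters and the basic-auth call come from the answer; the environment variable names used for credentials are an assumption of this example, and the network request only runs from the __main__ block.

```python
"""Build a Sumo Logic Search API URL for a query that uses parse.

The query travels in the URL's ``q`` parameter, so every character that is
not URL-safe (space, |, ", backslash, {, :, ,) must be percent-encoded.
Sending the raw query string is what makes the API reject a query that
works fine when typed into the UI.
"""
import base64
import json
import os
import urllib.request
from urllib.parse import quote, unquote

# Endpoint taken from the answer above; the host depends on your deployment.
BASE_URL = "https://api.us2.sumologic.com/api/v1/logs/search"


def encode_query(query: str) -> str:
    """Percent-encode a search query for use as the ``q`` parameter.

    safe="*" keeps the parse wildcard literal, which matches the encoding
    shown in the answer; letting it become %2A would also be valid.
    """
    return quote(query, safe="*")


def build_search_url(query: str, from_ts: str, fmt: str = "json",
                     base_url: str = BASE_URL) -> str:
    """Assemble the full search URL with q, from and format parameters."""
    return f"{base_url}?q={encode_query(query)}&from={from_ts}&format={fmt}"


def round_trips(query: str) -> bool:
    """Sanity check: decoding the encoded query must give back the original."""
    return unquote(encode_query(query)) == query


def run_search(url: str, access_id: str, access_key: str):
    """GET the URL with HTTP basic auth and return the parsed JSON body.

    This is the only function that touches the network; it is called from
    the __main__ block below and never from the checks.
    """
    creds = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Basic {creds}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # The GUI query from the answer above, written as a Python literal.
    query = '_sourceCategory=build_github | parse "{\\"action\\":\\"*\\"," as tmp | count by tmp'
    url = build_search_url(query, "2016-07-01T00:00:00")
    print(url)
    # Credential environment variable names are an assumption of this example.
    access_id = os.environ.get("SUMO_ACCESS_ID")
    access_key = os.environ.get("SUMO_ACCESS_KEY")
    if access_id and access_key:
        print(json.dumps(run_search(url, access_id, access_key), indent=2))
```

The printed URL is byte-for-byte the one in the curl command above, so you can paste it into curl to confirm the encoding before wiring it into a script. If your client builds the query string with urllib.parse.urlencode instead, note that its default quote_plus turns spaces into "+" rather than "%20"; both are legal, but quote keeps the URL identical to what the encoder tool produces.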