Count of $AggregateResultsJson & trigger on



  • Olaf Stein

    Hi Brendan,

    If I understand correctly, the issue is not in your query but in the alerting condition. You have a threshold in the alert, meaning the search only returns something if the alert condition is true. When scheduling the search, there are 2 settings you need to add:

    1) Alert condition: If the following condition is met (instead of every time the search is complete)

    2) Number of Results: Greater than 0

    This will ensure that you only post to Slack if the search actually returns a result.

    Let me know if this does not answer this question.



  • andrew fowler

    No. The question was about how many entries are in aggregations, not the raw search result count. To put it another way, Webhooks have a "RawResultsJson" and an "AggregateResultsJson", but only one of them has a corresponding count ("NumRawResults").

  • Nick Wilson

    Hi Andrew,

    I think I understand what you're getting at here, and I hope this feature request would fix what you're trying to solve:

    This will basically allow you to include specific fields in the webhook payload, so you could, for example, report your count field in that payload.

    Is that what you're looking for? If you would like, we are doing a beta on this feature right now and looking for customers to test it out.

    Customer Success, Sumo Logic

  • Jason Ziaja

    Having a $NumAggregateResults is also something I found needing today when working on a new Sumo -> Slack webhook.  For my use case, the query I'm using aggregates specific ids found in our logs over the past 24 hours.  The message I'd like to send to Slack should include the total row count of the aggregated results, not the number of individual messages.

    To Nick's point, having the ability to access specific fields in the aggregation would definitely be desirable as well.  I'd have to play around with that feature to see if it could be a good alternative to having something like $NumAggregateResults.



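One workaround for the missing $NumAggregateResults discussed above is a small relay that receives the Sumo Logic webhook, counts the rows in AggregateResultsJson itself, and forwards a Slack-formatted message. The code below is an added example and not code from this thread or from Sumo Logic; it assumes the payload template passes the variables named in the thread (SearchName, NumRawResults, AggregateResultsJson) and the sample payload is constructed.

```python
import json
from typing import Any, Dict, List

# Constructed sample of a relay's inbound body. Sumo Logic substitutes
# $AggregateResultsJson with the aggregate rows as JSON; depending on how the
# payload template quotes it, a relay may see a nested array or a JSON-encoded
# string, so both shapes are accepted below. (Assumption, not from the thread.)
SAMPLE_PAYLOAD: Dict[str, Any] = {
    "SearchName": "ids seen in last 24h (constructed)",
    "NumRawResults": 3120,
    "AggregateResultsJson": '[{"id": "a1", "_count": 1400}, '
                            '{"id": "b2", "_count": 1100}, '
                            '{"id": "c3", "_count": 620}]',
}


def aggregate_rows(payload: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the aggregate result rows, tolerating string or array form."""
    rows = payload.get("AggregateResultsJson", [])
    if isinstance(rows, str):
        rows = json.loads(rows) if rows.strip() else []
    if not isinstance(rows, list):
        raise ValueError("AggregateResultsJson is not a JSON array")
    return rows


def num_aggregate_results(payload: Dict[str, Any]) -> int:
    """The count the thread asks for: aggregate rows, not raw messages."""
    return len(aggregate_rows(payload))


def slack_message(payload: Dict[str, Any]) -> Dict[str, str]:
    """Build the body the relay would forward to a Slack incoming webhook."""
    rows = aggregate_rows(payload)
    ids = ", ".join(str(r.get("id", "?")) for r in rows)
    text = (f"{payload.get('SearchName', 'search')}: {len(rows)} aggregate rows "
            f"from {payload.get('NumRawResults', '?')} raw messages")
    if ids:
        text += f" (ids: {ids})"
    return {"text": text}


if __name__ == "__main__":
    print(json.dumps(slack_message(SAMPLE_PAYLOAD)))
```

The relay's own HTTP listener and the POST to Slack are left out; only the counting and message construction are shown.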