Count of $AggregateResultsJson & trigger on

Follow
Avatar
Brendan Grant

I'm attempting to build a scheduled search based on certain aggregate values, something like the following:

 

"Specific Search Criteria" | *filter based on environment* | parse "FooId:* " as _foo | count(_foo) by _foo | sort _count | where _count > *some_threshold*

 

This query works great for viewing a list of Foo's which have occurred more than X times in the search window, which ends up being accessible via the $AggregateResultsJson variable. I can fire this off via the Webhook to Slack just fine, the problem is that I want to trigger it only when the count of $AggregateResultsJson is say, non zero... and even be able to display that value in the Slack message.

$NumRawResults contains the number of messages processed prior to my filtering, but there seems to be nothing like a $NumAggregateResults.

Is there another way that I am missing?

0

Comments

5 comments

Sort by Date Votes
  • Avatar
    andrew fowler

    No. The question was about how many entries are in aggregations, not the raw search result count. To put it in a another way, Webhooks have a "RawResultsJson" and a "AggregateResultsJson", but only one of them has a corresponding count ("NumRawResults").

    0
    Comment actions Permalink
  • Avatar
    Nick Wilson

    Hi Andrew,

    I think I understand what you're getting at here, and I hope this feature request would fix what you're trying to solve: https://sumologic.aha.io/ideas/SL-I-1856

    This will basically allow you to include specific fields in the webhook payload, so you could, for example, report your count field in that payload.

    Is that what you're looking for? If you would like, we are doing a beta on this feature right now and looking for customers to test it out.

    Thanks,
    Nick
    Customer Success, Sumo Logic

    0
    Comment actions Permalink
  • Avatar
    Jason Ziaja

    Having a $NumAggregateResults is also something I found needing today when working on a new Sumo -> Slack webhook.  For my use case, the query I'm using aggregates specific ids found in our logs over the past 24 hours.  The message I'd like to send to Slack should include the total row count of the aggregated results, not the number of individual messages.

    To Nick's point, having the ability to access specific fields in the aggregation would definitely be desirable as well.  I'd have to play around with that feature to see if it could be a good alternative to having something like $NumAggregateResults.

    Thanks!

    Jason

    0
    Comment actions Permalink
  • Avatar
    Greg Dennis

    Has any progress been made on this?  It's been three years.  I would also like to send the number of aggregate results.

    Also, that "aha" link is authenticated, and I (and probably others) can't access it to see if there was any workaround or solution contained within.

    0
    Comment actions Permalink
  • Avatar
    Olaf Stein

    Hi Brendan,

    if I understand correctly the issue is not in your query, but the alerting condition. You have a threshold in the alert, meaning the search only returns something if the alert condition is true. When scheduling the search, there are 2 settings you need to add:

    1) Alert condition: If the following condition is met (instead of every time the search is complete)

    2) Number of Results: Greater than 0

    This will ensure that you only post to slack if the search actually returns a result.

    Let me know if this does not answer this question.

    Thanks

    Olaf

    -1
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post