Find long messages

Follow

James Stauffer

• September 19, 2017 16:05

How do I find long messages? The where statement below errors and I don't know the name of the whole message.

where length(message) > 100

0

• 

  Kevin Sumo

  • September 19, 2017 16:29

  The "message" field will need to be referenced as "_raw" which is the underlying metadata name. So the following should work to get you the messages larger than 100 bytes. 
  
  

  | where length(_raw) > 100

  
  Sumo Logic also provides a "_size" metadata for each message, which contains the byte size of a message. So you can also use the following to check for message size. 

  | where _size > 100

  
  More info on the available metadata for messages can be found in the following help. 
  
  https://help.sumologic.com/Search/Get-Started-with-Search/Search-Basics/Search-Metadata

  0

  Comment actions Permalink

Please sign in to leave a comment.