I'm new to SumoLogic and have been struggling to figure out this query. I have two separate logs; both contain a correlation id (CID) that is extracted as a field. The logs contain different data, and only this CID can link them. I basically want to do something like this:
[Get me all log messages from LOG_A containing the word "keyword"] => resultsA
[Take resultsA and combine with LOG_B where resultsA.cid = LOG_B.cid]
So effectively, I want to filter down one set of data, and then when I've got a minimal set I want to use my correlation ID to pull all related log messages from other log files. This involves pulling data from multiple sources. By extension, I may also want to apply filters to multiple data sets in different ways (perhaps LOG_A contains client info I want to filter on, and LOG_B contains an error message I want to filter on, and I want to see those errors for a specific client). How do I do this? I've tried playing around with joining data and other combinations, but I'm not getting anywhere. It appears that a query must specify all the source categories at the top and then filter down from there, but I want to bring more data in farther down in the operation.
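The correlation the question describes, written out as a standalone Python example (added here; it is not part of the original post and is not Sumo Logic query syntax). It filters each log independently, extracts the `cid` field, and inner-joins the two sides on it, covering both scenarios in the question: filter LOG_A on a keyword and pull every related LOG_B line, and filter LOG_A on a client while filtering LOG_B on errors. The log lines, field names (`client=`, `cid=`, `level=`) and helper names are constructed for the example; lines with no cid are skipped, and a cid that appears in only one log is dropped by the join.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post). LOG_A carries the
# client information, LOG_B carries the outcome; only the cid field links them.
LOG_A = [
    "2024-01-01T10:00:00Z src=LOG_A client=acme cid=c1 msg=request received keyword",
    "2024-01-01T10:00:01Z src=LOG_A client=globex cid=c2 msg=request received keyword",
    "2024-01-01T10:00:02Z src=LOG_A client=acme cid=c3 msg=request received",
    "2024-01-01T10:00:03Z src=LOG_A client=initech msg=healthcheck",  # no cid: skipped
]
LOG_B = [
    "2024-01-01T10:00:00Z src=LOG_B cid=c1 level=INFO msg=db lookup ok",
    "2024-01-01T10:00:01Z src=LOG_B cid=c1 level=ERROR msg=timeout contacting upstream",
    "2024-01-01T10:00:01Z src=LOG_B cid=c2 level=INFO msg=db lookup ok",
    "2024-01-01T10:00:02Z src=LOG_B cid=c3 level=ERROR msg=timeout contacting upstream",
    "2024-01-01T10:00:05Z src=LOG_B cid=c9 level=ERROR msg=no matching LOG_A line",
]

CID_RE = re.compile(r"\bcid=(\S+)")


def extract_cid(line):
    """Return the cid value of a line, or None when the line carries no cid field."""
    m = CID_RE.search(line)
    return m.group(1) if m else None


def index_by_cid(lines, keep=lambda line: True):
    """Group the lines that pass the `keep` filter by cid; lines without a cid are skipped."""
    by_cid = defaultdict(list)
    for line in lines:
        cid = extract_cid(line)
        if cid is not None and keep(line):
            by_cid[cid].append(line)
    return by_cid


def correlate(log_a, log_b, keep_a=lambda line: True, keep_b=lambda line: True):
    """Filter each log with its own predicate, then inner-join the survivors on cid.

    Returns {cid: {"a": [...], "b": [...]}} for every cid that still has at least
    one line on both sides. A cid present in only one of the logs is dropped.
    """
    a = index_by_cid(log_a, keep_a)
    b = index_by_cid(log_b, keep_b)
    return {cid: {"a": a[cid], "b": b[cid]} for cid in sorted(a.keys() & b.keys())}


def keyword_then_pull(keyword):
    """Scenario 1: narrow LOG_A to lines containing `keyword`, then pull every
    LOG_B line that shares a cid with one of those lines."""
    return correlate(LOG_A, LOG_B, keep_a=lambda line: keyword in line)


def client_errors(client):
    """Scenario 2: filter LOG_A on the client field and LOG_B on ERROR level, and
    keep only the cids that satisfy both filters."""
    client_re = re.compile(rf"\bclient={re.escape(client)}\b")
    return correlate(
        LOG_A,
        LOG_B,
        keep_a=lambda line: client_re.search(line) is not None,
        keep_b=lambda line: "level=ERROR" in line,
    )


if __name__ == "__main__":
    for cid, sides in keyword_then_pull("keyword").items():
        print(cid, "->", len(sides["a"]), "LOG_A line(s),", len(sides["b"]), "LOG_B line(s)")
    for cid, sides in client_errors("acme").items():
        for line in sides["b"]:
            print("acme error:", line)
```

Each predicate is applied before the join, so the expensive part (matching cids across sources) only runs over the lines that already passed the per-log filters; that is the same order of operations the question asks for, filter first, then bring in the related data by correlation id.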