Log Aggregation
In Sumo Logic, is it possible to search for multiple logs and do some arithmetic on them, like
("Log Message1" OR "Log Message2")
| count("Log Message1") as msg1
| count("Log Message2") as msg2
| (msg1 - msg2) as msg3
In Splunk I used something like
| eval msg1=if(like(line, "%Log Message1%"), 1, 0)
| eval msg2=if(like(line, "%Log Message2%"), 1, 0)
| eval msg3=msg1-msg2
| stats sum(msg1) as msg1, sum(msg2) as msg2, sum(msg3) as msg3
I just recently moved to Sumo Logic and I couldn't find an equivalent way to do this.
Official comment
Yes, you can do this in Sumo Logic, but you have to have all count statements in the same line, like this:
("Log Message1" OR "Log Message2")
| count("Log Message1") as msg1, count("Log Message2") as msg2
| (msg1 - msg2) as msg3
However, this only counts every single message for each field; if the field is blank it is also counted. To get around this, we can write our query like this:
("Log Message1" OR "Log Message2")
| if (isblank(Log_Message1), 0, 1) as Log_Message1_total
| if (isblank(Log_Message2), 0, 1) as Log_Message2_total
| sum(Log_Message1_total) as Log_Message1_count, sum(Log_Message2_total) as Log_Message2_count
What the if statement does is give a value of 1 if the field has a value, otherwise a value of 0 if the field has no value. This way we only count the messages that have a value and ignore the messages that don't have a value for a given field.
For information on the if operator, please go to https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/if-operator-and
For arithmetic equations in Sumo Logic, please go to https://help.sumologic.com/05Search/Search-Query-Language/Field-Expressions
And for the count operator, please go to https://help.sumologic.com/05Search/Search-Query-Language/aaGroup/count%2C-count-distinct%2C-and-count-frequent
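An added example, not part of the question or the official comment: the same two-pattern count and difference expressed with Sumo Logic's conditional matches operator on the raw message, so that nothing depends on a parsed field being present or blank. The two literals and the assumption that each matching line contains one of them verbatim are illustrative.

```sumo
// Added example (not from the original post). Assumes the two literal
// strings appear verbatim in the raw message text; no field extraction needed.
("Log Message1" OR "Log Message2")
// 1 when the raw line contains the literal, 0 otherwise (wildcard match)
| if (_raw matches "*Log Message1*", 1, 0) as msg1
| if (_raw matches "*Log Message2*", 1, 0) as msg2
// both aggregates in one sum clause, as the official comment requires
| sum(msg1) as msg1, sum(msg2) as msg2
// arithmetic on the aggregated fields
| (msg1 - msg2) as msg3
```

Because a scoped line that lacks a literal contributes 0 rather than an empty field, the blank-field problem the official comment describes does not arise. For a per-interval view, add `| timeslice 1h` before the sum and `by _timeslice` after it; the difference is then computed per bucket.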