Chart Log Ingestion by Logger

Follow
Avatar
Nathan Norman

Hello, 

I'm attempting to make a query similar to this one: 

_index=sumologic_volume
| where _sourceCategory="sourcename_volume"
| parse regex "(?<sourcename>\"[^\"]+\")\:\{\"sizeInBytes\"\:(?<bytes>\d+),\"count\"\:(?<count>\d+)\}" multi
| timeslice 1h
| bytes/1024/1024/1024 as gbytes| sum(gbytes) as gbytes by sourcename, _timeslice
| where sourcename contains "myproductname"
| transpose row _timeslice column sourcename

This query generates a really useful chart showing the ingested log volume in gbytes broken down by sourcename.

I'm trying to get a bit more granular and figure out which loggers in my application are responsible for the log volume in a given timeframe. 

Here is my attempt so far:

(_index=my_index AND _sourceName="mysource") | parse "* * [*] * * [* *] - *" as (day, time, thread, log_level, logger, trace_id, span_id, message) | timeslice 1h | count by logger, _timeslice | sort by _count

This is not giving me the results I'm trying to get. What I really want to see is a chart of the top 10 loggers by number of log messages logged per logger over time. The count_frequent operator seems close to giving me what I want, but I can't figure out how to make that operator group by timeslice. 

Thanks for any help or pointers.

0

Comments

2 comments

Sort by Date Votes
  • Avatar
    Harishwer Selvakumar

    Hi Nathan,

    Can you try either of the three queries to see if it fits your requirement?

    _index=my_index AND _sourceName="mysource"
    | parse "* * [*] * * [* *] - *" as day, time, thread, log_level, logger, trace_id, span_id, message
    | timeslice 1h
    | count by logger, _timeslice
    | top 10 logger, _timeslice by _count

    OR

    _index=my_index AND _sourceName="mysource"
    | parse "* * [*] * * [* *] - *" as day, time, thread, log_level, logger, trace_id, span_id, message
    | timeslice 1h
    | count by logger, _timeslice
    | transpose row _timeslice column logger

    OR

    _index=my_index AND _sourceName="mysource"
    | parse "* * [*] * * [* *] - *" as day, time, thread, log_level, logger, trace_id, span_id, message
    | timeslice 1h
    | count by logger, _timeslice
    | top 300 logger, _timeslice by _count
    | transpose row _timeslice column logger

    Thank you

    Regards
    Harishwer Selvakumar
    Customer Success Engineer - Sumo Logic
     
    1
    Comment actions Permalink
  • Avatar
    Nathan Norman

    Harishwer Selvakumar thank you very much for your response. 

    The second two queries are exactly what I was looking for. This will be very helpful for my team to figure out where our excess log volume is originating from. Thanks again.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post