Appending multiple search results in one search

Comments

4 comments

  • Avatar
    Harishwer Selvakumar

    Hi Raja,

    I think the "if" operator can be of help here:

    https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/if-operator-and

    Please try this Query, if it helps:

    _sourceCategory=my/team/log/*
    | timeslice 1d
    | if (_raw contains "server_error","Contains Error","Doesn't Contain Error") as error_log
    | count by _timeslice, error_log
    | transpose row _timeslice column error_log

     You would see an output similar to below attached:

     

    Feel free to let us know if there is any clarification required.

    Thank you

    Regards
    Harishwer Selvakumar
    Customer Success Engineer - Sumo Logic

     

    0
    Comment actions Permalink
  • Avatar
    Rajasekhar Unichigid

    Hi Harishwer, Thank you for responding to me,

    If i run the query as the way you suggested, i get this output:

    But if just run the query :

    _sourceCategory=my/team/log/* "server_error"
    | timeslice 1d
    | count by _timeslice

    So, something is not right when we do that... also if i follow your approach with IF then i am not getting the total calls count [ which is sum of contains and not contains error]

    Your suggestions will help.

    -Raja

     

    0
    Comment actions Permalink
  • Avatar
    Harishwer Selvakumar

    Hi Raja,

    The filter based on search key-word is case-insensitive & an exact match, while the filter using "matches" operator is case-sensitive & non-exact match.

    Please try the below query as a work around:

    _sourceCategory=my/team/log/*
    | timeslice 1d
    | if (_raw matches /((?i)server_error)/ , "Contains Error" , "Doesn't Contain Error") as error_log
    | count by _timeslice, error_log
    | transpose row _timeslice column error_log

    Thank you

    Regards
    Harishwer Selvakumar
    Customer Success Engineer - Sumo Logic
    0
    Comment actions Permalink
  • Avatar
    Rajasekhar Unichigid

    Thanks Harishwer, this is helpful.

    -Raja

    0
    Comment actions Permalink

Please sign in to leave a comment.