dynamic field names with keyvalue?
Completed
Is it possible to dynamically generate column names from keyvalue data? That is, I don't want to explicitly list the keys to be extracted but instead just pick up anything in a given pattern. Our developers can add arbitrary key-value pairs for debugging purposes and it would be nice to pick those up without updating the sumologic search / field extraction.
So, instead of something like the following from the doc:
* | keyvalue regex "=(.*?)[,|}]" keys "serviceinfo.IP", "loggingcontext.region", "request.method" as ip, region, method
...just say something like:
* | keyvalue regex="(.*?)=(.*?)"
The key name would come from the first group, the value from the second. Is this possible and I haven't figured it out or is this not a supported feature for keyvalue? Is it possible using some other combination of operators?
Thanks
-
Hi Jonathan,
Currently we do not have an auto parse for keyword and I'm not sure of a combination of other operators that could achieve this function. This is an existing open feature request, which you should vote/comment on via the below link. Hopefully we can get this bumped up a bit.
https://support.sumologic.com/entries/84875118-Automatically-extract-key-value-fields
-
Updating that it was completed. Here's a quote:
This feature was released on July 9, 2015. Please find reference to this within the following help under the "Auto-Extracting Key Value Pairs" section.
https://service.sumologic.com/help/Default.htm#Keyvalue_operator.htm
Sahir Azam
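The idea from the question (key name from the first group, value from the second), sketched in Python as an added example; it is not part of the original thread and not Sumo Logic's implementation. The key character set, the field cap, the first-occurrence rule and the sample line are assumptions made here; the value delimiters are the ones in the doc regex quoted in the question. `naive_pairs` shows that, as a plain regex, a lazy second group with no terminator captures an empty value.

```python
import re

# Key: identifier-like, dots allowed (e.g. "serviceinfo.IP"). Value: a quoted
# string, or a bare run ending at a delimiter from the doc example ( , | } ).
PAIR_RE = re.compile(
    r'(?P<key>[A-Za-z_][\w.]*)\s*=\s*'
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>[^,|}\s]*))'
)

MAX_FIELDS = 50  # assumed cap so one noisy line cannot create unbounded columns


def extract_pairs(line, max_fields=MAX_FIELDS):
    """Return {key: value} for every key=value pair found in line."""
    fields = {}
    for m in PAIR_RE.finditer(line):
        if len(fields) >= max_fields:
            break
        quoted = m.group("quoted")
        value = quoted if quoted is not None else m.group("bare")
        # First occurrence wins, so a later duplicate cannot overwrite a field.
        fields.setdefault(m.group("key"), value)
    return fields


def naive_pairs(line):
    """Unanchored lazy pattern: the second group has nothing to stop at."""
    return re.findall(r"(.*?)=(.*?)", line)


# Constructed sample line, not taken from a real log.
SAMPLE = ('2015-07-09 12:00:01 INFO {serviceinfo.IP=10.0.0.5, '
          'loggingcontext.region=us-east-1, request.method=GET, '
          'debug.note="retry, attempt=2", request.method=POST}')

if __name__ == "__main__":
    for key, value in extract_pairs(SAMPLE).items():
        print(f"{key} = {value}")
    print(naive_pairs("a=1,b=2"))
```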