• Colin Corstorphine

Brian,

I'm making the assumption that A and B are parsed from the same field and are thus mutually exclusive in each message.

Your query might look something like this:

| parse ____ as MyField

| if (MyField matches "A", 1, 0) as CountA

| if (MyField matches "B", 1, 0) as CountB

| sum(CountA) as SumA, sum(CountB) as SumB

| SumA/SumB as MyRatio

| where MyRatio>3

This will only return results when your threshold has been met.

You would then set your Scheduled Search similar to the following:

• Worked great!!! Thanks for the help. SumoLogic keeps surprising me.

• Colin,

Is there an easy way to accomplish the above (which is working great) but to also slice it by time. I'd like to know the ratio every 60 minutes, over 7 days.

Something like:

| parse ____ as MyField

| timeslice 60

| if (MyField matches "A", 1, 0) as CountA

| if (MyField matches "B", 1, 0) as CountB

| sum(CountA) as SumA, sum(CountB) as SumB

| SumA/SumB as MyRatio

| by _timeslice

I've tried a bunch of different variations, but I can't seem to grok the right concept.

• Give the following a try. This will tell the query to sum your records by the timeslice. The ratio should then be computed on the timesliced values.

| parse ____ as MyField

| timeslice by 60m

| if (MyField matches "A", 1, 0) as CountA

| if (MyField matches "B", 1, 0) as CountB

| sum(CountA) as SumA, sum(CountB) as SumB by _timeslice

| SumA/SumB as MyRatio
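The following is an added example, not part of the thread above, that reproduces the two queries in Python so the per-timeslice ratio and the threshold check can be run offline against a handful of constructed log lines. It assumes each line starts with an ISO-8601 timestamp and carries a `status=` field holding either A or B (standing in for whatever the poster's `parse ____ as MyField` extracts); the field name, the timestamp format and the log lines are all assumptions made for this example. It also covers the case the posted query does not guard against: a slice that has A events but no B events, where SumA/SumB has no value.

```python
from collections import defaultdict
from datetime import datetime, timezone
import re

# Constructed sample log lines (not from the original thread). Each line has an
# ISO-8601 timestamp and a "status=" field carrying A or B, standing in for the
# field the poster's `parse ____ as MyField` extracts. Both names are assumptions.
SAMPLE_LOGS = """\
2024-01-01T00:05:00Z host=web1 status=A
2024-01-01T00:10:00Z host=web1 status=A
2024-01-01T00:20:00Z host=web2 status=A
2024-01-01T00:30:00Z host=web2 status=A
2024-01-01T00:40:00Z host=web1 status=B
2024-01-01T01:05:00Z host=web1 status=A
2024-01-01T01:15:00Z host=web2 status=B
2024-01-01T01:25:00Z host=web2 status=B
2024-01-01T02:05:00Z host=web1 status=A
2024-01-01T02:15:00Z host=web1 status=A
2024-01-01T03:50:00Z host=web2 status=B
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+.*?\bstatus=(?P<field>[AB])\b")

SLICE_SECONDS = 60 * 60  # the thread's 60-minute timeslice


def parse_line(line):
    """Return (epoch_seconds, field) for a matching line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    return int(ts.timestamp()), m.group("field")


def ratio_by_timeslice(lines, slice_seconds=SLICE_SECONDS):
    """Per slice: SumA, SumB and MyRatio = SumA/SumB, as in the final query.

    Keys are slice start times in epoch seconds (the _timeslice). MyRatio is
    None when a slice has no B events, a case the posted query does not handle.
    """
    counts = defaultdict(lambda: {"SumA": 0, "SumB": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # no field: contributes 0 to both counters, like if(..., 1, 0)
        epoch, field = parsed
        slice_start = epoch - (epoch % slice_seconds)  # floor to the bucket
        counts[slice_start]["Sum" + field] += 1        # sum(CountA) / sum(CountB)
    result = {}
    for start, c in sorted(counts.items()):
        ratio = c["SumA"] / c["SumB"] if c["SumB"] else None
        result[start] = {"SumA": c["SumA"], "SumB": c["SumB"], "MyRatio": ratio}
    return result


def slices_over_threshold(per_slice, threshold=3.0):
    """The first answer's `where MyRatio > 3`, applied per slice.

    Slices with no B events (ratio None) are skipped here; decide explicitly
    whether those should alert, since the scheduled search will not tell you.
    """
    return [start for start, row in per_slice.items()
            if row["MyRatio"] is not None and row["MyRatio"] > threshold]


if __name__ == "__main__":
    rows = ratio_by_timeslice(SAMPLE_LOGS)
    for start, row in rows.items():
        when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        print(when, row)
    print("over threshold:", slices_over_threshold(rows))
```

With the constructed lines, the 00:00 slice has four A events and one B (ratio 4.0) and is the only one that crosses the threshold of 3; the 02:00 slice has two A events and no B, so its ratio is reported as None rather than raising a division error, which is the case worth thinking about before relying on the scheduled search for alerting.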