Modify Join to use on dashboards



  • Latimer Luis

    I'd first like to preface my response and state that my solution below is generally NOT recommended by Sumo Logic and will not actually work in all cases. What we have seen other customers do is perform an aggregation by _raw (the message field) before the join operator. Highly selective queries where you're returning less than a thousand results should work okay, but anything more and you'll likely run into issues. 

    Here's an example:

    (_sourceCategory="sourcecategory") AND (("Keyword1") OR "Keyword2")
    | count by _raw
    | join
    (parse field=_raw "*|*|pid:*:tid:*|*||||" as reference_id,timestamp,pid,tid,debug_mode,customerId,renewable) as t1, 
    (parse field=_raw "*|*|pid:*:tid:*|||*|*" as reference_id,timestamp,pid,tid,status_code,message) as t2
    on t1.reference_id=t2.reference_id
    | fields t1_reference_id,t1_customerId,t1_renewable,t2_reference_id,t2_status_code,t2_message
    | count_distinct(t2_reference_id)

  • Elena Lenenko

    Thanks! Will try it out
