If logs are missing return new field

Follow

Team Romania

• August 01, 2018 08:01

Hi Sumologic Community,

I'm working on a dashboard and when logs are missing for my aggregate query I'd like to display a null value or 0, how can I achieve this with the logs query?

I've tried multiple queries with no luck.

Id'd like something like 

_collector=test AND _sourcecategory_test AND service_name="something"

max(response_time) | if (isNull(response_time), "Null",response_time) as latency 

So what I need is to display the maximum response time if there are logs else return a Null or 0 value.This issue is that there are missing logs on the timeframe and I don't have any fields.

Can someone suggest how to resolve this? 

Thanks,

Istvan 

0

• Official comment

  

  Nick Wilson

  • August 01, 2018 17:38

  Hi Istvan,

  I recommend moving your scope down to another "if" statement so you can flag it and max by that flag. Something like:

  *
  | if(_collector="test" AND _sourcecategory="test" AND service_name="something", 1, 0) as scope
  | max(response_time) by scope
  | if(isNull(_max), 0, _max) as latency
  | fields latency

  This is the concept for the approach I would take. Let me know if that helps!

  Thanks,
  Nick
  Customer Success, Sumo Logic

  Comment actions Permalink

Please sign in to leave a comment.