using CAT in a subquery

Follow

Alex Pooley

• September 11, 2018 08:54

Hi, it doesn't look like a subquery can use the cat command.  This would be useful as I am trying to the following:

 

• I have a saved file containing a list of domains and the department of the business they belong to
• I want to use a parameter to allow the user of a dashboard to select the department
• Using this parameter I go away and find which domains match the department (by using cat on the saved file)
• the subquery returns the domains to a parent query which goes off and gets all the data, the department field is already FER so it would be fast

This doesn't work, it returns com.sumologic.query.language.ast.Cat cannot be cast to com.sumologic.query.language.ast.search.SearchExpression

The only way I have of doing this at the moment is pulling all of the data, doing a lookup to see which department a domain belongs to and then using a where clause.  This is too slow and times out because of the overall volume of logs.

This is what I am trying:

[subquery:
cat /shared/dept/deptlookup
| where dept={{dept}}
| fields domain
| sort by domain
| compose domain keywords
]

Any ideas?

0

• 

  Alex Pooley

  • September 11, 2018 09:02

  Lookup only supports returning one row, where as I need to return all rows that match the dept, hence using cat.

  0

  Comment actions Permalink
• 

  Alex Pooley

  • September 11, 2018 09:16

  I guess one option is a very long label value pairs string in the parameter but I would have to duplicate this across many panels so updating would be a nightmare.

  0

  Comment actions Permalink

Please sign in to leave a comment.