Including a raw message in search results

Follow

SIEM ADM

• September 11, 2018 11:11

I need to write a query that will return one raw message per aggregate line in the findings. It only has to be one sample pulled from the total raw messages found. Is this possible? 

0

• 

  Piotr Woch

  • September 11, 2018 15:33

  Hello!

  I would recommend reviewing the documentation and trying out using "transactionize" operator (https://help.sumologic.com/Search/Search-Query-Language/Transaction-Analytics/Transactionize-operator), whereas you can achieve the effect of pulling a single log line from a set by combining the "transactionize" operator with "merge" operator (https://help.sumologic.com/Search/Search-Query-Language/Transaction-Analytics/Merge-Operator). The second link will give you some examples of how these operators can be used together.

  I hope this helps, please let me know if you have further questions.

  Best regards,

  Peter Woch

  0

  Permalink

Please sign in to leave a comment.