Using sub-queries with conditions other than equals / match in Sumo
Hi, I have a query like the example below, but I am getting "Subquery failed with error: No definition found for function <(Long, Boolean)." on it because it doesn't know how to handle the time comparison. Is there any other way I can filter the results of the parent query based on the time being less than the one we're making available via compose from the subquery?
_sourceCategory="A"
| ...// extract fields
| first (_messagetime) by x, y
| where _first < ([subquery: _sourceName = "Log" _sourceCategory="B" "filtertext"
| sort by _messagetime desc | first(_messagetime) | compose _first])
| sort by _first
_first would be a _messagetime value, matching the subquery variable type
-
Subquery is a correlation method, matching values from the child and parent query, correlating on things like usernames, IPs, session IDs etc. It allows us to find a subset of data based on the result of another query, matching the same values.
No < (or >) or = operation is possible here. Other correlation operators have the same constraint.
In this case you could try bringing in both datasets via OR:
(_sourceCategory="A" OR _sourceName = "Log" _sourceCategory="B" "filtertext" )
//parse fields for both sets of data (use nodrop)
| first(_messagetime) by FIELDS, _sourceCategory