Use logging date rather than receipt date
I'm using the following query to create a stacked bar chart:
* | keyvalue auto
| timeslice 1h
| count by _timeslice, queryperformed
| transpose row _timeslice column queryperformed as *
The timeslice here is bound to the time Sumo received the log message.
How can I use a date that is included in the log message rather than the receipt date?
-
Figured it out...for some background, I'm collecting historic logs to find queries performed by various applications which all connect to the same API -- our team needed to see if any particular application was overloading the system.
Log messages look like this:
2019-03-06 17:49:47,822 datetimeofquery="2016-05-24 19:44:31+0000" queryperformed="<some query string>" programquerying="<some application name>"
Here is the search with some [annotations]:
* [regular searching]
| keyvalue "datetimeofquery" as datetimeofquery [extract the date when query was run]
| keyvalue "queryperformed" as queryperformed [extract query]
[read docs carefully, converting a date-string to a date requires a two stage process...]
[first, the field datetimeofquery must be converted to milliseconds using parseDate()]
| parseDate(datetimeofquery, "yyyy-MM-dd HH:mm:ssZZZZ") as p
[next, convert from milliseconds to an actual date using formatDate(). The date format dictates the width of buckets for the stacked bar chart created at the end. I used a one hour bucket size; converting to a one minute bucket size would entail using the format "yyyy-MM-dd HH:mm"]
| formatDate(p, "yyyy-MM-dd HH") as formattedDate
| count by formattedDate, queryperformed
| transpose row formattedDate column queryperformed
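The two-stage conversion from the answer, reproduced offline as an added example (Python rather than Sumo Logic query language, and not code from the original post): it parses constructed log lines in the format quoted above, buckets them once by receipt time and once by the embedded datetimeofquery, and pivots the counts the way transpose does. The sample lines, field names and the GET /... query strings are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample lines in the format quoted in the answer (not real data).
# The receipt time is 2019 but the queries themselves ran in 2016; the last
# line carries a non-UTC offset to show why the offset must be honoured.
SAMPLE_LOGS = [
    '2019-03-06 17:49:47,822 datetimeofquery="2016-05-24 19:44:31+0000" queryperformed="GET /orders" programquerying="billing"',
    '2019-03-06 17:49:48,104 datetimeofquery="2016-05-24 19:50:02+0000" queryperformed="GET /orders" programquerying="billing"',
    '2019-03-06 17:49:48,377 datetimeofquery="2016-05-24 20:05:10+0000" queryperformed="GET /users" programquerying="reporting"',
    '2019-03-06 17:49:49,001 datetimeofquery="2016-05-24 21:30:00+0200" queryperformed="GET /users" programquerying="reporting"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
RECEIPT_FMT = "%Y-%m-%d %H:%M:%S,%f"   # the collector's own timestamp prefix
QUERY_FMT = "%Y-%m-%d %H:%M:%S%z"      # strptime form of "yyyy-MM-dd HH:mm:ssZZZZ"

def parse_line(line):
    """Stand-in for `keyvalue`: the receipt timestamp plus every key="value" pair."""
    fields = dict(KV_RE.findall(line))
    fields["_receipt"] = datetime.strptime(" ".join(line.split(" ", 2)[:2]), RECEIPT_FMT)
    return fields

def bucket(lines, use_log_date, fmt="%Y-%m-%d %H"):
    """Count queries per time bucket. With use_log_date the bucket comes from the
    embedded datetimeofquery (parseDate then formatDate); otherwise from receipt time.
    fmt sets the bucket width, e.g. "%Y-%m-%d %H:%M" for one-minute buckets."""
    counts = defaultdict(Counter)
    for line in lines:
        f = parse_line(line)
        if use_log_date:
            # stage 1 (parseDate): string -> aware datetime; stage 2 (formatDate):
            # normalise to UTC and truncate to the bucket width
            when = datetime.strptime(f["datetimeofquery"], QUERY_FMT).astimezone(timezone.utc)
        else:
            when = f["_receipt"]
        counts[when.strftime(fmt)][f["queryperformed"]] += 1
    return counts

def transpose(counts):
    """Stand-in for `transpose row ... column ...`: one row per bucket, one column per query."""
    queries = sorted({q for c in counts.values() for q in c})
    return [{"bucket": b, **{q: counts[b][q] for q in queries}} for b in sorted(counts)]

if __name__ == "__main__":
    for row in transpose(bucket(SAMPLE_LOGS, use_log_date=True)):
        print(row)
```

Bucketing by receipt time collapses all four lines into the single hour they were ingested; bucketing by the embedded date spreads them across the hours the queries actually ran, which is what a per-application load timeline needs.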