Use logging date rather than receipt date

Follow

Peter Scalise

• March 06, 2019 16:11

I'm using the following query to create a stacked bar chart:

* | keyvalue auto
| timeslice 1h
| count by _timeslice, queryperformed
| transpose row _timeslice column queryperformed as *

 

The timeslice here is bound to the time sumo received the log message.

How can I use a date that is included in the log message rather than the receipt date?

0

• 

  Peter Scalise

  • March 06, 2019 19:56

  Figured it out...for some background, I'm collecting historic logs to find queries performed by various applications which all connect to the same API -- our team needed to see if any particular application was overloading the system.

  Log messages look like this:

  2019-03-06 17:49:47,822  datetimeofquery="2016-05-24 19:44:31+0000" queryperformed="<some query string>" programquerying="<some application name>"

   

  Here is the search with some [annotations]:

  *         [regular searching]
  | keyvalue "datetimeofquery" as datetimeofquery      [extract the date when query was run]
  | keyvalue "queryperformed" as queryperformed       [extract query]

  [read docs carefully, converting a date-string to a date requires a two stage process...]

  [first, the field datetimeofquery must be converted to milliseconds using parseDate()] 
  | parseDate(datetimeofquery, "yyyy-MM-dd HH:mm:ssZZZZ") as p

  [next, convert from milliseconds to an actual date using formatDate().  The date format dictates the width of buckets for the stacked bar chart created at the end.  I used a one hour bucket size, converting to a one minute bucket size would entail using the forma "yyyy-MM-dd HH:mm"]

  | formatDate(p, "yyyy-MM-dd HH") as formattedDate

  | count by formattedDate, queryperformed
  | transpose row formattedDate column queryperformed

   

   

   

  0

  Permalink

Please sign in to leave a comment.