My template parameters don't work
I want to set up a query where I first parse the logs to get the organizationId and then filter it based on organizationIds in the template . The query is something like this
((_sourceCategory=mySource*)
AND _sourcecategory = "mySourceCategory")
AND "myApplication""|parse "partitionKey=*," as OrgId | where OrgId matches {{organization}}
organization is my template parameter.
I tried 2 options :
1) using text entries . I set up all the organization values I want to be filtered on in the textPanel each on one line .. Something like below
org1
org2
org3
...
The query only yields results based on the value set as default for the parameter.
2) Using lookup . I first ran a query to retireve organizationIds and save it to a file . Then used the only the OrgId value from the file to map to the parameter Value .
This query also doesn't return results.
I am really stuck up here and can't proceed further . Running out of ideas . Any help is greatly appreciated.
Thanks
Debashish
-
Hi Debashish,
if you are using the 'where matches ...' syntax there are a few things that can trip you up:
1. it's case sensitive so where matches "FooABC" will not match organzition id "fooabc"
2. * is the wildcard if you don't have an exact match so if you are using part of an id make sure to use *value* as your parameter value.
It's also worth checking the parameter type of your template parameter - if it's string it will finish up in the query as "something", but you chose say keyword or any it will look different.
If I was doing this type of query I would do this:
((_sourceCategory=mySource*)
AND _sourcecategory = "mySourceCategory")// this is searched as a keyword very quickly in your search using sumo bloom filter and is not case sensitive
{{organization}}
AND "myApplication""|parse "partitionKey=*," as OrgId// this is matches regex. it's an expensive search but will perform well as the value above excluded most events already
// the i regular expression modifier makes it case insensitive matching.
| where OrgId matches /(?i){{organization}}/
-
my suggestions to help troubleshoot a dashboard with search templates like this would be:
1. make sure to hit return in the filter box after updating any values. the dashboard form does not have a submit button so changes only apply after you hit return. That could be why you are not seeing changes
2. refresh the form in your browser (e.g command R of mac) and try updating it again. Sometimes if you have been editing a dashboard you might need to refresh to get correct behaviour
3. if you have multiple panels and made a lot of changes the dashboard can get corrupted in rare cases. To help with that you are best to log a ticket with the helpdesk, but you can also export the dashboard config and check for example that all the panels reference the correct filter ids. https://help.sumologic.com/05Search/Library/Export-and-Import-Content-in-the-Library
-
I actually tried even opening and running the query in the new browser and it keeps neglecting all items in the list . But does accept the values that I provide as default. So it means it is taking my changes that I am doing in the Manage Parameter Settings pop up. But it is disregarding the items that I put in the list for TextEntry . I tried with a single item , a single item with an explicit Enter in the end to add a new line and multiple entries . In any case it is not taking the items from the list . Is there some bug with the latest sumo version for template parameters ?
-
Hi Debashish,
I'd suggest you log a support ticket https://support.sumologic.com/hc/en-us/requests/new
I'm sure our support team could identify where you are going wrong very quickly as you can enable them access to login and view your query (by sharing the link). I think it's probably a problem with the way your template / dashboard is setup and it's hard to identify the exact problem without logging in to your sumo instance.
Please sign in to leave a comment.
Comments
6 comments