sumo query searches - are they case sensitive?

Follow
Avatar
Sukhjinder Bhullar

I have a query as 

_collector=sample_1
_sourceCategory="sample_app"
error
//| parse regex "\[(?<level>[^\]]+)\]" nodrop
//| where levelor = "Error"
| timeslice | count by _timeslice

e.g. it gives me output as 1000 

but when i add error or Error , its output changes. so my question here is are these search keywords case sensitive ? 

0

Comments

1 comment

Sort by Date Votes
  • Avatar
    Kevin Keech2

    Keywords are not case sensitive; however, the matching operators will be case sensitive. When you say you add "error or Error" are you putting that literally in your query keywords like below?

    _collector=sample_1
    _sourceCategory="sample_app"
    (error or Error)

    Note: If you are doing the following this may return a different set of results. 

    _collector=sample_1
    _sourceCategory="sample_app"
    error or Error

    This is because the first conditions before the OR could be ignored and you would receive any messages that contain the string 'Error". Basically the above would be equal to the following.  

    (_collector=sample_1 AND _sourceCategory="sample_app" AND error)
    OR Error

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post