Reconcile ID's present in one source category but absent in another

Follow

James Daily

• April 30, 2020 13:32

We have two source categories: 

Category #1. Lists transmissions believed to be sent from one system
Category #2. Lists transmissions known to be received by the other system

They both include a common ID.

When things go well, all ID's in category #1 will also be found in category #2, usually on the same day.

If an ID ever appears in category #1 but then does NOT appear in category #2, then I want a query or report to highlight that fact, as it represents a transmission that failed to arrive at the destination.

Can this be done in Sumo Logic?

0

• 

  Kevin Sumo

  • May 09, 2020 01:53
  • Edited

  H James, 
  
  This is possible and there may be a couple of ways to do this. First would be using a subquery.  
  
  Example:

  _sourcecategory=<transmission_sent>
  | parse "id: *" as id
  | where !( [subquery:_sourcecategory=<transmission_received>| parse "id: *" as id
  | compose id])

  This would return all the "sent" ids that did not match with a "received" id.  You can also use an "if" statement with the subquery to show success or failed matches. 

  _sourcecategory=<transmission_sent>
  | parse "id: *" as id
  | if [subquery:_sourcecategory=<transmission_received>| parse "id: *" as id
  | compose id], "success", "failed") as status

  The other options may be to use a Transactionize operation or a Sessionize operation.

  1

  Comment actions Permalink
• 

  James Daily

  • May 11, 2020 13:29

  Thank you! I had begun to work out approach #1 but approach #2 is even better for my needs.

  0

  Comment actions Permalink

Please sign in to leave a comment.