if then logic or multiple searches
I'm working on a search for our MS SQL that looks for blocks. The easiest thing (for me) is to just set up separate alerts. I'm also playing around with the idea of using one big search to be alerted on a SQL block.
1. Would this be the best approach for this? I'm a little worried that I would get an email blast of a few emails with different kinds of blocks with individual alerts.
2. I'm stuck also. I'm not a developer by trade and I can't figure out how to get each alert into its own separate message from here. I know I'm close, but as far as I'm aware there is no "if/then" in Sumo.
((_sourceCategory="{{CatHere}}" and _collector="{{SQL SERVER HERE}}"))
| parse "{blocking_session_id:*}" as Block_Session
| parse "{wait_type:*}" as Wait_Type
| where Block_Session > 0
| if(Wait_Type matches "LCK_M_X",1,0) as exclusive_lock
| if(Wait_Type matches "LCK_M_SCH_S",1,0) as Schema_Share_lock
| if(Wait_Type matches "PAGELATCH_UP",1,0) as Update_Latch
| if(Wait_Type matches "LCK_M_U",1,0) as Update_lock
| if(Wait_Type matches "LCK_M_SCH_M",1,0) as Schema_Modify
| if(Wait_Type matches "LCK_M_IS",1,0) as Intent_Shared
| if(Wait_Type matches "LCK_M_S",1,0) as Shared_Lock
| if(Wait_Type matches "PAGELATCH_EX",1,0) as Exclusive_Latch
Thanks for the info and help!
-
Hello Patrick,
1. Would this be the best approach for this? I'm a little worried that I would get an email blast of a few emails with different kinds of blocks with individual alerts.
You can set up separate alerts or combine them all into a single search. Whichever way works best for you. If you combined them all you should not be receiving an email blast of a few emails with different kinds of blocks. You will only get a single email every time the condition of the search is met.
2. I'm stuck also. I'm not a developer by trade and I can't figure out how to get each alert into its own separate message from here. I know I'm close, but as far as I'm aware there is no "if/then" in Sumo.
The Sumo Logic "IF" operator can do an if-else operation. Looking at your query, it is read as if "Wait_Type" matches "LCK_M_X" then value if true equals "1" else value if false = "0".
You can also combine your "IF" statements into a nested one. For more information about this, please go to https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/if-operator-and.
If you would like assistance building your query, then please open a ticket with support by going to support.sumologic.com or emailing support@sumologic.com.
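The nested form mentioned in the reply, written out as an added example (not part of the original thread and not Sumo Logic support's own query): the eight separate flags from the question become a single Block_Type field, so one scheduled search reports every kind of block in one result set. The Block_Type field, its label strings, the "Other" fallback and the Blocks column are assumptions made for illustration.

```sumologic
// Same scope and parsing as the query in the question
((_sourceCategory="{{CatHere}}" and _collector="{{SQL SERVER HERE}}"))
| parse "{blocking_session_id:*}" as Block_Session
| parse "{wait_type:*}" as Wait_Type
| where Block_Session > 0
// Nested if: each "else" branch holds the next test, so every
// message ends up with exactly one label in Block_Type
| if(Wait_Type matches "LCK_M_X", "Exclusive lock",
    if(Wait_Type matches "LCK_M_SCH_S", "Schema share lock",
    if(Wait_Type matches "PAGELATCH_UP", "Update latch",
    if(Wait_Type matches "LCK_M_U", "Update lock",
    if(Wait_Type matches "LCK_M_SCH_M", "Schema modify",
    if(Wait_Type matches "LCK_M_IS", "Intent shared",
    if(Wait_Type matches "LCK_M_S", "Shared lock",
    if(Wait_Type matches "PAGELATCH_EX", "Exclusive latch",
    "Other")))))))) as Block_Type
// One row per kind of block seen in the time range
| count as Blocks by Block_Type
| sort by Blocks
```

Saved as one scheduled search that alerts when the result count is greater than 0, this sends a single message listing each block type and how many times it occurred.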