possible to include external function inside where clause?

Follow

Hirak Chatterjee

• October 19, 2020 16:23
• Edited

Hi,

I have the following search, which extracts java exceptions from logs. There are some "known" exceptions which we are filtering out from results using where clause.

===

(" ERROR " or "Exception")
|parse "*.*Exception:*\n" as blah,Exception,Msg
|where !(Exception matches "*IntegrationAPI*") and !(Msg matches "*Required parameter DriverLicense* is null*") and !(Exception matches "*InsufficientPermission*") and !(Exception matches "*RequiredField*")

===

As you can understand, the where clause will grow over time. So the search box will take up most of the screen real estate.

I was wondering if we can have the where conditions in a separate function / search / or even a separate file? The external function will contain all the matching conditions and will return TRUE/FALSE.

Then we can simply invoke the function in the where clause and de-couple it from the original search.

Is something like that possible? Or any work arounds you could think of?

TIA.

 

0

• 

  Shobhit Garg

  • October 26, 2020 05:17

  Hi Hirak,

   

  You can use the lookup tables and lookup operator to achieve it.

  You can create two separate lookups of "exception" and "msg". Exception_lookup and msg_lookup are fields in the lookup file that you will create for "exception" and "msg" respectively

  | lookup Exception_lookup from https://company.com/userTable.csv on exception=Exception_lookup

  | isnull(Exception_lookup,"ignore") as Exception_lookup

  | where Exception_lookup = "ignore"

  By default lookup has an OUTER JOIN, so it will show NULL for those exception which are not there in lookup file and we are interested in them, so we replace NULL with "ignore" and then we put a where condition to only include those records which do not exist in lookup file. That means we are interested in "ignore" only.

  The similar thing you can do for "msg"

  Below are some important related documentation link

  1. Classic method of creating lookup file

  https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/lookup-classic

  2. Newly introduced Lookup tables, with more functionalities.

  https://help.sumologic.com/05Search/Lookup_Tables/01_Create_a_Lookup_Table

  3. Lookup operator

  https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/lookup

   

  Hope this helps

  Regards,

  Shobhit

  1

  Comment actions Permalink
• 

  Shobhit Garg

  • October 26, 2020 09:50

  Hi Hirak,

  Little modification in the query

   

  | lookup Exception_lookup from https://company.com/userTable.csv on exception=Exception_lookup

  | if (isNull(Exception_lookup), "ignore", Exception_lookup) as Exception_lookup

  | where Exception_lookup = "ignore"

   

  Regards,

  Shobhit

  0

  Comment actions Permalink
• 

  Hirak Chatterjee

  • October 26, 2020 13:15

  Thank you Shobhit.

  0

  Comment actions Permalink

Please sign in to leave a comment.