For a complete list of Sumo Logic Search operators, download the PDF version. For a step-by-step video and tutorial about creating queries, see the Quickstart Tutorial.

The Log Operators cheat sheet provides a list of available parsers, aggregators, search operators, and mathematical expressions, with links to full details for each item. The following paragraphs cover the available Sumo Logic parsers and aggregating functions.

Sumo provides a number of ways to parse fields out of your log messages.

The parse operator, also called parse anchor, parses strings according to specified start and stop anchors and labels the matched text as fields for use in subsequent operations in the query, such as sorting, grouping, or other functions. Messages that do not match the anchor pattern are dropped from the results unless the nodrop option is appended to the parse expression, so a pattern that is too specific silently narrows what you are counting.

The parse regex operator (also called the extract operator) enables users comfortable with regular expression syntax to extract more complex data from log lines. Parse regex can be used, for example, to extract nested fields.

The keyvalue operator allows you to get values from a log message by specifying the key paired with each value. Typically, log files contain information that follows a key-value pair structure.

The csv operator allows you to parse Comma Separated Values (CSV) formatted log entries. It uses a comma as the default delimiter.

| csv_raw extract 1 as user, 2 as id, 3 as name

The JSON operator is a search query language operator that allows you to extract values from JSON input. Because JSON supports both nested keys and arrays that contain ordered sequences of values, the Sumo Logic JSON operator allows you to extract single top-level fields, multiple fields, nested keys, and keys in arrays.

| parse "explainJsonPlan] *" as jsonobject | json field=jsonobject "sessionId"
| json auto

The split operator allows you to split strings into multiple strings and parse delimited log entries, such as space-delimited formats.

_sourceCategory=colon | parse "] * *" as log_level, text | split text delim=':' extract 1 as user, 2 as account_id, 3 as session_id, 4 as result

The XML operator uses a subset of the XPath 1.0 specification to provide a way for you to parse fields from XML documents. Using it, you can specify what to extract from an XML document using an XPath reference.

Aggregating (group-by) functions evaluate messages and place them into groups. They are used in conjunction with the group operator and a field name; when using any grouping function, the word by alone is sufficient to represent the group operator.

The averaging function (avg) calculates the average value of the numerical field being evaluated within the time range analyzed.

count, count_distinct, and count_frequent: the count function is also an operator in its own right and therefore can be used with or without the word by. count_frequent can return up to 100 results when used in dashboard panels.
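As an added example, not code from this page or from Sumo Logic: the Python below emulates the parse (anchor), parse regex, keyvalue and json operators and the count / count_distinct group-by functions described above, run over a handful of constructed log lines, so you can see how each parser fits a different message shape, how a non-matching message is dropped unless nodrop is used, and how the parsed rows are then grouped. The helper names (parse_anchor, keyvalue, json_fields, count_by, ...) and the sample lines are this example's own; the Sumo query each function mirrors is given in its comment.

```python
# Added example: a Python emulation of the cheat sheet's parsing and group-by
# operators. Helper names and sample lines are constructed for this example.
import json
import re
from collections import Counter, defaultdict

# Constructed sample messages in three shapes: free text (parse / parse regex),
# key=value pairs (keyvalue) and a JSON object (json). The last line matches
# none of the login patterns.
LOG_LINES = [
    "Jun 01 10:00:01 sshd[2001]: Failed password for user alice from 10.0.0.5 port 51422",
    "Jun 01 10:00:03 sshd[2002]: Failed password for user alice from 10.0.0.5 port 51423",
    "Jun 01 10:00:05 sshd[2003]: Failed password for user bob from 10.0.0.5 port 51424",
    "Jun 01 10:00:07 sshd[2004]: Failed password for user bob from 198.51.100.9 port 40001",
    "Jun 01 10:00:09 sshd[2005]: Accepted password for user alice from 10.0.0.5 port 51425",
    "Jun 01 10:00:11 app[300]: action=login user=carol src=203.0.113.7 result=ok",
    'Jun 01 10:00:13 app[301]: {"event":"login","user":"dave","src":"203.0.113.8","result":"fail"}',
    "Jun 01 10:00:15 cron[400]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_anchor(line, pattern, names, nodrop=False):
    """Emulate `parse "<pattern>" as <names>`: literal text anchors the match and
    each * captures the text between anchors. A non-matching message is dropped
    (None) unless nodrop is set, which keeps it with empty fields."""
    parts = pattern.split("*")
    regex = ""
    for i, part in enumerate(parts):
        regex += re.escape(part)
        if i < len(parts) - 1:
            # a trailing * runs to end of line; any other * stops at the next anchor
            regex += "(.*)" if i == len(parts) - 2 and parts[-1] == "" else "(.*?)"
    m = re.search(regex, line)
    if m is None:
        return dict.fromkeys(names) if nodrop else None
    return dict(zip(names, m.groups()))


def parse_regex(line, pattern):
    """Emulate `parse regex "<pattern>"`. Sumo uses Java-style (?<name>...) groups;
    Python wants (?P<name>...), so convert (leaving lookbehinds (?<= (?<! alone)."""
    m = re.search(re.sub(r"\(\?<(?![=!])", "(?P<", pattern), line)
    return m.groupdict() if m else None


def keyvalue(line, *keys):
    """Emulate `keyvalue "k1", "k2"` on a key=value formatted message."""
    fields = {}
    for key in keys:
        m = re.search(r"\b" + re.escape(key) + r"=(\S+)", line)
        fields[key] = m.group(1) if m else None
    return fields


def json_fields(line, *keys):
    """Emulate `json field=_raw "k1", "k2"` on a message carrying a JSON object."""
    start = line.find("{")
    if start < 0:
        return None
    obj = json.loads(line[start:])
    return {k: obj.get(k) for k in keys}


def normalize_logins(lines):
    """Parse each message with the operator that fits its shape and return rows
    with user, src and result so the three formats can be aggregated together."""
    rows = []
    for line in lines:
        if "{" in line:
            row = json_fields(line, "user", "src", "result")
        elif "user=" in line:
            row = keyvalue(line, "user", "src", "result")
        else:
            m = parse_regex(line, r"(?<outcome>Failed|Accepted) password for user (?<user>\S+) from (?<src>\S+)")
            row = {"user": m["user"], "src": m["src"],
                   "result": "fail" if m["outcome"] == "Failed" else "ok"} if m else None
        if row:  # no nodrop here: unparsed messages fall out of the result set
            rows.append(row)
    return rows


def count_by(rows, field):
    """Emulate `count by <field>`; returns {value: _count}."""
    return dict(Counter(r[field] for r in rows))


def count_distinct_by(rows, distinct_field, by_field):
    """Emulate `count_distinct(<distinct_field>) by <by_field>`."""
    seen = defaultdict(set)
    for r in rows:
        seen[r[by_field]].add(r[distinct_field])
    return {k: len(v) for k, v in seen.items()}


def failed_logins_by_src(lines, threshold=2):
    """Emulate: "Failed password" | parse "Failed password for user * from * port *"
    as user, src, port | count by src | where _count >= 2 | sort by _count"""
    rows = [parse_anchor(l, "Failed password for user * from * port *", ("user", "src", "port"))
            for l in lines if "Failed password" in l]
    counts = count_by([r for r in rows if r], "src")
    return sorted(((src, n) for src, n in counts.items() if n >= threshold), key=lambda t: -t[1])


if __name__ == "__main__":
    print(failed_logins_by_src(LOG_LINES))
    failed = [r for r in normalize_logins(LOG_LINES) if r["result"] == "fail"]
    print(count_distinct_by(failed, "user", "src"))
```

The second query in the main block is the one a practitioner usually wants next: count_distinct(user) by src over failed logins from every log shape separates a single user mistyping a password from one source trying several accounts.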