Freid001

Reputation: 2850

How do I create an aggregated table in sumologic?

How can I construct a sumologic query which would return the below log items in an aggregated table which groups the uri, status_code and number of requests. For example: uri = /healthcheck, status_code = 200 and requests = 1.

<27>Sep 12 11:03:26 my-app/0.0.0/75a2b6b67d68[2908]: [Wed Sep 12 11:03:26 2018] 00.00.00.00:00000 [200]: /healthcheck

I'm specifically unsure how to parse such a log, I tried this but it did not work:

_source="syslog-collector-tcp" "my-app"
| parse "[*] : *" as request

Upvotes: 0

Views: 485

Answers (1)

the-nick-wilson

Reputation: 616

You probably need to use regex for this. It would look something like:

| parse regex "\[(?<status_code>[0-9]{3})\]: \/(?<uri>.*)$"
| count by status_code, uri

This will remove log lines that don't meet the criteria for the regex. If you want to keep the other lines, you'll need to add nodrop:

| parse regex "\[(?<status_code>[0-9]{3})\]: \/(?<uri>.*)$" nodrop
| count by status_code, uri

This is just an example - the exact regex for your logs may be slightly different depending on how they're formatted, but this was what I came up with for your example above.

Hope this helps!

Upvotes: 1
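As an added offline check of what the answer's query does (example code, not Sumo Logic's or the answerer's), the Python below applies the same regex to constructed log lines in the question's format and reproduces `count by`, including the difference `nodrop` makes. Python spells named groups `(?P<name>...)`; note that `\/` sits outside the uri group, so uri is captured without its leading slash.

```python
import re
from collections import Counter

# Same capture groups as the answer's `parse regex`, in Python's (?P<name>...) syntax.
PATTERN = re.compile(r"\[(?P<status_code>[0-9]{3})\]: \/(?P<uri>.*)$")

# Constructed sample lines in the format shown in the question (not real logs).
SAMPLE_LOGS = [
    "<27>Sep 12 11:03:26 my-app/0.0.0/75a2b6b67d68[2908]: [Wed Sep 12 11:03:26 2018] 00.00.00.00:00000 [200]: /healthcheck",
    "<27>Sep 12 11:03:27 my-app/0.0.0/75a2b6b67d68[2908]: [Wed Sep 12 11:03:27 2018] 00.00.00.00:00000 [200]: /healthcheck",
    "<27>Sep 12 11:03:28 my-app/0.0.0/75a2b6b67d68[2908]: [Wed Sep 12 11:03:28 2018] 00.00.00.00:00000 [404]: /missing",
    "<27>Sep 12 11:03:29 my-app/0.0.0/75a2b6b67d68[2908]: worker started",
]


def parse_regex(lines, pattern=PATTERN, nodrop=False):
    """Mimic `parse regex "..." [nodrop]`: yield one dict of captured fields per line.

    Without nodrop, lines that do not match are discarded. With nodrop they are
    kept, with every captured field set to None (the equivalent of a null field).
    """
    for line in lines:
        m = pattern.search(line)
        if m:
            yield m.groupdict()
        elif nodrop:
            yield {name: None for name in pattern.groupindex}


def count_by(records, *fields):
    """Mimic `count by field1, field2, ...`: map each field tuple to its row count."""
    return Counter(tuple(r[f] for f in fields) for r in records)


if __name__ == "__main__":
    # Same as `| parse regex ... | count by status_code, uri` on the sample lines.
    table = count_by(parse_regex(SAMPLE_LOGS), "status_code", "uri")
    for (status_code, uri), requests in sorted(table.items()):
        print(f"{status_code}\t/{uri}\t{requests}")
```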
