
Parsing operators

Sumo Logic provides several ways to parse fields in your log messages.

parse (parse anchor): Parses strings according to specified start and stop anchors, and then labels them as fields for use in subsequent aggregation functions in the query, such as sorting, grouping, or other functions.

parse regex (extract): Enables users comfortable with regular expression syntax to extract more complex data from log lines. It can be used, for example, to extract nested fields.

keyvalue: Log files typically contain information that follows a key-value pair structure. The keyvalue operator gets values from a log message by specifying the key paired with each value.

csv: Parses Comma Separated Values (CSV) formatted log entries. It uses a comma as the default delimiter.
Example: | csv _raw extract 1 as user, 2 as id, 3 as name

json: A search query language operator that extracts values from JSON input. Because JSON supports both nested keys and arrays that contain ordered sequences of values, the Sumo Logic JSON operator can extract single top-level fields, multiple fields, nested keys, and keys in arrays.
Example: | parse "explainJsonPlan] *" as jsonobject

split: Splits strings into multiple strings and parses delimited log entries, such as space-delimited formats.
Example: | split text delim=':' extract 1 as user, 2 as account_id, 3 as session_id, 4 as result

xml: Uses a subset of the XPath 1.0 specification to parse fields from XML documents. You specify what to extract from an XML document using an XPath reference.
Example: | parse xml "/

Aggregating (group-by) functions

Aggregating (group-by) functions evaluate messages and place them into groups. They are used in conjunction with the group operator and a field name. When using any grouping function, the word by is sufficient for representing the group operator. An aggregation function cannot take another function (such as a math function).

group: Used in conjunction with group-by functions. Only the word by is required to represent the group operator.

avg: Calculates the average value of the numerical field being evaluated within the time range analyzed.

count, count_distinct, count_frequent: The count function is also an operator in its own right and therefore can be used with or without the word by. count_frequent can return up to 100 results when used in dashboard panels.
Example: | count_distinct(referrer) by status_code

first, last: first finds the earliest occurrence in search results, and last finds the result that follows all others, based on the sort order for the query. Not supported in Live Dashboards or any continuous query.

min, max: Find the smallest or largest value in a set of values.

most_recent, least_recent: Used with the withtime operator, these order data from newest to oldest.
Example: | lookup organization, asn from asn://default on ip = ip

Search operators

backshift: Compares values as they change over time. It can be used with rollingstd, smooth, or any other operators whose results could be affected by spikes of data (where a spike could possibly throw off future results). It can be used in Dashboard Panels, but in a search it must be included after the first group-by phrase.

base64Decode: Takes a base64 string and converts it to an ASCII string.
Example: | base64Decode("aHR0cDovL2NvZGVjLmFwYWNoZS5vcmcvY29tbW1vbnM=") as V

base64Encode: Takes an ASCII string and converts it to a base64 string.

bin: Sorts results into a histogram.

cat: Views the contents of a lookup table.

CIDR: CIDR notations specify the routing prefix of IP addresses. The CIDR operator lets you use Classless Inter-Domain Routing (CIDR) notations to analyze IP network traffic in order to narrow analysis to specific subnets.
Example: (denied OR rejected AND _sourcecategory=firewall

concat: Concatenates or joins multiple strings, numbers, and fields into a single user-defined field.
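To make concrete what a chain of the operators above computes, here is an added offline Python model of a typical firewall triage query (keyvalue extraction, a CIDR subnet filter, base64Decode of a field, then count by a group key). It is an illustration written for this page, not Sumo Logic's own implementation or query syntax; the log lines, field names (action, src, dst, url) and subnet values are constructed for the example. The base64 string in the base64Decode example above is reused so the decoded value can be checked.

```python
"""Offline Python model of a Sumo Logic-style search pipeline.

Added illustration for the cheat sheet; not Sumo Logic code. The operators it
mirrors are keyvalue, CIDR, base64Decode and count ... by.
"""
import base64
import binascii
import ipaddress
from collections import Counter

# Constructed sample firewall messages (hypothetical, not from any real device).
# The first url value is the base64 string from the page's base64Decode example.
SAMPLE_LOGS = [
    "action=denied src=10.1.4.22 dst=203.0.113.9 "
    "url=aHR0cDovL2NvZGVjLmFwYWNoZS5vcmcvY29tbW1vbnM=",
    "action=allowed src=10.1.4.23 dst=203.0.113.9 url=aHR0cDovL2V4YW1wbGUuY29tLw==",
    "action=rejected src=192.168.7.5 dst=198.51.100.2 url=not-base64!!",
    "action=denied src=10.2.0.1 dst=203.0.113.9 url=aHR0cDovL2V4YW1wbGUuY29tLw==",
    "garbage line without pairs",
]


def keyvalue(line):
    """Model of the keyvalue operator: collect key=value pairs from a message.

    Only the first '=' splits a token, so base64 padding in a value survives.
    Tokens without a key=value shape are ignored, as they carry no field.
    """
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep and key:
            fields[key] = value
    return fields


def in_cidr(ip, cidr):
    """Model of the CIDR check: True only if ip parses and lies inside cidr."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:  # empty, malformed or missing address
        return False


def base64_decode(value):
    """Model of base64Decode; returns None instead of raising on bad input."""
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def denied_by_subnet(lines, cidr, prefix_len=16):
    """Equivalent of: (denied OR rejected) | keyvalue | where src in cidr
    | count by the /prefix_len network of src. Returns {network: count}."""
    counts = Counter()
    for line in lines:
        fields = keyvalue(line)
        if fields.get("action") not in ("denied", "rejected"):
            continue
        src = fields.get("src", "")
        if not in_cidr(src, cidr):
            continue
        network = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        counts[str(network)] += 1
    return dict(counts)


def decoded_urls(lines):
    """Equivalent of: keyvalue | base64Decode(url) as V. Returns {src: V}."""
    return {
        f["src"]: base64_decode(f["url"])
        for f in map(keyvalue, lines)
        if "src" in f and "url" in f
    }


if __name__ == "__main__":
    print(denied_by_subnet(SAMPLE_LOGS, "10.0.0.0/8"))
    print(decoded_urls(SAMPLE_LOGS))
```

Lines that do not parse (the "garbage" message, the malformed url) are dropped or yield None rather than aborting the whole search, which matches how you would want a dashboard panel to behave on noisy firewall feeds.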
