Skip to end of banner
Go to start of banner

copySumo Logic Examples

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Querying by Common Fields

_source=BridgeServer2-Prod MetricsFilter | parse "\"status\":*," as status | where status >= 400 and status < 500 and status != 401

This query matches our 4XX alarm. All requests that had a 4XX error, except 401s (which are surprisingly common).

_source=BridgeServer2-Prod MetricsFilter | parse "\"status\":," as status | where status >= 400 and status < 500 and status != 401 | parse "\"remote_address\":\"\"" as ipAddress | count by ipAddress | order by _count desc

Groups the results by IP Address and orders them by most common IP Address.

_source=BridgeServer2-Prod MetricsFilter | parse "\"status\":," as status | where status >= 400 and status < 500 and status != 401 | parse "\"user_id\":\"\"" as userId | count by userId | order by _count desc

Groups the results by User ID and orders them by most common User ID.

_source=BridgeServer2-Prod MetricsFilter | parse "\"user_id\":\"\"" as userId nodrop

This simple query parses the userId from our MetricsFilter. The nodrop means that if the line doesn’t have a userId, we still preserve the line in our results, but the parsed userId shows up as blank.

Graphs

_source=BridgeServer2-Prod MetricsFilter | parse "\"elapsedMillis\":*}" as latency | num(latency) | timeslice 1h | pct(latency,50,95,99) by _timeslice | order by _timeslice asc

Shows hourly latency, 50th percentile (median), 95th percentile, and 99th perceptile. Works best if you use the Line Chart option.

Advanced Queries

_source=BridgeServer2-Prod MetricsFilter reauth "\"status\":200" "\"user_agent\":\"Blood Pressure/88" | parse "\"remote_address\":\"\"" as ipAddress | where [subquery: _source=BridgeServer2-Prod MetricsFilter reauth "\"status\":404" "\"user_agent\":\"Blood Pressure/88" | parse "\"remote_address\":\"\"" as ipAddress | count ipAddress | compose ipAddress] | count ipAddress | order by _count desc

Get all MetricsFilter entries for reauth calls that succeeded that also had failing reauth calls in the same time frame.

_source=BridgeServer2-Prod MetricsFilter | parse "\"request_id\":\"*\"" as requestId | where [subquery:_source=BridgeServer2-Prod error "broken pipe" | parse regex "(?<D>ERROR)" | parse "BridgeExceptionHandler - request: * " as requestId | compose requestId]

Get all MetricsFilter entries for all requests affected by broken pipe errors.

Nested queries. Also works with where ![subquery: ...].

  • No labels