
Sumologic: calculate a value from two log queries

I have two log queries from the same stream that both return the number of log messages that match the search criteria.

First I want to get the number of incoming blobs as follows:

namespace=ns cluster=we container=project1
| where %"log.@m" matches "*About to handle incoming blob*"
| count as Incoming

Then I have another log query to get the number of successfully handled blobs from the same stream. The only difference is in the "matches" clause:

namespace=ns cluster=we container=project1
| where %"log.@m" matches "*successfully handled blob*"
| count as Success

I'd like to calculate the ratio, i.e. Success / Incoming, but I can't find the right way to achieve that. I've tested subqueries, the metrics explorer and some other ideas that Google provided but with no success. Any pointers are welcome.

asked Oct 27 '25 06:10

Andras


2 Answers

You can combine these two queries into one. You could do that by calculating whether the line matches your pattern and storing that information as a new field. Something like this (I haven't tested):

namespace=ns cluster=we container=project1
| %"log.@m" matches "*successfully handled blob*" as success

Or actually you would rather convert that to a numeric value (so it's easier to aggregate on):

namespace=ns cluster=we container=project1
| if (%"log.@m" matches "*successfully handled blob*", 1, 0) as success

and then with that you can aggregate:

...
| sum(success) as successCount, count as totalCount
| successCount / totalCount as successRatio

Disclaimer: I am currently employed by Sumo Logic

answered Oct 29 '25 21:10

Grzegorz Oledzki


Thanks Grzegorz for your hint, it helped me find the correct response. In my case there are many different messages so I had to add an extra filter. Here's the final query I've come up with:

namespace=ns cluster=we container=project1
| where (%"log.@m" matches "*successfully handled blob*" or %"log.@m" matches "*About to handle incoming blob*")
| if (%"log.@m" matches "*successfully handled blob*", 1, 0) as success
| sum(success) as successCount, count as totalCount
| (successCount / (totalCount - successCount)) * 100 as ratio
| format("%.0f",ratio) as successRatio
| fields successRatio

answered Oct 29 '25 23:10

Andras
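
The arithmetic of the two answers, replayed offline as an added Python example (not code from either answer): it shows why the final query filters first and divides by `totalCount - successCount`. The sample messages are constructed, and the wildcard `matches` is emulated with `fnmatchcase`, which is an assumption of this sketch.

```python
from fnmatch import fnmatchcase

INCOMING = "*About to handle incoming blob*"
SUCCESS = "*successfully handled blob*"

# Constructed sample messages (not real log data): 4 incoming, 2 handled, 2 unrelated.
SAMPLE = [
    "About to handle incoming blob a1",
    "successfully handled blob a1",
    "About to handle incoming blob a2",
    "Cache refreshed",
    "About to handle incoming blob a3",
    "successfully handled blob a3",
    "About to handle incoming blob a4",
    "Heartbeat ok",
]


def flag(message):
    """Emulates: if (msg matches SUCCESS, 1, 0) as success."""
    return 1 if fnmatchcase(message, SUCCESS) else 0


def ratio_without_filter(messages):
    """sum(success) / count over every line: unrelated messages inflate the denominator."""
    if not messages:
        return None
    return sum(flag(m) for m in messages) / len(messages) * 100


def ratio_with_filter(messages):
    """Final query: keep only the two message types, then success / incoming."""
    kept = [m for m in messages
            if fnmatchcase(m, SUCCESS) or fnmatchcase(m, INCOMING)]
    success_count = sum(flag(m) for m in kept)
    total_count = len(kept)                   # incoming + success lines
    incoming = total_count - success_count    # what is left after removing successes
    if incoming == 0:
        return None                           # no incoming blobs in the window: ratio undefined
    return success_count / incoming * 100


if __name__ == "__main__":
    print("unfiltered: %.0f%%" % ratio_without_filter(SAMPLE))
    print("filtered:   %.0f%%" % ratio_with_filter(SAMPLE))
```
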


