TechQA.

Sumologic "full outer join" on transaction id

2k views Asked by At

Is there some way to get full outer join functionality with sumologic? The JOIN operator seems to give inner join

I have a logstream with stageA and stageB and I want to identify where there is a logline for stageA but not stageB for a shared identifier

{ id: '12324', stage: 'a' }
{ id: '12324', stage: 'b' }
{ id: '3467', stage: 'a' }

I would want results to only have id: '3467' since the other id has both stages.

sumologic
Original Q&A
1

There are 1 answers

0
smashbourne On BEST ANSWER

Here is the query that I ended up with

  1. parse id
  2. transactionize on id
  3. merge loglines on id within transaction
  4. filter for transactions where stage b doesnt exist

  5. exclude most recent loglines since transaction may span the query window

    ("id")
| parse "id: *," as id 
| transactionize id (merge id, _raw join with "\n\n") 
| where !(_raw matches "*stage: \'b\'*") and _messageTime < now() - 1000*60*4

Related Questions in SUMOLOGIC

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions