How do you record 0 (zero) results in a Sumo Logic log search?
I'm trying to produce a dashboard for quick identification of system issues using Sumo Logic.
We currently log specific strings in our system when certain code paths are executed. For example:
def get_alerts():
log.info(event=LogEvents.GET_ALERTS_STARTED)
...
In the case of potentially unwanted system behaviour we log inside blocks of business logic:
...
elif is_last_import_is_after_start_of_new_import_interval:
log.warn(
event=LogEvents.POTENTIAL_IMPORT_DUPLICATION,
reason="last import occured after the start of the new import interval",
)
...
The problem is that when there are no potentially unwanted system behaviours (such as no instances of POTENTIAL_IMPORT_DUPLICATION), the log line is never printed, so my query fails.
The query I'm using is as follows:
_sourceCategory=infosec/edr/logs/prod
| json "message" as msg
| json field=msg "message"
| count(message) by message
| if (message matches "POTENTIAL_IMPORT_DUPLICATION", _count, 0)
The final line here (if (message matches "POTENTIAL_IMPORT_DUPLICATION", _count, 0)), is my latest attempt to output 0 to the results table if no log messages match that string. Instead, the results table just fails to include the string:
Can anyone help me with getting an additional row in this table that would potentially read:
| message | _count |
|---|---|
| POTENTIAL_IMPORT_DUPLICATION | 0 |
You need to use the | fillmissing operator.
(Disclaimer: I am currently employed by Sumo Logic)
- Why am I getting "No SLF4J Providers found" in my Scala + AKKA Jar?
- How to configure FastAPI logging so that it works both with Uvicorn locally and in production?
- How to write to a file, using the logging Python module?
- Why does redefining Write-Progress in PowerShell break the command?
- Mosquitto log files not generating
- How to Customize the time format for Python logging?
- C# NLog: Why doesn't it produce output?
- spring boot command line run not using logback-spring.xml
- How to make Rails.logger.debug print hash more readable
- How to disable the logging of Uvicorn?
- How do I get my FastAPI application's console log in JSON format with a different structure and different fields?
- Why logs appear to be parsed correctly by Fluent-Bit but don't show up in Opensearch-Dashboards?
- When to use the different log levels
- Can filebeat dissect a log line with spaces?
- Get spring framework logging in wildfly
- adding user ip and user id to logfile in flask application
- python - Which is the better way to enable/disable logging?
- Extract the extra fields in logging call in log formatter
- How to rotate logs in laravel using logrotate?
- Configuring different Loggers in NLog to output in different log-levels, but to the same target
- I want to display the file Name in the log statement
- logback - show only errors in catalina.out
- Logging All HTTP Request and Response from done through an HTTP Client
- Is it possible to change colors in serilog?
- Redirect Qemu console to a file or the host terminal?
- Movesense data logger for ECG
- Git log output to XML, JSON, or YAML?
- logback: Two appenders, multiple loggers, different levels
- How to print the number of observations dropped by tidyverse's functions like filter or drop_na?
- Logger message + Serilog = performance issues?