Demonstrates how to use Sumo Logic query language

1. Sumo Filter Explanation.md

Take log message and parse as JSON (create new column jsonobj):

parse "*" as jsonobj

Take new jsonobj column and create a new column for the specified key in the JSON:

json field=jsonobj "my-obj-key"

Allow extracting multiple keys from the json object:

json field=jsonobj "event", "url" as event, url

Extract a regex match:

parse regex field=url "cps/asset/(?<asset_id>[^?]+)"

Requires the use of a named capturing group
(?<your_name>pattern_here)

Indicate case insensitivity with (?i):

(?<a_match>(?i)topics)

Parse contents out from the default message column:

_collector=Mozart | where component="mozart-routing" | where environment="int" | parse "HTTPD*" as Apache

You can use a different format as well:

(_collector=Mozart) environment = "live" component = "mozart-composition"

Sumo Logic.xq

_collector=Newsbeat AND read_feed | where environment = "live" | where component = "newsbeat-most-popular-renderer"

_collector=Mozart | where component="mozart-composition" | where environment="int" | parse "*" as jsonobj | json field=jsonobj "event" | where event="ComponentLoaded"

_collector= Newsbeat | parse "*" as jsonobj | json field=jsonobj "event", "url" as event, url | where component="newsbeat-article-renderer" | parse regex field=url "cps/asset/(?<asset_id>[^?]+)"

_collector= Newsbeat | parse "*" as jsonobj | json field=jsonobj "event", "url" as event, url | where component="newsbeat-article-renderer" | parse regex field=event "(?<a_match>(?i)topics)"