sumo breaks if there is a line doesn't match the pattern

Question

sumo breaks if there is a line doesn't match the pattern

tkt028 opened this issue 8 years ago · 5 comments

Hi,
Sumo doesn't work if in data file, there is a line doesn't match the pattern. For example, this one doesn't work

$ cat all-logs1.log-RAT  | sumo search "https" | sumo parse " (*) - info: * - - [*]" as timezone, ip, timestamp | sumo count ip | render

Then I have to add the search "info", it works now!

$ cat all-logs1.log-RAT  | sumo search "https" | sumo search "info" | sumo parse " (*) - info: * - - [*]" as timezone, ip, timestamp | sumo count ip | render

_Id  _count  ip                
0    7       ::1               
1    5       ::ffff:127.0.0.1  
2    1       14.175.18.253     
3    2       113.185.22.46     
4    1       14.187.67.26

I think it's a common sense to ignore the data line which doesn't match the input pattern.

Thank you very much!
Cheers,
Khon

Answer 1 · 2017-01-13T02:51:03.000Z

That would be reasonable. I'll add that.

…

On Thu, Jan 12, 2017, 6:48 PM Khon Trieu ***@***.***> wrote: Hi, Sumo doesn't work if in data file, there is a line doesn't match the pattern. For example, this one doesn't work $ cat all-logs1.log-RAT | sumo search "https" | sumo parse " (*) - info: * - - [*]" as timezone, ip, timestamp | sumo count ip | render Then I have to add the search "info", it works now! $ cat all-logs1.log-RAT | sumo search "https" | sumo search "info" | sumo parse " (*) - info: * - - [*]" as timezone, ip, timestamp | sumo count ip | render _Id _count ip 0 7 ::1 1 5 ::ffff:127.0.0.1 2 1 14.175.18.253 3 2 113.185.22.46 4 1 14.187.67.26 I think it's a common sense to ignore the data line which doesn't match the input pattern. Thank you very much! Cheers, Khon — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#17>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAeFZ83lxEL3Cpw_R9EeB16jamYJkzKpks5rRuXpgaJpZM4LieJD> .

Answer 2 · 2017-01-13T02:52:13.000Z

@rcoh: thank you very much. I really like sumoshell for the convenience it offers. Thanks in advance!

Answer 3 · 2017-01-21T03:29:25.000Z

I don't think the log file uploaded if you meant to upload it.

Answer 4 · 2017-01-21T05:32:55.000Z

@rcoh : I planned to upload the file but I have no idea why it failed. But you got the idea, so we can ignore that input. Thank you!

Answer 5 · 2017-02-10T08:02:49.000Z

I can't reproduce the issue. Are you sure it isn't just that it's taking much longer if you don't filter info? I created this file:

matches [a=b]
matches [a=c]
no match
matches [a=d]
no match
matches [a=d]
no match
matches [a=d]

And ran this query:

➜  sumoshell git:(master) ✗ cat example/issue17 | sumo search | sumo parse "[a=*]" as a | sumo count a | render
_Id   _count   a   
2     3        d   
0     1        b   
1     1        c

You can see the output above (correct)