
In SumoLogic, is it possible to search on only text at the beginning of the log line?

For example, I'd like to match:

error : omg, something is on fire!

but not:

warning : smoke detected! probably just bob burning the popcorn-- no error :)

I've tried `^error:` and `parse "^error:"`, but neither seems to match.

Scott Wegner

1 Answer


The Parse Regex or Extract documentation states:

The Parse Regex operator (also called the extract operator) enables users comfortable with regular expression syntax to extract more complex data from log lines. Parse regex can be used, for example, to extract nested fields.

The above query can be specified using: `parse regex "^(?<errorlevel>error: )"`

Assuming that the regex query is more expensive than free-text, you could pre-filter using: `"error: " | parse regex "^(?<errorlevel>error: )"`.

Scott Wegner
  • Please note that for some reason, currently (almost 8 years later) that `parse regex "^(?error: )"` doesn't work for me. But what does work is `parse regex "(?.*?)^error: "`, for some reason. (The `^` seems optional, but I keep it in there for clarity. Note that https://help-opensource.sumologic.com/docs/search/search-query-language/parse-operators/parse-variable-patterns-using-regex/#rules says "Each expression always starts matching from the beginning of the message string.") – MarnixKlooster ReinstateMonica Nov 03 '22 at 16:12
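As an added illustration (not code from the answer, the comment, or Sumo Logic), the two-stage query from the answer, `"error: " | parse regex "^(?<errorlevel>error: )"`, modelled in JavaScript over constructed log lines so the effect of the `^` anchor can be seen directly. It assumes Sumo Logic's `(?<name>...)` named group behaves like the ECMAScript named group used here.

```javascript
// Added example, not code from the answer or from Sumo Logic: a small model
// of the answer's pipeline
//   "error: " | parse regex "^(?<errorlevel>error: )"
// run over constructed log lines, to show what the ^ anchor changes.
// Assumption: Sumo Logic's (?<name>...) named-group syntax behaves like the
// ECMAScript named group used below.

// Constructed sample lines. The first two are the two from the question;
// the other two were added to exercise the anchor.
const SAMPLE_LOGS = [
  "error : omg, something is on fire!",
  "warning : smoke detected! probably just bob burning the popcorn-- no error :)",
  "error: disk /var is 99% full",
  "info: retry succeeded after earlier error: timeout",
];

// Stage 1: the free-text pre-filter "error: " (a plain substring test).
function freeTextFilter(lines, needle = "error: ") {
  return lines.filter((line) => line.includes(needle));
}

// Stage 2: parse regex with a named group. `anchored` toggles the ^ so both
// behaviours can be compared on the same input.
function parseRegex(lines, anchored = true) {
  const re = anchored ? /^(?<errorlevel>error: )/ : /(?<errorlevel>error: )/;
  const out = [];
  for (const line of lines) {
    const m = re.exec(line);
    if (m) out.push({ line, errorlevel: m.groups.errorlevel });
  }
  return out;
}

// The full pipeline as the answer writes it: pre-filter, then extract.
function runQuery(lines, anchored = true) {
  return parseRegex(freeTextFilter(lines), anchored);
}

// Unanchored, the "info:" line leaks through because "error: " appears
// mid-message; anchored, only lines that *start* with "error: " survive.
// Note that a line written "error : ..." (space before the colon) matches
// neither form: the literal text in the regex has to match exactly.
console.log(runQuery(SAMPLE_LOGS, false).map((r) => r.line));
console.log(runQuery(SAMPLE_LOGS, true).map((r) => r.line));
```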