0

I am passing the following request to the Sumo Logic application and receiving "unparsable query" as the output. What is the problem in this query? Am I missing some escape strings?

String searchJobId = sumoClient.createSearchJob(
    "_sourceCategory=na2_*_incomingaudit | parse regex \"^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3} (?<host>[^ ]+) (?<tenant>[^ ]+) (?<identity>[^ ]+) (?<correlation_id>[^ ]+) (?<win32ThreadId>[^ ]+) (?<elapsedtime>[^ ]+) (?<context>[^ ]+) (?<message>[^ ]+) (?<exception>[^ ]+) (?<request>[^ ]+) (?<response>[^ ]+)\" | parse regex \"app=(?<app>[^ ]+)\" | parse regex \"appv=(?<appversion>[^ ]+\") | where app in (\"ios-mobile\",\"android-mobile\") | count by tenant | where tenant<> \"-\" | sort by _count",
    Long.toString(startTimestamp),
    Long.toString(endTimestamp),
    "UTC");

Note: This is updated with the suggestions below, and I couldn't make it work.

ROMANIA_engineer
Karthi
  • I'm not familiar with Sumo Logic, but I notice this section has a start quote but no end quote `parse regex \"appv=(?[^ ]+) ` – DHall Apr 17 '15 at 19:03
  • I added double quotes and am getting the same issue. – Karthi Apr 17 '15 at 19:08
  • The missing end quote that @DHall found and the extra space that Dagriel found are the only two problems I see. Hopefully you tried fixing both at once? Just checking. Since those are the known issues, can you add the updated call to the post? – Brian Stephens Apr 17 '15 at 19:24
  • I have updated the request with the changes mentioned by DHall and Dagriel @BrianStephens, but the problem still persists. – Karthi Apr 17 '15 at 20:09

2 Answers

2

Your closing quote is coming before the close of the capture group in the following parse statement of your query.

parse regex \"appv=(?<appversion>[^ ]+\")

Try to change to:

parse regex \"appv=(?<appversion>[^ ]+)\"
Kevin
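An added example, not part of the original posts: a small Java pre-flight lint that splits the query into pipeline stages on `|` outside double quotes and flags any `parse regex` stage whose closing quote lands before the end of the pattern, which is the defect described in the answer above. The class and method names are hypothetical, and the check is a heuristic written for this illustration, not Sumo Logic's own parser.

```java
import java.util.ArrayList;
import java.util.List;
// Hypothetical lint helper (not part of the Sumo Logic client): checks "parse regex"
// stages locally so a misplaced quote is caught before the search job is created.
public class ParseRegexLint {
    // Split the query into pipeline stages on '|' outside double quotes.
    static List<String> stages(String query) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean inQuote = false;
        for (char c : query.toCharArray()) {
            if (c == '"') inQuote = !inQuote;
            if (c == '|' && !inQuote) { out.add(cur.toString().trim()); cur.setLength(0); }
            else cur.append(c);
        }
        out.add(cur.toString().trim());
        return out;
    }
    // Returns null when the stage passes, otherwise a description of the problem.
    static String check(String stage) {
        if (!stage.startsWith("parse regex")) return null;
        int open = stage.indexOf('"'), close = stage.lastIndexOf('"');
        if (open < 0 || close == open) return "pattern is not a complete quoted string";
        String tail = stage.substring(close + 1);
        // Assumption: anything legitimately following the pattern is whitespace-separated.
        if (!tail.isEmpty() && !Character.isWhitespace(tail.charAt(0)))
            return "unexpected text after closing quote: " + tail;
        int depth = 0;
        boolean inClass = false;
        for (int i = open + 1; i < close; i++) {
            char c = stage.charAt(i);
            if (c == '\\') i++;                      // skip the escaped character
            else if (c == '[') inClass = true;       // parentheses in [...] are literals
            else if (c == ']') inClass = false;
            else if (!inClass && c == '(') depth++;
            else if (!inClass && c == ')' && --depth < 0) return "unmatched ')' in pattern";
        }
        return depth == 0 ? null : "unclosed '(' in pattern";
    }
    public static void main(String[] args) {
        // Constructed input: two stages from the question, then the corrected form.
        String broken = "_sourceCategory=na2_*_incomingaudit | parse regex \"app=(?<app>[^ ]+)\""
            + " | parse regex \"appv=(?<appversion>[^ ]+\") | count by tenant";
        String fixed = broken.replace("[^ ]+\")", "[^ ]+)\"");
        for (String q : List.of(broken, fixed))
            for (String s : stages(q))
                if (check(s) != null) System.out.println(check(s) + " -> " + s);
    }
}
```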
1

You have an extra space at the beginning:

parse regex  \"^[0-  9]{
Dagriel