Sumo Logic count various errors over time

Question

I am trying to create a view of various kinds of errors over time, to display as stacked bar chart or stacked area. Each kind of error can be identified by matching a string (e.g., "No endpoint listening", "timed out", "User not found"), but these strings could be anywhere within the message. I want something like this non-working pseudocode:

_sourceCategory = XXX AND error 
| (message contains "No endpoint listening" ? "NoEndpointError" : null) as ErrorType
| (message contains "timed out" ? "TimeoutError " : null) as ErrorType
....
| timeslice 10m
| count by ErrorType, _timeslice

How can I get a collation like this?

score 3 · Accepted Answer · answered Mar 10 '21 at 05:13

Something like this should do

 _sourceCategory=XX error 
| if (_raw matches "*Got error while*", "Error1",   
  if (_raw matches "*TimeoutException*", "Error2",     
  if (_raw matches "*AvroRuntimeException*", "Error3", "Error4")    
  )) as ErrorCode  
| timeslice 10m
| count by ErrorCode, _timeslice
| transpose row _timeslice column ErrorCode

Sumo Logic count various errors over time

1 Answers1