
I would like to compare dates using a Sumo Logic query. Those dates are sent once per day (so the Sumo Logic log receive dates are not useful in this case) and the field is called "date". That field contains the exact date of the triggered event, following this format:

date:"YYYY-MM-DDTHH:MM:SSZ"

In order to have visibility into the difference between the current events and the events from the last 24 hours, I think the first step is to get yesterday's events; however, I don't know how to do that comparison. I have the following:

| json "field1", "date" as field1, date
| where field1 matches "MATCH_RULE" and date <= 2
| count by field1

So I expect to get access to yesterday's events. As a next step, I will compute the difference between that number of events and the current ones.

Michael
nicg
  • It's hard to answer if we don't know how your data is sent to Sumo. I.e. typically people send the current data (i.e. the data is sent as soon as it's "produced"). Your setup seems different - some kind of periodic sending of past data. So the answer all depends on what this periodic sending of past data looks like. – Grzegorz Oledzki Oct 27 '22 at 15:02
  • Yes. I know the logs are commonly sent when they are produced. However, the behavior of the integration between Sumo and the other tool (which generates the data) is not the best. So for now, we have this configuration in place. Answering your question, the data is pulled every day at 6 am. That bundle of data contains multiple fields and in particular the "date" field that I want to use. – nicg Oct 27 '22 at 15:45
  • Then most likely you want to run a query for -24h and group by some identifiers. – Grzegorz Oledzki Oct 27 '22 at 19:56
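As an added illustration, not from the question or its comments, here is a stand-alone Python version of the comparison the asker describes: events are bucketed into the current and previous 24-hour windows by their own "date" field (not by ingest time), counted per field1, and the two counts are subtracted. The sample records and the 6 am reference time are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like the asker's JSON logs: a "field1"
# value and a "date" in the "YYYY-MM-DDTHH:MM:SSZ" format. All values are made up.
SAMPLE_EVENTS = [
    {"field1": "MATCH_RULE", "date": "2022-10-25T07:15:00Z"},  # previous window
    {"field1": "MATCH_RULE", "date": "2022-10-25T18:40:00Z"},  # previous window
    {"field1": "OTHER_RULE", "date": "2022-10-25T09:00:00Z"},  # previous window
    {"field1": "MATCH_RULE", "date": "2022-10-26T12:05:00Z"},  # current window
    {"field1": "OTHER_RULE", "date": "2022-10-26T13:30:00Z"},  # current window
    {"field1": "OTHER_RULE", "date": "2022-10-27T05:59:00Z"},  # current window
    {"field1": "MATCH_RULE", "date": "2022-10-24T23:59:59Z"},  # older than 48h, ignored
]

DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed reference point: the daily 6 am pull mentioned in the comments (UTC assumed).
REFERENCE_TIME = datetime(2022, 10, 27, 6, 0, tzinfo=timezone.utc)


def parse_event_date(value):
    """Parse the event's own 'date' field; the trailing Z means UTC."""
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def count_by_window(events, now, window=timedelta(hours=24)):
    """Count events per field1 in two windows keyed on the event date:
    current = (now-24h, now], previous = (now-48h, now-24h]. Older events are dropped."""
    current, previous = Counter(), Counter()
    for ev in events:
        ts = parse_event_date(ev["date"])
        if now - window < ts <= now:
            current[ev["field1"]] += 1
        elif now - 2 * window < ts <= now - window:
            previous[ev["field1"]] += 1
    return current, previous


def daily_delta(events, now):
    """Per-field1 difference (current - previous), covering keys seen in only one window."""
    current, previous = count_by_window(events, now)
    return {k: current[k] - previous[k] for k in set(current) | set(previous)}


if __name__ == "__main__":
    for rule, diff in sorted(daily_delta(SAMPLE_EVENTS, REFERENCE_TIME).items()):
        print(f"{rule}: {diff:+d}")
```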

0 Answers