Sumologic "full outer join" on transaction id

Question

Is there some way to get full outer join functionality with sumologic? The JOIN operator seems to give inner join

I have a logstream with stageA and stageB and I want to identify where there is a logline for stageA but not stageB for a shared identifier

{ id: '12324', stage: 'a' }
{ id: '12324', stage: 'b' }
{ id: '3467', stage: 'a' }

I would want results to only have id: '3467' since the other id has both stages.

score 4 · Accepted Answer · answered Jan 09 '17 at 18:54

Here is the query that I ended up with

parse id
transactionize on id
merge loglines on id within transaction
filter for transactions where stage b doesnt exist

exclude most recent loglines since transaction may span the query window

("id")
| parse "id: *," as id 
| transactionize id (merge id, _raw join with "\n\n") 
| where !(_raw matches "*stage: \'b\'*") and _messageTime < now() - 1000*60*4

Sumologic "full outer join" on transaction id

1 Answers1