4

I'm trying to do a Sumo Logic search for logs matching the following regular expression:

"Authorization \d+ for story is not voided. Story not removed"

That is, the \d+ consists of one or more digits, but it doesn't matter what they are exactly.

Based on the search examples cheat sheet (https://help.sumologic.com/05Search/Search-Cheat-Sheets/General-Search-Examples-Cheat-Sheet), I've tried to use a * | parse regex pattern for this, but that doesn't work:

I get a 'No capture group found in regex' error. I'm actually not really interested in capturing the digits, though, just in matching the regular expression in my search. How can I achieve this?

Kurt Peek

1 Answer

9

I managed to get it to work in two ways. Firstly, using the regular parse instead of parse regex:

* | parse "Authorization * for story is not voided. Story not removed" as id |
count by _sourceHost | sort by _count

or, when using a regular expression, it needs to be a named group:

* | parse regex "Authorization (?<id>\d+) for story is not voided. Story not removed" |
count by _sourceHost | sort by _count
Kurt Peek
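
An added example, not part of the original post: an offline check of the answer's pattern against constructed log lines, reproducing the parse regex, count by _sourceHost and sort steps in Python. The host names, sample messages and function names are assumptions made for illustration; the pattern uses Python's (?P<id>...) spelling for the named group and escapes the literal dots.

```python
import re
from collections import Counter

# Same pattern as the answer's parse regex, with two changes labelled here:
# Python spells a named group (?P<id>...) where Sumo Logic uses (?<id>...),
# and the literal dots are escaped so "." cannot match an arbitrary character.
PATTERN = re.compile(
    r"Authorization (?P<id>\d+) for story is not voided\. Story not removed"
)

# Constructed sample records: (source host, raw message). Host names are made up.
SAMPLE_LOGS = [
    ("web-01", "WARN Authorization 1001 for story is not voided. Story not removed"),
    ("web-02", "WARN Authorization 77 for story is not voided. Story not removed"),
    ("web-01", "WARN Authorization 1002 for story is not voided. Story not removed"),
    ("web-03", "INFO Authorization 55 for story is voided. Story removed"),
    ("web-02", "WARN Authorization abc for story is not voided. Story not removed"),
    ("web-01", "WARN Authorization  for story is not voided. Story not removed"),
]


def parse_regex(records):
    """Keep only records the pattern matches and attach the captured id.

    Non-matching messages are dropped, so the parse step also acts as the
    filter the question asks for.
    """
    parsed = []
    for host, raw in records:
        match = PATTERN.search(raw)
        if match:
            parsed.append({"_sourceHost": host, "id": match.group("id")})
    return parsed


def count_by_source_host(parsed):
    """Count records per host, largest count first (ties broken by host name)."""
    counts = Counter(record["_sourceHost"] for record in parsed)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for host, count in count_by_source_host(parse_regex(SAMPLE_LOGS)):
        print(host, count)
```
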