I’ve gone through the Sumo Logic documentation but I can’t figure out how to extract map key values in Sumo Logic. So I have a JSON that looks like this:
```json
{
  "eventType": "DummyEvent",
  "subEventType": {
    "subEventType1": 100,
    "subEventType2": 200,
    "subEventType3": 200
  }
}
```
And I published this JSON under the logData key, so I get the exact JSON, eventType and subEventType in 3 columns when I query Sumo Logic with:

```
_sourcecategory = "event-extractor-dev" "Event Metadata"
| json field=logData "eventType", "subEventType"
| where eventType matches "*"
```
But I’m struggling to figure out how I can group by the map’s key values. For example, we can have different eventType and subEventType values, and I want to see how many subEvents there are per eventType. Something like this:

| EventType | Sub EventType | Count |
|---|---|---|
| EventType A | Sub Event Type A1 | 100 |
| EventType A | Sub Event Type A2 | 200 |
| EventType B | Sub Event Type B1 | 300 |
| EventType B | Sub Event Type B2 | 200 |
I’ve tried using keyvalue and regex in Sumo Logic, but it’s not working:

```
| keyvalue field=subEventType "*:*" keys
```
I’ve also tried to use regex, but it’s failing too:

```
| parse regex field=subEventType ""(?<subEventType>[^"]+)":(?<count>\d+)" multi as subEventType, count
| sum(toLong(count)) as count by eventType, subEventType
| sort by eventType, subEventType
```

But I’m getting `unexpected token 'a' found` after the `multi`. I’m not sure what I’m doing wrong here.
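As an added, offline illustration (not part of the question above and not Sumo Logic query syntax), the following Python shows the two extraction strategies the question circles around: a multi-match regex over the raw subEventType text, where each `"key": number` pair becomes its own match (one row per match, which is the shape a grouped sum needs), and a plain JSON parse that iterates the map's items directly. Both feed the same sum per (eventType, subEventType). All records, event names and counts are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample records in the same shape as the question: each record
# carries the event JSON under a "logData" key (all values are made up).
SAMPLE_RECORDS = [
    {"logData": json.dumps({"eventType": "EventType A",
                            "subEventType": {"Sub Event Type A1": 100,
                                             "Sub Event Type A2": 200}})},
    {"logData": json.dumps({"eventType": "EventType B",
                            "subEventType": {"Sub Event Type B1": 300,
                                             "Sub Event Type B2": 200}})},
    # A second record for EventType A so the sum actually adds something.
    {"logData": json.dumps({"eventType": "EventType A",
                            "subEventType": {"Sub Event Type A1": 50}})},
]

# Regex counterpart of the "parse regex ... multi" idea: one match per
# "key": number pair inside the subEventType object. The named groups
# mirror the column names used in the question.
PAIR_RE = re.compile(r'"(?P<subEventType>[^"]+)"\s*:\s*(?P<count>\d+)')


def pairs_by_regex(sub_event_json):
    """Return (key, count) tuples found in the raw subEventType JSON text."""
    return [(m.group("subEventType"), int(m.group("count")))
            for m in PAIR_RE.finditer(sub_event_json)]


def pairs_by_json(sub_event_obj):
    """Same result via a real JSON parse: iterate the map's items directly."""
    return [(key, int(value)) for key, value in sub_event_obj.items()]


def aggregate(records, use_regex=True):
    """Sum counts per (eventType, subEventType) across all records.

    Returns a sorted list of (eventType, subEventType, count) tuples,
    i.e. the table the question asks for.
    """
    totals = defaultdict(int)
    for record in records:
        event = json.loads(record["logData"])
        sub = event["subEventType"]
        pairs = (pairs_by_regex(json.dumps(sub)) if use_regex
                 else pairs_by_json(sub))
        for key, count in pairs:
            totals[(event["eventType"], key)] += count
    return sorted((e, s, c) for (e, s), c in totals.items())


if __name__ == "__main__":
    for event_type, sub_event_type, count in aggregate(SAMPLE_RECORDS):
        print(f"{event_type:12} | {sub_event_type:18} | {count}")
```

The regex path is the one to check when the key names are not known in advance, since it does not need the keys listed anywhere; the JSON path is the one to prefer whenever the map is already parsed as an object, because it cannot be confused by a value that happens to contain quotes or colons.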