Format timeslice sumologic
Sumo Logic lets you access your logs through a powerful query language. In addition to searching for individual log messages, you may extract, transform, filter and aggregate data from them using a sequence of operators. There are currently about two dozen operators available and we are constantly adding new ones. In this post I want to introduce you to a recent addition to the toolbox, the transpose operator.

Let's say you work for an online brokerage firm, and your trading server logs lines that look like the following, among other things:

There is a wealth of information in this log line, but to keep it simple, let's focus on the last number, in this case 449, which is the server response time in milliseconds. We are interested in finding out the distribution of this number, so as to know how quickly individual trades are processed. One way to do that is to build a histogram of the response time using the following query:

Stocktrade | extract "(?<response_time>\d+$)" | toInt(ceil(response_time/100) * 100) as response_time | count by response_time

Here we start with a search for "stocktrade" to get only the lines we are interested in, extract the response time using a regular expression, round it up to the next 100 milliseconds, and count the occurrences of each number.

Now, it would also be interesting to see how the distribution changes over time. That is easy with the timeslice operator:

Stocktrade | timeslice 1m | extract "(?<response_time>\d+$)" | toInt(ceil(response_time/100) * 100) as response_time | count by _timeslice, response_time

This gets the data we want, but it is not presented in a format that is easy to digest. For example, in the table above, the first five rows give us the distribution of response time at 8:00, the next five rows at 8:01, etc. Wouldn't it be nice if we could rearrange the data into the following table?

Stocktrade | timeslice 1m | extract "(?<response_time>\d+$)" | toInt(ceil(response_time/100) * 100) as response_time | count by _timeslice, response_time | transpose row _timeslice column response_time

Here we tell the query engine to rearrange the table using time slice values as row labels, and response time as column labels. This is especially useful when the data is visualized.
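To make the shape of the data at each stage concrete, here is a small Python model of the same pipeline: keyword search, extracting the trailing number with a named group, rounding it up to the next 100 ms bucket, slicing time into one-minute buckets, counting by (timeslice, bucket), and finally transposing the long table into one row per timeslice with one column per bucket. This is an added example written for this page, not Sumo Logic's code or query engine; the log lines and the timestamp format are constructed, and the function names (bucket_response_time, timeslice, histogram_by_timeslice, transpose) are assumptions chosen to mirror the operators in the queries above.

```python
import math
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log lines (not from the original post). Each has an ISO
# timestamp, free-form fields, and the server response time in ms as the last number.
SAMPLE_LOGS = [
    "2024-01-15T08:00:03Z stocktrade user=alice symbol=ACME qty=100 449",
    "2024-01-15T08:00:17Z stocktrade user=bob symbol=ACME qty=50 120",
    "2024-01-15T08:00:41Z stocktrade user=carol symbol=XYZ qty=10 201",
    "2024-01-15T08:00:55Z heartbeat ok 7",
    "2024-01-15T08:01:02Z stocktrade user=dave symbol=XYZ qty=5 399",
    "2024-01-15T08:01:30Z stocktrade user=erin symbol=ACME qty=20 400",
    "2024-01-15T08:01:48Z stocktrade user=frank symbol=ACME qty=1 1023",
]

# Python equivalent of the post's extract "(?<response_time>\d+$)":
# a named group capturing the run of digits at the end of the line.
RESPONSE_TIME_RE = re.compile(r"(?P<response_time>\d+)$")


def bucket_response_time(ms, width=100):
    """toInt(ceil(response_time/100) * 100): round up to the next bucket edge."""
    return int(math.ceil(ms / width) * width)


def timeslice(ts, seconds=60):
    """timeslice 1m: floor the timestamp to the start of its slice, returned as a label."""
    epoch = int(ts.timestamp())
    start = datetime.fromtimestamp(epoch - epoch % seconds, tz=timezone.utc)
    return start.strftime("%Y-%m-%d %H:%M")


def parse_line(line):
    """Split a constructed log line into (timestamp, message text)."""
    ts_str, message = line.split(" ", 1)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, message


def matching_records(lines, keyword="stocktrade"):
    """The keyword search plus extract: yield (timestamp, bucketed response time)."""
    for line in lines:
        ts, message = parse_line(line)
        if keyword not in message.lower():
            continue
        m = RESPONSE_TIME_RE.search(message)
        if m is None:
            continue  # no trailing number: extract produces no field, so the line drops out
        yield ts, bucket_response_time(int(m.group("response_time")))


def histogram(lines):
    """count by response_time -> {bucket: count}"""
    return dict(Counter(bucket for _, bucket in matching_records(lines)))


def histogram_by_timeslice(lines):
    """count by _timeslice, response_time -> {(slice_label, bucket): count}, the long table."""
    return dict(Counter((timeslice(ts), bucket) for ts, bucket in matching_records(lines)))


def transpose(long_counts):
    """transpose row _timeslice column response_time.

    Turns the long (slice, bucket) -> count table into one row per slice with one
    column per bucket; cells with no data become 0 so every row has the same shape.
    """
    columns = sorted({bucket for _, bucket in long_counts})
    rows = {}
    for (slice_label, bucket), n in long_counts.items():
        rows.setdefault(slice_label, {c: 0 for c in columns})[bucket] = n
    return columns, {label: rows[label] for label in sorted(rows)}


def render(columns, rows):
    """Format the wide table the way a dashboard would show it."""
    out = ["_timeslice".ljust(18) + "".join(f"{c:>7}" for c in columns)]
    for label, cells in rows.items():
        out.append(label.ljust(18) + "".join(f"{cells[c]:>7}" for c in columns))
    return "\n".join(out)


if __name__ == "__main__":
    print(render(*transpose(histogram_by_timeslice(SAMPLE_LOGS))))
```

Running it prints two rows (08:00 and 08:01) with one column per response-time bucket, which is exactly the rearrangement the transpose operator performs: the long table has one row per (timeslice, bucket) pair, the wide one has one row per timeslice, and buckets that never occurred in a given minute show as 0 rather than being absent.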