File Sumo



The split operator allows you to split strings into multiple strings, and parse delimited log entries, such as space-delimited formats.

To parse log entries from CSV files, you can use the simpler CSV operator.

Syntax

Extract fields using the index:

  • split <field> extract 1 as <A>, 2 as <B>, 5 as <E>, 6 as <F>

Extract fields using position:

  • split <field> extract <A>, <B>, _, _, <E>, <F>
Use an underscore _ to skip the position.

Mix positional and index-based:

  • split <field> extract <A>, <B>, 5 as <E>, <F>

Specify a delimiter, escape, and quote character:

  • split <field> escape='\', delim=':', quote='' extract <A>, <B>, _, _, <E>, <F>

Rules

  • By default, the split operator uses a comma (,) as the delimiter, a backslash (\) as the escape character, and a quote (') as the quote character, though you can define your own if you like.
  • If you define your own escape, delimiter, and quote characters, they must all be different.
  • A field to extract from is always required. To extract from your original message, use the _raw metadata field.
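
The rules and the three extract forms above can be checked offline with a small emulation. This is an added example in Python, not Sumo Logic's implementation: the function names and the sample line are constructed, the defaults are the ones this page states, and it assumes a bare name after "5 as <E>" takes the next position (6). It also shows why a delimiter inside a value shifts every later field unless the value is quoted or escaped.

```python
# Emulation for illustration only; not Sumo Logic's implementation.
def split_fields(text, delim=",", escape="\\", quote="'"):
    """Split text on delim, honouring an escape and a quote character."""
    if len({delim, escape, quote}) != 3:
        raise ValueError("escape, delimiter and quote characters must all differ")
    fields, current, in_quotes, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == escape and i + 1 < len(text):
            current.append(text[i + 1])   # escaped character is taken literally
            i += 1
        elif ch == quote:
            in_quotes = not in_quotes     # quote characters are not kept
        elif ch == delim and not in_quotes:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def extract(text, spec, **chars):
    """spec items: "name" (next position), "_" (skip), or (index, "name").

    Indexes are 1-based. Assumption: a bare name after an indexed item
    continues from that index, and a missing position yields None.
    """
    fields = split_fields(text, **chars)
    out, pos = {}, 0
    for item in spec:
        if isinstance(item, tuple):
            pos, name = item
        else:
            pos, name = pos + 1, item
        if name != "_":
            out[name] = fields[pos - 1] if pos <= len(fields) else None
    return out


# Constructed sample line: the third value contains the delimiter, so it is quoted.
SAMPLE = 'jdoe:1234:"session:42":denied:10.0.0.5:GET'

if __name__ == "__main__":
    by_index = [(1, "A"), (2, "B"), (5, "E"), (6, "F")]
    print(extract(SAMPLE, by_index, delim=":", quote='"'))
```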

Examples

Parsing a colon delimited file

For example, if you had a file with the following colon delimited log message:

You could parse the fields using the following query:

_sourceCategory=colon
| parse '] * *' as log_level, split_field
| split split_field delim=':' extract 1 as user, 2 as account_id, 3 as session_id, 4 as result

which produces results such as:

In another example, you could use the following query:

_sourceCategory=colon
| split _raw delim=':' extract 1 as user2, 2 as id, 3 as name

which provides results like:

Parsing a CSV file

Use the following query to extract comma delimited fields as specified:

_sourceCategory=csv
| split _raw delim=',' extract 1 as user2, 2 as id, 3 as name

which produces results such as:

Parsing a tab delimited file

Use this query to extract fields from a tab delimited log file.

You have to manually specify the tab character for the delim value.

_sourceCategory=sumo/zscaler
| split _raw delim=' ' extract 1 as Column1, 2 as dlpeng, 3 as cat

which produces this result:

Alternatively, you can use the parse operator to extract fields from a tab delimited log file. The following query produces the same result as the previous query.

_sourceCategory=sumo/zscaler
| parse '*\t*\t*\t' as Column1,dlpeng,cat