Skip to main content
Sumo Logic

Merge Operator

The Merge operator reduces a stream of events to a single event using a specified merge strategy. It is particularly useful as a subquery for the Transactionize operator. Each field can have a different merge strategy:

  • takeFirst - summarize the field using the earliest value
  • takeLast - summarize the field using the latest value
  • join with separator - reduce the field by combining all values into a single string with the specified separator between each value

Syntax

  • merge
    Merge _raw values and separate them with newlines. Adds a Time field containing the earliest timestamp.
  • merge [field] 
    Merge values of the named field using the takeFirst strategy by default
  • merge [field] [strategy] as [new_name]
    Merge values of field "foo" using the specified strategy and name the result new_name
  • merge [field] as [name], [field] [strategy], [field] join with [separator] as [name2] ... 
    Merge comma-delimited list of fields with separate merge strategies. Where no strategy is specified, takeFirst is implied

Rules

  • The special field _messageTime can only use strategies takeFirst and takeLast

Examples

The following query:

*  | parse "BytesSentPersec = \"*\"" as BytesPersec 
| merge BytesPersec join with "--", _messageTime takeLast

produces a result something like this:

To use the merge operator with the Transactionize operator, one good use case is when all log messages have a common field, for example, transaction_id or request_id. Using the merge operator with transactionize merges all the messages with the common fields, such as the following query:

_sourceCategory=travelweb
| parse regex "(?<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]) - "
| transactionize ip (merge ip takeFirst, _raw join with "\n\n\n") 

Which would provides results like the following. (Notice that all the logs from the same IP are now grouped in one record.)