Druid Metrics to Sumologic

Good day,

I configured the emitter in realtime nodes to post metrics to Sumologic:

[{"feed":"metrics","timestamp":"2016-11-16T03:00:10.306Z","service":"realtime","host":"10.147.138.174:8084","metric":"ingest/events/thrownAway","value":0,"dataSource":"UI-druidDataSource"},
{"feed":"metrics","timestamp":"2016-11-16T03:00:10.306Z","service":"realtime","host":"10.147.138.174:8084","metric":"ingest/events/unparseable","value":0,"dataSource":"UI-druidDataSource"},
{"feed":"metrics","timestamp":"2016-11-16T03:00:10.306Z","service":"realtime","host":"10.147.138.174:8084","metric":"ingest/events/processed","value":2252,"dataSource":"UI-druidDataSource"},
{"feed":"metrics","timestamp":"2016-11-16T03:00:10.306Z","service":"realtime","host":"10.147.138.174:8084","metric":"ingest/rows/output","value":0,"dataSource":"UI-druidDataSource"},
{"feed":"metrics","timestamp":"2016-11-16T03:00:10.306Z","service":"realtime","host":"10.147.138.174:8084","metric":"ingest/persists/count","value":0,"dataSource":"UI-druidDataSource"},
{"feed":"metrics","timestamp":"2016-11-16T03:00:10.306Z","service":"realtime","host":"10.147.138.174:8084","metric":"ingest/persists/time","value":0,"dataSource":"UI-druidDataSource"},
{"feed":"metrics","timestamp":"2016-11-16T03:00:10.306Z","service":"realtime","host":"10.147.138.174:8084","metric":"ingest/persists/cpu","value":0,"dataSource":"UI-druidDataSource"},
{"feed":"metrics","timestamp":"2016-11-16T03:00:10.306Z","service":"realtime","host":"10.147.138.174:8084","metric":"ingest/persists/backPressure","value":0,"dataSource":"UI-druidDataSource"},
{"feed":"metrics","timestamp":"2016-11-16T03:00:10.306Z","service":"realtime","host":"10.147.138.174:8084","metric":"ingest/persists/failed","value":0,"dataSource":"UI-druidDataSource"},
{"feed":"metrics","timestamp":"2016-11-16T03:00:10.306Z","service":"realtime","host":"10.147.138.174:8084","metric":"ingest/handoff/failed","value":0,"dataSource":"UI-druidDataSource"},
{"feed":"metrics","timestamp":"2016-11-16T03:00:10.306Z","service":"realtime","host":"10.147.138.174:8084","metric":"ingest/merge/time","value":0,"dataSource":"UI-druidDataSource"},
{"feed":"metrics","timestamp":"2016-11-16T03:00:10.306Z","service":"realtime","host":"10.147.138.174:8084","metric":"ingest/merge/cpu","value":0,"dataSource":"UI-druidDataSource"}]


That is one message sent to Sumologic every minute. Up to there, all good.

My problem is that I can't find a way to parse that message and create an alert based on, let's say, the ingest/handoff/failed metric when the value is greater than zero.

I tried with:

_sourceCategory=staging/dataplatform/druid | json field=_raw "[*].metric", "[*].value" as metric, value

But that creates 2 columns, metric and value, with arrays, and I can't filter by metric to get the value.

I can use "[*].metric[9]" to get "ingest/handoff/failed", but how can I be sure that index is always going to be "ingest/handoff/failed"?

Any help or guidance is appreciated.

Thanks in advance.

Hi,

I am not sure if there are many Sumologic experts in this group.
Could you post this question in the Sumologic forums?

Thanks, I will. If I get any answer I will update here too.

Regards.
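
An added example, not part of the original thread: one way to pick metrics out of the emitted batch by name instead of by array position, so the alert no longer depends on `ingest/handoff/failed` being element 9. The `RULES` table, the helper names and the sample batch are constructed for illustration, and the check runs outside Sumologic (for example on a copy of the emitter payload).

```python
import json

def _event(metric, value):
    # Constructed sample event in the shape of the emitter payload shown above.
    return {"feed": "metrics", "timestamp": "2016-11-16T03:00:10.306Z",
            "service": "realtime", "host": "10.147.138.174:8084",
            "metric": metric, "value": value,
            "dataSource": "UI-druidDataSource"}

# Constructed batch: handoff/failed is deliberately NOT at index 9.
SAMPLE_BATCH = json.dumps([
    _event("ingest/events/processed", 2252),
    _event("ingest/handoff/failed", 3),
    _event("ingest/persists/failed", 0),
])

# Hypothetical rule table: alert when value > threshold for that metric name.
RULES = {"ingest/handoff/failed": 0, "ingest/persists/failed": 0}

def find_alerts(raw, rules=RULES):
    """Return one alert dict per event whose metric exceeds its threshold."""
    try:
        events = json.loads(raw)
    except ValueError as exc:
        raise ValueError(f"batch is not valid JSON: {exc}") from exc
    if isinstance(events, dict):      # tolerate a single unbatched event
        events = [events]
    alerts = []
    for ev in events:
        if not isinstance(ev, dict) or ev.get("feed") != "metrics":
            continue                  # skip non-metric or malformed entries
        name, value = ev.get("metric"), ev.get("value")
        if not isinstance(name, str) or name not in rules:
            continue
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            continue                  # a non-numeric value cannot be compared
        if value > rules[name]:
            alerts.append({"metric": name, "value": value,
                           "host": ev.get("host"),
                           "dataSource": ev.get("dataSource"),
                           "timestamp": ev.get("timestamp")})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_BATCH):
        print(alert)
```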