Sumo Logic currently has the ability to extract known fields on ingest, making them available for searches, much like the Splunk query provided above. Dynamic fields, such as new KVPs that are logged out are able to be pulled out in the query with one extra step, as follows:
| kv infer "event","price" | sum(price) by event | where price >2
The kv operator refers to key value pairs. There is also a json operator which functions the same way.
| kv infer "event","price" | sum(price) by event | where price >2
The kv operator refers to key value pairs. There is also a json operator which functions the same way.