Updated the search query with correct syntax (#5113)

* Updated the search query with right syntax

* Update docs/search/optimize-search-partitions.md

Co-authored-by: Kim (Sumo Logic) <[email protected]>

* Update docs/send-data/collect-from-other-data-sources/docker-collection-methods.md

Co-authored-by: Kim (Sumo Logic) <[email protected]>

* Update docs/send-data/collection/search-collector-or-source.md

Co-authored-by: Kim (Sumo Logic) <[email protected]>

* Update docs/send-data/collect-from-other-data-sources/docker-collection-methods.md

Co-authored-by: Kim (Sumo Logic) <[email protected]>

---------

Co-authored-by: Kim (Sumo Logic) <[email protected]>

Author: JV0812

docs/cse/troubleshoot/troubleshoot-parsers.md

@@ -32,7 +32,7 @@ The recommended method is to set `_siemForward = true` and `_parser = <path/to/p
 * At the [source](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/). Logs from an entire source will be forwarded to Cloud SIEM and the specified parser.
 * At the [collector](/docs/send-data/installed-collectors/). Logs from the collector and its child sources will be forwarded to Cloud SIEM and the specified parser
 * Using a [Field Extraction Rule (FER)](/docs/manage/field-extractions/create-field-extraction-rule/). 
-   * Often used to specify SIEM forwarding and the parser path by `sourceCategory`, but can also be used to filter specific subsets of logs for forwarding to Cloud SIEM (or not forwarded).
+   * Often used to specify SIEM forwarding and the parser path by `_sourceCategory`, but can also be used to filter specific subsets of logs for forwarding to Cloud SIEM (or not forwarded).
    * Sending subsets of logs to Cloud SIEM is useful as not all log data is useful from a security context.
 
 Many [Cloud-To-Cloud (C2C)](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/) sources set the `_parser` and `_siemForward` metadata within the parser, bypassing the need to manually specify for these sources.

docs/integrations/saas-cloud/citrix-cloud.md

@@ -55,7 +55,7 @@ This Citrix Cloud App uses [SystemLog](https://developer.cloud.com/citrix-cloud/
 ### Sample queries
 
 ```sql="Active Team Members"
-sourceCategory="citrixCloudSource"
+_sourceCategory="citrixCloudSource"
 | json "eventType","targetDisplayName","targetEmail","beforeChanges.AccessType","afterChanges.AccessType","actorType","message.en-US" as event_type,name, email, access_type_before, access_type_after, actor, message nodrop
 | where event_type matches("*platform/administrator/create*")
 | where actor matches"{{actor}}"

docs/manage/field-extractions/fer-templates/cisco-fwsm-fer.md

@@ -21,7 +21,7 @@ The first rule is generic and matches all messages:
 **Scope:**
 
 ```sql
-sourceCategory=networking/cisco/fwsm
+_sourceCategory=networking/cisco/fwsm
 ```
 
 **Extraction Rule:**

docs/manage/ingestion-volume/monitor-ingestion-receive-alerts.md

@@ -155,12 +155,12 @@ This hourly alert is generated when both of the following occur:
 
 ```
 _index=sumologic_volume sizeInBytes _sourceCategory="sourcecategory_volume"
-| parse regex "\"(?<sourcecategory>[^\"]*)\"\:(?<data>\{[^\}]*\})" multi
+| parse regex "\"(?<_sourcecategory>[^\"]*)\"\:(?<data>\{[^\}]*\})" multi
 | json field=data "sizeInBytes", "count" as bytes, count
 | timeslice 1h
 | bytes/1024/1024/1024 as gbytes
-| sum(gbytes) as gbytes by sourcecategory, _timeslice
-| where !(sourceCategory matches "*_volume")
+| sum(gbytes) as gbytes by _sourcecategory, _timeslice
+| where !(_sourceCategory matches "*_volume")
 | compare timeshift -1w 4 max
 | if(isNull(gbytes_4w_max), 0, gbytes_4w_max) as gbytes_4w_max
 | ((gbytes - gbytes_4w_max) / gbytes) * 100 as pct_increase

docs/manage/partitions/data-tiers/create-edit-partition.md

@@ -48,7 +48,7 @@ If you have a Sumo Logic Enterprise Suite account, you can take advantage of th
 When designing partitions, keep the following in mind:
 * **Avoid using queries that are subject to change**. In order to benefit from using Partitions, they should be used for long-term message organization.
 * **Make the query as specific as possible**. Making the query specific will reduce the amount of data in the Partition, which increases search performance.
-* **Keep the query flexible**. Use a flexible query, such as `sourceCategory=*Apache*`, so that metadata can be adjusted without breaking the query.
+* **Keep the query flexible**. Use a flexible query, such as `_sourceCategory=*Apache*`, so that metadata can be adjusted without breaking the query.
 * **Group data together that is most often used together**. For example, create Partitions for categories such as web data, security data, or errors.
 * **Group data together that is used by teams**. Partitions are an excellent way to organize messages by role and teams within your organization.
 * **Avoid including too much data in your partition**. Send between 2% and 20% of your data to a Partition. Including 90% of the data in your index in a Partition won’t improve search performance.

docs/manage/partitions/flex/create-edit-partition-flex.md

@@ -44,7 +44,7 @@ To create or edit a Partition, you must be an account Administrator or have th
 When designing partitions, keep the following in mind:
 * **Avoid using queries that are subject to change**. In order to benefit from using Partitions, they should be used for long-term message organization.
 * **Make the query as specific as possible**. Making the query specific will reduce the amount of data in the Partition, which increases search performance.
-* **Keep the query flexible**. Use a flexible query, such as `sourceCategory=*Apache*`, so that metadata can be adjusted without breaking the query.
+* **Keep the query flexible**. Use a flexible query, such as `_sourceCategory=*Apache*`, so that metadata can be adjusted without breaking the query.
 * **Group data together that is most often used together**. For example, create Partitions for categories such as web data, security data, or errors.
 * **Group data together that is used by teams**. Partitions are an excellent way to organize messages by role and teams within your organization.
 * **Avoid including too much data in your partition**. Send between 2% and 20% of your data to a Partition. Including 90% of the data in your index in a Partition won’t improve search performance.

docs/search/get-started-with-search/build-search/keyword-search-expressions.md

@@ -143,7 +143,7 @@ It is '\u001F', U+001F UNIT SEPARATOR
 
  For example, in the following query, there are multiple space characters present in `"VM Periodic" and "Task Thread"`, but normalization returns the same result as a single space whitespace character.
  ```sql
- sourceCategory=stream_thread_dumps "VM Periodic_____Task Thread"
+ _sourceCategory=stream_thread_dumps "VM Periodic_____Task Thread"
  ```
 
  :::note
@@ -154,7 +154,7 @@ It is '\u001F', U+001F UNIT SEPARATOR
 
  For example, in the the following query there is a tab character present in `"VM Periodic" and "Task Thread"`, but normalization returns the same result as a single space whitespace character.
  ```sql
- sourceCategory=stream_thread_dumps "VM Periodic_Task Thread"
+ _sourceCategory=stream_thread_dumps "VM Periodic_Task Thread"
  ```
 
  :::note
@@ -165,7 +165,7 @@ It is '\u001F', U+001F UNIT SEPARATOR
 
  For example, in the following query, there is a new line after the string `Task`, but normalization returns the same result as a single space whitespace character. This shows that a query string with a single space can match a log line that has a new line character.
  ```sql
- sourceCategory=stream_thread_dumps "VM Periodic Task\nThread"
+ _sourceCategory=stream_thread_dumps "VM Periodic Task\nThread"
  ```
 
  :::note
@@ -176,13 +176,13 @@ It is '\u001F', U+001F UNIT SEPARATOR
 
   For example, in the the following query, there is a new line and tab character after the string `Task`, but normalization returns the same result as a single space whitespace character. This shows that a query string with a single space can match a log line that has a new line and a tab whitespace character.
   ```sql
-  sourceCategory=stream_thread_dumps "VM Periodic Task\n\tThread"
+  _sourceCategory=stream_thread_dumps "VM Periodic Task\n\tThread"
   ```
   :::note
   The character `\n\t` is used to describe the new line + tab whitespace characters.
   :::
 
 All of the above queries containing various whitespace characters will accept a single space whitespace character by default and return the desired results. See the query below.
 ```sql
-sourceCategory=stream_thread_dumps "VM Periodic Task Thread"
+_sourceCategory=stream_thread_dumps "VM Periodic Task Thread"
 ```

docs/search/optimize-search-partitions.md

@@ -123,9 +123,9 @@ It may prevent you from searching horizontally without OR’ing partitions toget
 
 This helps users easily identify the correct partition to use.
 
-### Keep your partition broadly scoped with sourceCategory and avoid keywords
+### Keep your partition broadly scoped with _sourceCategory and avoid keywords
 
-Use sourceCategory in your partitions definitions and avoid keywords to keep your partition broadly scoped. You can always narrow down the scope of your search when you query your partition.
+Use `_sourceCategory` in your partitions definitions and avoid keywords to keep your partition broadly scoped. You can always narrow down the scope of your search when you query your partition.
 
 ### Group similar data together
 

docs/search/optimize-search-performance.md

@@ -60,10 +60,10 @@ Here's a quick look at how to choose the right indexed search optimization tool.
 | :-- | :-- | :-- |
 | Run queries against a certain set of data | Choose if the quantity of data to be indexed is more than 2% of the total data. | Choose if the quantity of data to be indexed is less than 2% of the total data. |
 | Use data to identify long-term trends |   | Yes |
-| Segregate data by sourceCategory | Yes |   |
+| Segregate data by _sourceCategory | Yes |   |
 | Have aggregate data ready to query |   | Yes |
 | Use RBAC to deny or grant access to the data set | Yes | Yes |
-| Reuse the fields that I'm parsing for other searches against this same sourceCategory |   |   |
+| Reuse the fields that I'm parsing for other searches against this same _sourceCategory |   |   |
 
 ## How is data added to Partitions and Scheduled Views?
 

docs/search/search-cheat-sheets/log-operators.md

@@ -182,7 +182,7 @@ This section provides detailed syntax, rules, and examples for Sumo Logic Opera
    <td>The backshift operator compares values as they change over time. Backshift can be used with rollingstd, smooth, or any other operators whose results could be affected by spikes of data (where a spike could possibly throw off future results).</td>
    <td>_backshift</td>
    <td>Can be used in Dashboard Panels, but in the search they must be included after the first <code>group-by</code> phrase.</td>
-   <td><code>_sourcecategory=katta <br/>| timeslice by 1m <br/>| count by _timeslice,_sourcehost <br/>| sort + _timeslice <br/>| backshift _count,1 by _sourcehost</code></td>
+   <td><code>_sourceCategory=katta <br/>| timeslice by 1m <br/>| count by _timeslice,_sourcehost <br/>| sort + _timeslice <br/>| backshift _count,1 by _sourcehost</code></td>
   </tr>
   <tr>
    <td><a href="/docs/search/search-query-language/search-operators/base64decode">base64Decode</a></td>