SumoLogic Concepts: Difference between revisions
Revision as of 05:05, 30 January 2019
Internal
Search
The search syntax is based on the "funnel" or the "pipeline" concept. The pipeline input receives all SumoLogic data, and data is filtered by entering keywords and operators, separated by pipes ("|"). Each operator acts on the results produced by the previous operators, so data is progressively filtered out. The typical search query syntax looks like:
keyword search or string search | parse | where | group-by | sort | limit
All queries start with a keyword search or a string search.
Keyword Search
_sourceCategory=CloudWatch
String Search
Keyword
Keywords are case insensitive.
How to figure out the complete list of valid keywords.
Most used keywords:
- _sourceCategory
Metadata
Metadata fields can be used in a keyword search as follows:
Available metadata fields:
_collector
The name of the Collector, as set when the Collector was installed, that received the log message.
_source
The name of the Source, as set when the Source was configured.
_sourceName
The name of the log file, as the path that was used when the Source was configured.
_sourceCategory
The category of the Source that collected the message. The source category can be a maximum of 1,024 characters.
_sourceCategory=CloudWatch
_sourceHost
The host name of the Source. For local Sources, the name of the Source as set when the Source is configured. For remote Collectors, this field uses the remote host's name. The _sourceHost metadata field is populated using a reverse DNS lookup. If the name cannot be resolved, _sourceHost is displayed as "localhost". This can be a maximum of 128 characters.
_sourceHost=/up/test/up-plat-svc-blah
_messageCount
A sequence number, maintained by the Source, added by the Collector when the message was received.
_messageTime
The timestamp of the message in milliseconds. If the message doesn't have a timestamp, _messageTime uses the _receiptTime.
_receiptTime
The time the Collector received the message in milliseconds.
_size
The size of the log message in bytes.
_format
The pattern used for parsing the timestamp. See here for more details.
_raw
The raw log message.
Operator
parse
Strings can be parsed based on start and stop anchor points in messages, and then aliased as user-created fields:
... | parse "* --" as src_ip | ...
sort
Sorting by the timestamp in natural order:
... | sort by +_messageTime
Pipe
Wildcards
'*' means zero or more characters.
'?' means a single character.
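To make the pipeline semantics concrete (keyword search with wildcards, then parse with anchor points, then where, then sort by +_messageTime), here is an added Python emulation that is not part of this wiki page and not SumoLogic's own implementation. The LOGS records and their field values are constructed sample data; the query helpers are hypothetical names chosen for the example.

```python
import re
from typing import Callable, Optional

# Constructed sample records (hypothetical values) shaped like Sumo metadata fields.
LOGS = [
    {"_sourceCategory": "CloudWatch", "_messageTime": 1548800003000,
     "_raw": "10.0.0.7 -- GET /health 200"},
    {"_sourceCategory": "cloudwatch", "_messageTime": 1548800001000,
     "_raw": "192.168.1.20 -- POST /login 401"},
    {"_sourceCategory": "Syslog", "_messageTime": 1548800002000,
     "_raw": "172.16.5.9 -- GET /admin 403"},
]

def wildcard_to_regex(keyword: str) -> re.Pattern:
    """Keyword matching: '*' is zero or more characters, '?' exactly one; case-insensitive."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in keyword)
    return re.compile(f"^{body}$", re.IGNORECASE)

def parse_anchor(pattern: str, message: str) -> Optional[list]:
    """Emulate `parse "<anchor>"`: each '*' captures (non-greedily) the text between the
    literal anchor pieces; returns None when the anchor does not occur in the message."""
    regex = "".join("(.*?)" if c == "*" else re.escape(c) for c in pattern)
    m = re.search(regex, message)
    return list(m.groups()) if m else None

def run_query(records, keyword_field, keyword, anchor, alias, sort_field,
              where: Callable[[dict], bool] = lambda r: True) -> list:
    """keyword search | parse <anchor> as <alias> | where <pred> | sort by +<sort_field>"""
    key = wildcard_to_regex(keyword)
    out = []
    for rec in records:
        if not key.match(str(rec.get(keyword_field, ""))):
            continue                     # keyword stage: drop non-matching records
        groups = parse_anchor(anchor, rec["_raw"])
        if groups is None:
            continue                     # parse stage: drop messages the anchor does not match
        row = {**rec, alias: groups[0]}  # aliased field is available to later operators
        if where(row):
            out.append(row)
    return sorted(out, key=lambda r: r[sort_field])   # '+' = ascending (natural) order

if __name__ == "__main__":
    for row in run_query(LOGS, "_sourceCategory", "CloudWatch", "* --", "src_ip", "_messageTime"):
        print(row["_messageTime"], row["src_ip"], row["_raw"])
```

Each stage only ever sees what the previous stage let through, which is why a too-narrow keyword or an anchor that does not match the message format silently empties the result set.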