SumoLogic Concepts

From NovaOrdis Knowledge Base
Revision as of 19:35, 30 January 2019



The search syntax is based on the "funnel" or "pipeline" concept. The pipeline input receives all Sumo Logic data, and the data is filtered by entering keywords and operators separated by pipes ("|"). Each operator acts on the results produced by the previous operators, so data is progressively filtered out. A typical search query has this shape:

keyword search or string search | parse | where | group-by | sort | limit

All queries start with a keyword search or a string search.

As queries get longer and more complex, it is a best practice to format your queries by using a soft return before the pipes, such as:

| parse "* --" as src_ip
| count by src_ip
| sort _count

Searches are not instantaneous, and some of them can take a long time. Thus, they can be paused or canceled.

Searches can be saved in the Library. Once a search is saved, it can be further scheduled. To save a search, compose the search in an "Unnamed" tab, then "Save As". By default, the search is saved in the Personal folder.

Keyword Search


String Search

Search Comments

// comments on a single line
/* multi-line
   comments */

Export Search Results

Up to 100,000 rows of CSV can be downloaded from the browser.

Search Job API


Keywords are case insensitive.

How to figure out the complete list of valid keywords.

Most used keywords:

  • _sourceCategory

Keyword expressions. Keyword expressions include metadata field expressions.


The search language allows alphanumeric characters, hyphens and underscores for valid field names. If the field names contain special characters, a special syntax is required.


Search Metadata

Metadata Fields

Metadata fields can be used in a keyword search as follows:

Available metadata fields:


The name of the Collector, as set when the Collector was installed, that received the log message.


The name of the Source, as set when the Source was configured.


The name of the log file, as the path that was used when the Source was configured.


The category of the Source that collected the message. The source category can be a maximum of 1,024 characters.



The host name of the Source. For local Sources the name of the Source as set when the Source is configured. For remote Collectors, this field uses the remote host's name. The _sourceHost metadata field is populated using a reverse DNS lookup. If the name cannot be resolved, _sourceHost is displayed as "localhost". This can be a maximum of 128 characters.



A sequence number, maintained by the Source and added by the Collector when the message was received.


The timestamp of the message in milliseconds. If the message doesn't have a timestamp, _messageTime uses the _receiptTime.


The time the Collector received the message in milliseconds.


The size of the log message in bytes.


The pattern used for parsing the timestamp. See here for more details.


The raw log message.


Individual Operators


Strings can be parsed based on start and stop anchor points in messages, and then aliased as user-created fields:

... | parse "* --" as src_ip | ...

The above parses out the IP address into a field named "src_ip", using " --" as the stop anchor: the "*" captures everything before that text.
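To make the funnel concept and the anchor-based parse operator concrete, here is a small Python model of the pipeline described above (an added example, not code from this wiki or from Sumo Logic). It runs the stages keyword search, parse, where, count by and sort over a few constructed log lines; the anchor-to-regex translation and the drop-on-no-match behaviour of parse follow the semantics described on this page and in the Sumo Logic operator documentation, but the function names, the sample data and the "nodrop" flag are the example's own.

```python
import re
from collections import Counter

# Constructed sample messages (not real data). Each record mimics a Sumo
# message: the raw text plus a couple of metadata fields.
WEB_LOG = [
    {"_raw": "10.0.0.5 -- GET /index.html 200", "_sourceCategory": "prod/web", "_messageTime": 1548875700001},
    {"_raw": "10.0.0.7 -- GET /login 302",      "_sourceCategory": "prod/web", "_messageTime": 1548875700002},
    {"_raw": "10.0.0.5 -- POST /login 401",     "_sourceCategory": "prod/web", "_messageTime": 1548875700003},
    {"_raw": "health check ok",                 "_sourceCategory": "prod/web", "_messageTime": 1548875700004},
    {"_raw": "10.0.0.5 -- GET /admin 403",      "_sourceCategory": "prod/web", "_messageTime": 1548875700005},
    {"_raw": "10.0.0.9 -- GET /index.html 200", "_sourceCategory": "prod/web", "_messageTime": 1548875700006},
]


def anchor_to_regex(pattern):
    """Turn a parse anchor pattern such as "* --" into a regular expression:
    every '*' becomes a non-greedy capture group, all other text is literal.
    A trailing '*' captures the rest of the line instead of matching nothing."""
    literals = [re.escape(p) for p in pattern.split("*")]
    regex = "(.*?)".join(literals)
    if pattern.endswith("*"):
        regex = regex[: -len("(.*?)")] + "(.*)"
    return regex


def parse(messages, pattern, *fields, nodrop=False):
    """The 'parse' operator: the text matched by each '*' is aliased to the
    corresponding field name. Messages that do not match the anchors are
    dropped unless nodrop is requested (hypothetical flag mirroring Sumo's
    'nodrop' keyword)."""
    rx = re.compile(anchor_to_regex(pattern))
    out = []
    for msg in messages:
        m = rx.search(msg["_raw"])
        if m:
            out.append({**msg, **dict(zip(fields, m.groups()))})
        elif nodrop:
            out.append(dict(msg))
    return out


def where(messages, predicate):
    """The 'where' operator: keep only the messages for which predicate holds."""
    return [m for m in messages if predicate(m)]


def count_by(messages, field):
    """The 'count by' aggregate: one row per distinct value, with a _count field."""
    counts = Counter(m[field] for m in messages if field in m)
    return [{field: value, "_count": n} for value, n in counts.items()]


def sort_by(rows, field, ascending=False):
    """The 'sort' operator. As in Sumo, the default order is descending;
    'sort by +field' asks for ascending order."""
    return sorted(rows, key=lambda r: r[field], reverse=not ascending)


def failed_requests_by_ip(messages=WEB_LOG):
    """The whole funnel, equivalent to:
         _sourceCategory=prod/web
         | parse "* -- * * *" as src_ip, method, path, status
         | where status != "200"
         | count by src_ip
         | sort _count
    Each stage only sees what the previous stage let through."""
    stage = where(messages, lambda m: m["_sourceCategory"] == "prod/web")   # keyword search
    stage = parse(stage, "* -- * * *", "src_ip", "method", "path", "status")  # parse
    stage = where(stage, lambda m: m["status"] != "200")                     # where
    stage = count_by(stage, "src_ip")                                        # group-by aggregate
    return sort_by(stage, "_count")                                          # sort, descending


if __name__ == "__main__":
    for row in failed_requests_by_ip():
        print(row)
```

Note that the "health check ok" line never reaches count by: it has no " -- " anchor, so parse drops it, which is exactly the filtering-out behaviour the funnel description refers to. Passing nodrop=True keeps such messages, with the parsed fields absent.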



Sorting by the timestamp in natural order:

... | sort by +_messageTime

Also see Message Sorting below.


count by


... | keyvalue regex " ([A-Z_-]+?)='([^']+?)'" keys "TYPE", "MESSAGES", "CHANNEL", "DOCUMENT-URI" | count by %"document-uri"

Group Operators

group by

example, did not work.



'*' means zero or more characters.

'?' means a single character.
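The following Python model shows how the wildcard rules above combine with case-insensitive keywords and with metadata field expressions such as _sourceCategory=... (an added example, not code from this wiki or from Sumo Logic). It treats a bare keyword as a whole-token match against the raw message and a field expression as a match against the full metadata value, which is a simplification of the real search engine; the sample messages and function names are constructed for the example.

```python
import re

# Constructed sample messages (not real data): the raw text plus the
# metadata fields a Collector attaches.
SAMPLE_MESSAGES = [
    {"_raw": "User alice logged in",      "_sourceCategory": "prod/web/auth",    "_sourceHost": "web-01"},
    {"_raw": "User bob LOGGED OUT",       "_sourceCategory": "prod/web/auth",    "_sourceHost": "web-02"},
    {"_raw": "Disk usage at 91%",         "_sourceCategory": "prod/db",          "_sourceHost": "db-01"},
    {"_raw": "Login failed for mallory",  "_sourceCategory": "staging/web/auth", "_sourceHost": "web-11"},
]


def wildcard_to_regex(term):
    """'*' matches zero or more characters, '?' exactly one; everything else
    is taken literally."""
    out = ""
    for ch in term:
        if ch == "*":
            out += ".*"
        elif ch == "?":
            out += "."
        else:
            out += re.escape(ch)
    return out


def keyword_matches(message, keyword):
    """A keyword is case insensitive and must match a whole token of the raw
    message (simplified tokenisation: split on whitespace)."""
    rx = re.compile(wildcard_to_regex(keyword), re.IGNORECASE)
    return any(rx.fullmatch(tok) for tok in message["_raw"].split())


def metadata_matches(message, field, value):
    """A metadata field expression such as _sourceCategory=prod/web/* is
    matched against the whole field value, with the same wildcards."""
    rx = re.compile(wildcard_to_regex(value), re.IGNORECASE)
    return rx.fullmatch(message.get(field, "")) is not None


def search(messages, *terms):
    """All terms are ANDed, as when several terms are typed into one search.
    A term of the form _field=value is a metadata field expression; any
    other term is a keyword searched in the raw message."""
    def matches(m):
        for term in terms:
            if term.startswith("_") and "=" in term:
                field, value = term.split("=", 1)
                if not metadata_matches(m, field, value):
                    return False
            elif not keyword_matches(m, term):
                return False
        return True
    return [m for m in messages if matches(m)]


def matching_hosts(*terms):
    """Convenience wrapper: the _sourceHost of every message the search keeps."""
    return [m["_sourceHost"] for m in search(SAMPLE_MESSAGES, *terms)]


if __name__ == "__main__":
    print(matching_hosts("_sourceCategory=prod/web/*", "logged"))
    print(matching_hosts("log*"))
    print(matching_hosts("_sourceHost=web-0?"))
```

The "log*" search picks up "logged", "LOGGED" and "Login" because keywords are case insensitive and '*' matches any tail, while "_sourceHost=web-0?" keeps web-01 and web-02 but not web-11, because '?' stands for exactly one character.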


To access a list of all available Collectors: Sumo Logic -> Hamburger -> Manage Data -> Collection.




Message Table View

Message Sorting

By default, message sorting is configured to show the newest messages first. That can be changed as follows: the "Messages" tab -> top-right gear icon -> Display Message Preferences -> Sort By: "Oldest Message First".

Aggregates View

The Aggregates view seems to become available if a group operator is used. The view (tab) should be a peer of "Messages" tab. TO TEST. TO PROCESS

Metrics vs. Logs







The Library

Personal Folder

The "Personal" folder is accessible as Sumo Logic -> Hamburger -> The "Personal" folder icon or Sumo Logic -> Hamburger -> Library -> User's Name -> Personal