sumo logic "how to" webinar: advanced analytics


Upload: sumo-logic

Post on 13-Feb-2017


TRANSCRIPT

Page 1: Sumo Logic "How to" Webinar: Advanced Analytics

Sumo Logic Confidential July 2016

Advanced Analytics
Sumo Logic "How To" Webinar

Welcome. To give everyone a chance to successfully connect, we'll start at 10:05 AM Pacific.

Page 2: Sumo Logic "How to" Webinar: Advanced Analytics


At the completion of this webinar, you will be able to…

Understand the Anatomy of a Query

Run advanced queries using: Outlier, Join, Transaction, Geo Lookup, LogReduce and LogCompare

Run LiveTail to view your live logs

Explore the Query Library in Sumo Dojo

Page 3: Sumo Logic "How to" Webinar: Advanced Analytics


Sumo Logic Data Flow (diagram)

1. Data Collection: Collectors, Sources
2. Search & Analyze: Operators
3. Visualize & Monitor: Charts, Dashboards, Alerts

Page 4: Sumo Logic "How to" Webinar: Advanced Analytics


Why Queries? Analyze, Monitor and Alert

Page 5: Sumo Logic "How to" Webinar: Advanced Analytics


Building Blocks to Analyze, Monitor and Alert

Create Queries that allow you to troubleshoot, identify trends

Create Dashboards that allow you to monitor and visualize your data

Create Alerts that provide notification of critical events

Don't start from scratch! Take advantage of Sumo Logic Apps:
• Out-of-the-box content for popular sources
• Pre-built queries that you can use as templates

Page 6: Sumo Logic "How to" Webinar: Advanced Analytics


Page 7: Sumo Logic "How to" Webinar: Advanced Analytics


Page 8: Sumo Logic "How to" Webinar: Advanced Analytics


The Basics of Searching: Anatomy of a Query

Page 9: Sumo Logic "How to" Webinar: Advanced Analytics


Search Basics Overview

Time Range

Histogram

Search Bar

Search Results

Display Options

Page 10: Sumo Logic "How to" Webinar: Advanced Analytics


Field Browser - Metadata Fields and Parsed Fields

Field Browser

Metadata Fields

Parsed Fields

Page 11: Sumo Logic "How to" Webinar: Advanced Analytics


Data Correlation Tips – Filter, Normalize, Filter, Aggregate

Filter
• metadata
• keywords

Normalize
• parse as
• parse regex
• extract

Filter
• where
• isBlank

Aggregate
• count by
• sort by
• sum
• etc.

Page 12: Sumo Logic "How to" Webinar: Advanced Analytics


Search Structure

Keywords and operators (separated by pipes) that build on top of each other

Syntax:
metadata tags + keywords
| parse
| filter
| aggregate
| format display

Example:
_sourceCategory=Apache/Access and "/blog"
| parse "* - - [" as src_ip
| where !(src_ip matches "46.*")
| count by src_ip
| sort by _count desc
| limit 10
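The example query above, and the parse-anchor habit recommended on the parsing pages, modelled in Python as an added illustration (this is not Sumo Logic's own implementation): it mimics `parse "* - - [" as src_ip`, `where !(src_ip matches "46.*")`, `count by`, `sort by _count desc` and `limit` over a few constructed Apache access lines. The anchor and wildcard semantics are assumptions simplified from the slide: each `*` in an anchor captures the shortest text between the literal pieces, and messages without the anchor are dropped.

```python
import re
from collections import Counter

def anchor_to_regex(pattern: str) -> re.Pattern:
    """Turn a parse-anchor pattern such as "* - - [" into a regex: literal text is
    escaped and every * becomes a non-greedy capture group (assumed semantics)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("(.*?)".join(parts))

def parse_anchor(message: str, pattern: str):
    """Mimic `parse "<pattern>" as f1, f2, ...`: return the captured fields, or
    None when the anchor text is absent (such messages fall out of the results)."""
    m = anchor_to_regex(pattern).search(message)
    return list(m.groups()) if m else None

def wildcard_matches(value: str, glob: str) -> bool:
    """Mimic `field matches "46.*"`: * is the only wildcard, whole-value match."""
    return re.fullmatch(re.escape(glob).replace(r"\*", ".*"), value) is not None

def top_source_ips(messages, exclude_glob="46.*", limit=10):
    """The slide's pipeline: parse src_ip, filter before aggregating (a habit the
    deck recommends), count by src_ip, sort by count descending, limit."""
    counts = Counter()
    for msg in messages:
        fields = parse_anchor(msg, "* - - [")
        if fields is None:
            continue                      # no anchor -> message dropped
        src_ip = fields[0]
        if wildcard_matches(src_ip, exclude_glob):
            continue                      # where !(src_ip matches "46.*")
        counts[src_ip] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]

# Constructed sample access-log lines (not real traffic); the last one lacks the anchor.
SAMPLE_LOGS = [
    '10.0.0.5 - - [11/Aug/2015:13:01:22 -0700] "GET /blog/post1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Aug/2015:13:01:25 -0700] "GET /blog/post2 HTTP/1.1" 200 640',
    '46.19.8.1 - - [11/Aug/2015:13:02:00 -0700] "GET /blog/ HTTP/1.1" 200 128',
    '192.0.2.9 - - [11/Aug/2015:13:03:10 -0700] "GET /blog/post1 HTTP/1.1" 404 0',
    'malformed line without the anchor',
]

if __name__ == "__main__":
    for ip, n in top_source_ips(SAMPLE_LOGS):
        print(f"{ip}\t{n}")
```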

Page 13: Sumo Logic "How to" Webinar: Advanced Analytics


Metadata Fields

Each log message is tagged with these metadata fields. Metadata fields are established during Collector and Source configuration.

Name: Description
_collector: Name of Collector
_source: Name of Source defined during configuration
_sourceHost: Hostname where the source exists
_sourceName: Name of log file (including path)
_sourceCategory: Category designation associated with message

Page 14: Sumo Logic "How to" Webinar: Advanced Analytics


Keyword Search

Case Insensitive

Wildcard Support: FAIL* (Fail, Failure)

Boolean Logic Support: AND, OR, !(A OR B)

Combine keywords + metadata fields

Example:
_sourceCategory=Apache* and !("*.gov")

| parse "* - - [" as src_ip

| where !(src_ip matches "46.*")

| count by src_ip

| sort by _count desc

| limit 10

Page 15: Sumo Logic "How to" Webinar: Advanced Analytics


Develop Good Search Habits

Use metadata and keyword combinations to reduce scope: takes advantage of Bloom Filters

Add line breaks after each operation: easier to troubleshoot

Limit result sets before aggregating data, e.g. | where !(src_ip matches "46.*")

Narrow your time-range down as much as possible

Page 16: Sumo Logic "How to" Webinar: Advanced Analytics


Selecting a Time Range

Use the Dropdown: 15 min, Today, Last 7 days

Use Relative Notation: -45m, 2h, -2d to -1d

Use Absolute Notation: 8:25PM to 8:30PM, 8/11/2015 13:00 to 8/11/2015 14:00

Page 17: Sumo Logic "How to" Webinar: Advanced Analytics


Parsing Your Data: Extracting Fields

Page 18: Sumo Logic "How to" Webinar: Advanced Analytics


Extracting Fields

Extract parts of a message and classify them as fields; perform logical, conditional and mathematical operations on them

Parsing Options
• parse anchor: leverages beginning and ending anchors
• parse regex: extracts nested information via regex
• CSV and Split: uses comma or another separator to parse fields
• key value: leverages key/value pair format
• JSON: extracts fields within a JSON-formatted message

Page 19: Sumo Logic "How to" Webinar: Advanced Analytics


Develop Good Parsing Habits

For structured messages, use parse anchor instead of parse regex

When possible, avoid the use of expensive parse regex tokens like .*

Be specific about what you are looking for (e.g. \d{2,10})

Use Field Extraction Rules (FERs) to pre-parse data
• Eliminates having to parse on every query
• Avoid using soon-to-be-deprecated public parsers (apache/access, iis, windows/2008)
• Note that creating FERs is an Admin function

Page 20: Sumo Logic "How to" Webinar: Advanced Analytics


Advanced Operators: Query Examples

Page 21: Sumo Logic "How to" Webinar: Advanced Analytics


Page 22: Sumo Logic "How to" Webinar: Advanced Analytics


JOIN Operator Example

_sourceCategory=prod/api/webhooks and "webhook-worker"
| join
    (parse regex "INFO (?<id>.*) Send HTTP request with (?<bytes>.*) byte message body to (?<url>.*)") as info,
    (parse regex "INFO (?<id>.*) \[FAILURE\] (?<message>.*)") as failure
  on info.id = failure.id
| fields info_id, info_url, failure_message, info__messagetime
| where info_url = "<insert_webhook_url_here>"
| formatDate(fromMillis(info__messagetime), "MM-dd-yyyy HH:mm:ss") as myDate
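The join above, modelled in Python as an added example (not Sumo Logic's own join implementation): the slide's two parse regex streams are applied to constructed webhook-worker lines, the results are inner-joined on id, filtered to one webhook URL, and the send timestamp is rendered like `formatDate(fromMillis(...), "MM-dd-yyyy HH:mm:ss")`. Assumptions: events arrive as (epoch-millis, message) pairs, the last send seen for an id is the one joined, and dates are rendered in UTC; the hooks.example URLs are placeholders.

```python
import re
from datetime import datetime, timezone

# The slide's two parse regex patterns, verbatim.
INFO_RE = r"INFO (?<id>.*) Send HTTP request with (?<bytes>.*) byte message body to (?<url>.*)"
FAIL_RE = r"INFO (?<id>.*) \[FAILURE\] (?<message>.*)"

def sumo_regex(pattern: str) -> re.Pattern:
    """Sumo's parse regex writes named groups as (?<name>...); Python wants (?P<name>...)."""
    return re.compile(pattern.replace("(?<", "(?P<"))

def format_date(millis: int) -> str:
    """formatDate(fromMillis(t), "MM-dd-yyyy HH:mm:ss"), rendered in UTC (assumption)."""
    return datetime.fromtimestamp(millis / 1000, tz=timezone.utc).strftime("%m-%d-%Y %H:%M:%S")

def join_webhook_failures(events, webhook_url):
    """events: list of (messagetime_ms, raw_message). Returns rows matching the slide's
    `fields info_id, info_url, failure_message` plus myDate, after the join and where."""
    info_by_id, failures = {}, []
    for millis, msg in events:
        if m := sumo_regex(INFO_RE).search(msg):
            info_by_id[m["id"]] = (m["url"], millis)   # keep the latest send per id (assumption)
        elif m := sumo_regex(FAIL_RE).search(msg):
            failures.append((m["id"], m["message"]))
    rows = []
    for fid, message in failures:                  # inner join on info.id = failure.id
        if fid not in info_by_id:
            continue                               # failure with no matching send: no row
        url, millis = info_by_id[fid]
        if url != webhook_url:                     # | where info_url = "<insert_webhook_url_here>"
            continue
        rows.append({"info_id": fid, "info_url": url,
                     "failure_message": message, "myDate": format_date(millis)})
    return rows

def _ms(h, m, s):  # constructed epoch-millis timestamps for the sample events below
    return int(datetime(2016, 7, 12, h, m, s, tzinfo=timezone.utc).timestamp() * 1000)

SAMPLE_EVENTS = [  # constructed webhook-worker lines, not real data
    (_ms(10, 5, 1), "INFO req-1 Send HTTP request with 312 byte message body to https://hooks.example/a"),
    (_ms(10, 5, 2), "INFO req-1 [FAILURE] connection refused"),
    (_ms(10, 5, 3), "INFO req-2 Send HTTP request with 40 byte message body to https://hooks.example/a"),
    (_ms(10, 5, 4), "INFO req-3 Send HTTP request with 99 byte message body to https://hooks.example/b"),
    (_ms(10, 5, 5), "INFO req-3 [FAILURE] timeout"),
]

if __name__ == "__main__":
    for row in join_webhook_failures(SAMPLE_EVENTS, "https://hooks.example/a"):
        print(row)
```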

Page 23: Sumo Logic "How to" Webinar: Advanced Analytics


Query Templates for your Needs: Query Library @ Sumo Dojo

Page 24: Sumo Logic "How to" Webinar: Advanced Analytics


Query Examples in Sumo Dojo

Trends over Time

IP Addresses by Bandwidth Usage

Adding Test Values

Parsing Non-Structured Fields

Mapping Client IPs

Creating Meaningful Alerts (Outlier Detection)

Are my Collectors Ingesting Data?

Page 25: Sumo Logic "How to" Webinar: Advanced Analytics


Questions?

Search Documentation and Training: Library of Past Webinars

Search/Post @ Sumo Dojo: Search, Post, Respond

Submit Feature Requests: Vote for Existing Ones

Open a Support Case

Contact Customer [email protected]

Page 26: Sumo Logic "How to" Webinar: Advanced Analytics


Thank You!