sumo logic "how to" webinar: advanced analytics
TRANSCRIPT
Sumo Logic Confidential July 2016
Advanced Analytics
Sumo Logic "How To" Webinar
Welcome. To give everyone a chance to successfully connect, we'll start at 10:05 AM Pacific.
At the completion of this webinar, you will be able to…
Understand the Anatomy of a Query
Run advanced queries using:
Outlier
Join
Transaction
Geo Lookup
LogReduce and LogCompare
Run LiveTail to view your live logs
Explore the Query Library in Sumo Dojo
Sumo Logic Data Flow
1. Data Collection: Collectors, Sources
2. Search & Analyze: Operators
3. Visualize & Monitor: Alerts, Dashboards, Charts
Why Queries?
Analyze, Monitor and Alert
Building Blocks to Analyze, Monitor and Alert
Create Queries that allow you to troubleshoot and identify trends
Create Dashboards that allow you to monitor and visualize your data
Create Alerts that provide notification of critical events
Don't start from scratch! Take advantage of Sumo Logic Apps
Out-of-the-box content for popular sources
Pre-built queries that you can use as templates
The Basics of Searching
Anatomy of a Query
Search Basics Overview
Time Range
Histogram
Search Bar
Search Results
Display Options
Field Browser - Metadata Fields and Parsed Fields
Field Browser
Metadata Fields
Parsed Fields
Data Correlation Tips – Filter, Normalize, Filter, Aggregate
Filter: metadata, keywords
Normalize: parse as, parse regex, extract
Filter: where, isBlank
Aggregate: count by, sort by, sum, etc.
Search Structure
Keywords and operators (separated by pipes) that build on top of each other
Syntax: metadata tags + keywords
| parse
| filter (where)
| aggregate
| format display
Results
Example:
_sourceCategory=Apache/Access and "/blog"
| parse "* - - [" as src_ip
| where !(src_ip matches "46.*")
| count by src_ip
| sort by _count desc
| limit 10
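As an added illustration (Python written for this page, not Sumo Logic code), the following emulates the Filter, Normalize, Filter, Aggregate pattern and the example query above over a few constructed Apache access log lines. The keyword filter, parse anchor, matches glob and count/sort/limit steps are reimplemented with the semantics the slides describe, and the parse-anchor helper accepts any number of * wildcards, not only the one in the example.

```python
import re
from collections import Counter

# Constructed Apache-style access log lines (sample data, not from the webinar).
LOG_LINES = [
    '46.12.0.1 - - [11/Aug/2015:13:01:02 -0700] "GET /blog/post-1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Aug/2015:13:01:03 -0700] "GET /blog/post-1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Aug/2015:13:01:04 -0700] "GET /blog/post-2 HTTP/1.1" 404 128',
    '198.51.100.7 - - [11/Aug/2015:13:01:05 -0700] "GET /Blog/ HTTP/1.1" 200 2048',
    '10.0.0.5 - - [11/Aug/2015:13:01:06 -0700] "GET /about HTTP/1.1" 200 300',
    '46.99.8.8 - - [11/Aug/2015:13:01:07 -0700] "GET /blog/post-3 HTTP/1.1" 200 700',
]

def parse_anchor(pattern, line):
    """Emulate `parse "<pattern>"`: each * captures (non-greedily) up to the literal
    text that follows it, so "* - - [" yields the client IP of an access log line."""
    regex = "(.*?)".join(re.escape(part) for part in pattern.split("*"))
    m = re.search(regex, line)
    return m.groups() if m else None

def glob_matches(value, glob):
    """Emulate the `matches` operator: * is a wildcard and the whole value must match."""
    regex = ".*".join(re.escape(part) for part in glob.split("*"))
    return re.fullmatch(regex, value) is not None

def run_query(lines, keyword="/blog", exclude="46.*", limit=10):
    """Filter (keyword) -> normalize (parse) -> filter (where) -> aggregate (count/sort/limit)."""
    counts = Counter()
    for line in lines:
        if keyword.lower() not in line.lower():   # keyword search is case-insensitive
            continue
        fields = parse_anchor("* - - [", line)   # | parse "* - - [" as src_ip
        if fields is None:
            continue                              # messages that do not parse drop out
        src_ip = fields[0]
        if glob_matches(src_ip, exclude):        # | where !(src_ip matches "46.*")
            continue
        counts[src_ip] += 1                       # | count by src_ip
    # | sort by _count desc | limit 10  (ties broken by IP so the result is deterministic)
    top = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]
    return [{"src_ip": ip, "_count": n} for ip, n in top]

if __name__ == "__main__":
    for row in run_query(LOG_LINES):
        print(row)
```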
Metadata Fields
Each log message is tagged with these metadata fields
Metadata fields are established during Collector and Source configuration
Name              Description
_collector        Name of Collector
_source           Name of Source defined during configuration
_sourceHost       Hostname where the source exists
_sourceName       Name of log file (including path)
_sourceCategory   Category designation associated with message
Keyword Search
Case Insensitive
Wildcard Support: FAIL* (Fail, Failure)
Boolean Logic Support: AND, OR, !(A OR B)
Combine keywords + metadata fields
Example:
_sourceCategory=Apache* and !("*.gov")
| parse "* - - [" as src_ip
| where !(src_ip matches "46.*")
| count by src_ip
| sort by _count desc
| limit 10
Develop Good Search Habits
Use metadata and keyword combinations to reduce scope (takes advantage of Bloom Filters)
Add line breaks after each operation (easier to troubleshoot)
Limit result sets before aggregating data, e.g. | where !(src_ip matches "46.*")
Narrow your time-range down as much as possible
Selecting a Time Range
Use the Dropdown: 15 min, Today, Last 7 days
Use Relative Notation: -45m, 2h, -2d to -1d
Use Absolute Notation: 8:25PM to 8:30PM, 8/11/2015 13:00 to 8/11/2015 14:00
Parsing Your Data
Extracting Fields
Extracting Fields
Extract parts of a message and classify them as fields
Perform logical, conditional and mathematical operations
Parsing Options
parse anchor: Leverages beginning and ending anchors
parse regex: Extracts nested information via regex
CSV and Split: Uses comma or other separator to parse fields
key value: Leverages key/value pair format
JSON: Extracts fields within a JSON formatted message
Develop Good Parsing Habits
For structured messages, use parse anchor instead of parse regex
When possible, avoid the use of expensive parse regex tokens like .*
Be specific about what you are looking for (e.g. \d{2,10})
Use Field Extraction Rules to pre-parse data
Eliminates having to parse on every query
Avoid using soon-to-be-deprecated public parsers (apache/access, iis, windows/2008)
Note that creating FERs is an Admin function
Advanced Operators
Query Examples
JOIN Operator Example
_sourceCategory=prod/api/webhooks and "webhook-worker"
| join
    (parse regex "INFO (?<id>.*) Send HTTP request with (?<bytes>.*) byte message body to (?<url>.*)") as info,
    (parse regex "INFO (?<id>.*) \[FAILURE\] (?<message>.*)") as failure
  on info.id = failure.id
| fields info_id, info_url, failure_message, info__messagetime
| where info_url = "<insert_webhook_url_here>"
| formatDate(fromMillis(info__messagetime), "MM-dd-yyyy HH:mm:ss") as myDate
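As an added illustration (Python written for this page, not Sumo Logic's implementation), this emulates the join above over constructed webhook-worker messages: both regexes are applied to the same stream, rows are joined on id, and the fields, where and formatDate steps follow. The timestamp zone is assumed to be UTC, and Python's (?P<name>...) named-group syntax replaces Sumo's (?<name>...).

```python
import re
from datetime import datetime, timezone

# Constructed webhook-worker messages as (epoch millis, text); sample data, not from the webinar.
MESSAGES = [
    (1468857600000, "INFO req-1 Send HTTP request with 512 byte message body to https://hooks.example.com/a"),
    (1468857600500, "INFO req-2 Send HTTP request with 64 byte message body to https://hooks.example.com/b"),
    (1468857601000, "INFO req-1 [FAILURE] connection timed out"),
    (1468857601200, "INFO req-3 Send HTTP request with 10 byte message body to https://hooks.example.com/a"),
    (1468857601500, "INFO req-3 [FAILURE] HTTP 502 from upstream"),
    (1468857602000, "INFO req-2 [FAILURE] HTTP 500 from upstream"),
]

# Python spells named groups (?P<name>...) where Sumo's parse regex uses (?<name>...).
INFO_RE = re.compile(r"INFO (?P<id>.*) Send HTTP request with (?P<bytes>.*) byte message body to (?P<url>.*)")
FAILURE_RE = re.compile(r"INFO (?P<id>.*) \[FAILURE\] (?P<message>.*)")

def parse_stream(regex, alias):
    """One side of the join: joined fields surface as <alias>_<field> plus <alias>__messagetime."""
    rows = []
    for ts, text in MESSAGES:
        m = regex.search(text)
        if m:
            row = {f"{alias}_{k}": v for k, v in m.groupdict().items()}
            row[f"{alias}__messagetime"] = ts
            rows.append(row)
    return rows

def format_date(millis):
    """formatDate(fromMillis(ts), "MM-dd-yyyy HH:mm:ss"); UTC is assumed here."""
    return datetime.fromtimestamp(millis / 1000, tz=timezone.utc).strftime("%m-%d-%Y %H:%M:%S")

def join_failures(url):
    """join ... on info.id = failure.id | fields ... | where info_url = url | formatDate ... as myDate"""
    failures_by_id = {}
    for f in parse_stream(FAILURE_RE, "failure"):
        failures_by_id.setdefault(f["failure_id"], []).append(f)
    results = []
    for info in parse_stream(INFO_RE, "info"):
        if info["info_url"] != url:                                 # | where info_url = "..."
            continue
        for failure in failures_by_id.get(info["info_id"], []):    # on info.id = failure.id
            results.append({"info_id": info["info_id"], "info_url": info["info_url"],
                            "failure_message": failure["failure_message"],
                            "info__messagetime": info["info__messagetime"],
                            "myDate": format_date(info["info__messagetime"])})
    return results
```

Calling join_failures("https://hooks.example.com/a") returns the two request/failure pairs for that URL, each with its formatted request time.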
Query Templates for your Needs
Query Library @ Sumo Dojo
Query Examples in Sumo Dojo
Trends over Time
IP Addresses by Bandwidth Usage
Adding Test Values
Parsing Non-Structured Fields
Mapping Client IPs
Creating Meaningful Alerts (Outlier Detection)
Are my Collectors Ingesting Data?
Questions?
Search Documentation and Training
Library of Past Webinars
Search/Post @ Sumo Dojo: Search, Post, Respond
Submit Feature Requests or Vote for Existing Ones
Open a Support Case
Contact Customer [email protected]
Thank You!