sumo logic quickstart webinar 06/03/15: how to analyze all your machine data

Sumo Logic QuickStart Training

June 3, 2015 La.mer Luis Customer Outreach Manager

Sumo Logic Confiden.al

  Introduc.on   Upda.ng Preferences   Searching and Parsing Data   Basic Dashboards and Visualiza.ons   Addi.onal Analy.cs   Q&A

–  All Par.cipants are muted –  Feel free to ask ques.ons using the GoToWebinar panel –  Slides and recording will be shared

Agenda

Sumo Logic Confiden.al 2

Real-‐Time Analy.cs

  Cloud –  Simple to deploy, no maintenance required

The Sumo Logic Difference


LogReduce

Elas.c Scalability

Cloud   Elas.c scalability

–  Horsepower to process all your machine data

  PaYern recogni.on with LogReduce™ –  Finding the Unknown

  Real-‐.me Analy.cs –  Cri.cal insights in real .me

  Compliance and Cer.fica.ons –  PCI/DSS 3.0 Service Provider Level 1 Cer.fied

–  SOC 2, Type 2 aYesta.on –  HIPAA Compliance –  FIPS-‐140 Compliance –  U.S. -‐ EU & U.S. – Swiss Safe Harbor Framework

  We are thoroughly audited   In addi.on to AWS Security

Security MaYers To Us


Resource: hYps://www.sumologic.com/resource/white-‐paper/securing-‐the-‐sumo-‐logic-‐service/

Logs and the Enterprise


Custom App Code

Server / OS

Virtualiza.on

Databases

Network

Open Source Sobware

Middleware

Account Preferences


Account Preferences


Session Timeout

Query Edi.ng/Running

Metadata Fields


  Metadata tags are associated to your log messages when data is collected (on ingest)   Source/Collector configura.on

Metadata Fields


Name Descrip,on

_collector Name of collector when installed

_source Name of the source defined during configura.on

_sourceHost The host name of the source

_sourceCategory Category designa.on of the source

_sourceName The name of the log file (including path)

  Metadata should be used with keyword search –  Use with an underscore to invoke them

sourceCategory allows you to search horizontally across collectors

Metadata Fields


  Simplifies search syntax and scope defini.ons   Help with other features of the Sumo service –  Role-‐Based Access Control (Data Provisioning) –  Par..oning (Search Op.miza.on)

  Adop.ng a Good Naming Conven.on is Key –  Start with most generic descriptors on the leb

  e.g. –  Prod/Sumo/Apache/Access à Env/Customer/Device/LogType

–  OS/Windows/2012/messages à Device/Vendor/Version/LogType

Source Category


Searching and Parsing Data Start of Live Demonstra.on of Sumo Logic Service


Search Basic Overview


Search Bar

Time Range

Histogram

Search Results

Display

  Enter keywords and operators (separated by |) that build on top of each other

Search Syntax Flow


Keyword Iden.fica.on

Data Classifica.on

Ac.ons and Opera.ons

Display Configura.on

Desired Results

  Full-‐text search expressions enable you to search for mul.ple terms and logical expressions –  Case insensi.ve – Wildcard support – Metadata field –  Boolean logic

•  Complete (AND/OR) •  Implicit AND

Keyword Expression


  The data available to your search request is determined by the selected .me range. –  Pre-‐populated

•  Last 15 Minutes •  Last 3 Hours •  Today

–  Absolute •  12:25 12:30 •  8/11 12:00 8/11 13:00

–  Rela.ve •  -‐5m •  -‐2h •  -‐2h -‐1h

Time Range


  Combina.on of boolean logic, wild-‐cards and metadata (Error* OR fail* OR except*) AND _sourceCategory=*apache*

Example 1


  Exact string matching (_sourceCategory=Apache/Access AND !"Macintosh; Intel Mac OS X 10_6_8") AND *GET

Example 2


Refining Results by Surrounding Messages


LogReduce uses fuzzy logic and sob matching to cluster messages providing quick inves.ga.on view into your environment.

(Error OR fail*) | summarize

Looking for the Unknown


Result Sets

LogReduce uses fuzzy logic and sob matching to cluster messages providing quick inves.ga.on view into your environment.

(Error OR fail*) | summarize   Influencing the outcome

Looking for the Unknown


  Iden.fy unexpectedly high or low values … |.meslice 1m |count by _.meslice |outlier _count

Looking for the Known -‐ Outlier

–  Timeslices are required –  Adjustable variables allow you to get the right sensi.vity

•  Threshold –  Number of rolling stddev above/below the moving average –  Default: 3

•  Consecu.ve –  Number of consecu.ve points above/below the threshold to trigger –  Default: 1

•  Direc.on –  Detect high values, low values or both –  Default: Both

•  Window –  Number of trailing .meslices used to calculate –  Default: 10

Looking for the Known -‐ Outlier

  Parsing enables a user to extract parts of a message and classify them as fields. –  A specific key/value you want to extract –  Enables you to perform addi.onal opera.ons

•  Logical/condi.onal – based on values •  Mathema.cal – opera.ons on value sets

  Ways of defining fields –  Parse anchor: leverages start and stop anchors –  Parse regex: extracts nested informa.on via regexField extrac.on

Extrac.ng addi.onal labels/fields


  Single field example

Parse Anchor Using the UI


  The count Operator enables you to group messages that match a classifica.on –  No Group: provides a total message count

•  Ex: * | count •  Ex: : * | count as mycount

The count operator


  Dissec.ng your result sets using metadata fields –  Ability to aggregate results sets and grouping them by metadata fields •  EX: _collector=*apache* | count by _sourceCategory

–  Get a count of grouped result sets •  Ex: (Error OR fail*)| count by _sourcecategory , _sourcehost

–  Organize Results by Count •  Ex: _collector=*apache*| count by _sourceCategory | sort by _count

Leveraging Metadata for grouping


Timeslice operator enables you to segment your results by .me buckets – Minute (.meslice by 5m) –  Hour (.meslice by 1h) –  Day (.meslice by 1d)

Time-‐based Grouping


  Now that you have grouped your data there’s different ways of displaying your result sets   Icons of different charts –  Table –  Pie –  Bar –  Line –  Area

Providing Context through Visualiza.on


  Dashboards contain a collec.on of real-‐.me panels that provide a graphical representa.on of your data –  Each panel processes messages as they are received –  Drilldown for addi.onal analysis –  Choose from several chart types

Introduc.on to Dashboards


  Perform search

Dashboard: Adding a Panel


Click to add search as a panel in a dashboard

Installing Applica.ons


Performance Features End Live Demonstra.on of Sumo Logic


  Par..ons –  Separate index for searching over a smaller data set

  Scheduled Views –  Pre-‐aggrega.ng data for lightning fast counts/sums over longer .me ranges

  Field Extrac.on Rules –  Parse the data on ingest rather than at run-‐.me –  Remove parsing statements from your search –  Refine your search at the top level with field=foo

  Please consult the documenta.on and reach out to customer-‐[email protected] for further guidance.

Performance Features


Ques.ons?


  Post and respond to ques.ons

  Submit feature requests (& vote on others)

  Submit “.ps and tricks” based on what you learn

Engage With The Sumo Logic Community


Click on the Community sec.on at

h0ps://support.sumologic.com/home

  Reques.ng help via Support aber consul.ng the Community

  Search our docs for more detail

  Consider Professional Services offerings –  In-‐depth training –  Integra.on and use case development

–  Contact your sales rep or support for details

customer-‐[email protected]

Don’t forget


  Invite your colleagues to future webinars: hYps://aYendee.gotowebinar.com/rt/2164031659853507585

 Next QuickStart Training – Wednesday, July 8, 2015

–  10AM PST/ 1PM EST –  4PM PST/ 7PM EST (convenient for users in APAC)

Coming up…


sumo logic quickstart webinar 06/03/15: how to analyze all your machine data

Technology

h timerange sumologicconden

sourcecategory categorydesigna

logreduce elas

example1 sumologicconden

ge example2 sumologicconden

c scalability cloud

cloud simpletodeploy

display congura