Creating a partition enhances search performance by narrowing down the search scope to a smaller subset of messages. Use the Partitions page to set up and manage partitions. To access the Partitions page, go to Manage Data > Logs > Partitions.
Data stored in a partition is not stored anywhere else.
Partitions route your data to an index, which becomes a separate subset of data in your account. Creating smaller and separate subsets of data is central to search optimization. When you run a search against an index, results are returned more quickly and efficiently because the search runs against a smaller data set.
After routing messages to a partition, you can reference it in your search by using the field _index with the partition's name. See Optimizing Search with Partitions for details.
Partitions ingest your messages in real time. They differ from scheduled views in that partitions don’t backfill with aggregate data. They begin building a non-aggregate index from the time the partition is created and index only the data moving forward. Scheduled views backfill with aggregate data, meaning that all data that extends back to the start date of the view query is added to the view.
You define the data that will reside in a partition by defining a routing expression, which is similar to a log query, but with certain restrictions in terms of the operators you can include. Each partition's routing expression is applied to all messages as they are ingested to Sumo Logic. If a message matches the partition’s routing expression, it is added to the partition.
- There is a limit of 50 partitions per account. (This excludes decommissioned partitions.)
- You can make the following edits to an existing partition:
  - You can change the routing expression, unless the partition is decommissioned.
- You cannot make the following changes to a partition:
  - You can’t change or reuse a partition name.
  - You can’t change the data tier the partition resides in.
- Partitions cannot be deleted, although you can decommission them. This is because a partition may include log messages that aren’t stored anywhere else, so if it’s deleted, messages will be lost. If you no longer need a partition, you can decommission it.
- Partition names cannot start with sumologic_ or an underscore.
- Partition routing rule length cannot exceed 2048 characters.
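The limits above interact: decommissioned partitions do not count toward the 50-partition limit, but their names still cannot be reused. The following Python check is an added example, not part of the Sumo Logic documentation or product; it validates a planned set of partitions against these limits before you create them. The dictionary keys (name, routing_expression, decommissioned), the exact-match name comparison, and the sample data are assumptions made for illustration.

```python
MAX_ACTIVE = 50            # decommissioned partitions are excluded from this limit
MAX_EXPR_CHARS = 2048      # maximum routing rule length
RESERVED_PREFIXES = ("sumologic_", "_")

def check_partition_plan(existing, proposed):
    """Return (name, problem) tuples for proposed partitions that break a limit.

    Both arguments are lists of dicts with the hypothetical keys
    name, routing_expression and (existing only) decommissioned.
    """
    problems = []
    # Names can't be reused, so a decommissioned partition still blocks its name.
    taken = {p["name"] for p in existing}
    active = sum(1 for p in existing if not p.get("decommissioned", False))
    for p in proposed:
        name, expr = p["name"], p["routing_expression"]
        found = []
        if name.startswith(RESERVED_PREFIXES):
            found.append("name starts with sumologic_ or an underscore")
        if name in taken:
            found.append("name already used (names cannot be reused)")
        if len(expr) > MAX_EXPR_CHARS:
            found.append(f"routing expression is {len(expr)} chars, limit is {MAX_EXPR_CHARS}")
        if not found and active >= MAX_ACTIVE:
            found.append(f"account already has {MAX_ACTIVE} active partitions")
        if found:
            problems.extend((name, f) for f in found)
        else:
            taken.add(name)    # accepted: reserves the name and an active slot
            active += 1
    return problems

# Constructed sample data, not taken from a real account:
# 48 active partitions plus one decommissioned partition.
EXISTING = [{"name": f"app_{i}", "routing_expression": f"_sourceCategory=app/{i}",
             "decommissioned": False} for i in range(48)]
EXISTING.append({"name": "old_fw", "routing_expression": "_sourceCategory=fw/*",
                 "decommissioned": True})
LONG_EXPR = " or ".join(f"_sourceHost=waf-{i:03d}" for i in range(120))
PROPOSED = [
    {"name": "_audit", "routing_expression": "_sourceCategory=audit/*"},
    {"name": "old_fw", "routing_expression": "_sourceCategory=fw/*"},
    {"name": "auth", "routing_expression": "_sourceCategory=auth/*"},
    {"name": "vpn", "routing_expression": "_sourceCategory=vpn/*"},
    {"name": "dns", "routing_expression": "_sourceCategory=dns/*"},
    {"name": "waf", "routing_expression": LONG_EXPR},
]

if __name__ == "__main__":
    for name, problem in check_partition_plan(EXISTING, PROPOSED):
        print(f"{name}: {problem}")
```

In the sample plan, auth and vpn fill the last two active slots, so dns is rejected for the account limit even though its definition is otherwise valid.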
In this section, we'll introduce the following concepts:
Create and Edit a Partition
Learn how to create and edit a Partition in an Index.
View Details About a Partition
Learn how to view details about a Sumo Logic Partition.
Search a Partition
Learn how to run a search against data in a Partition.
Edit Data Forwarding Destinations for a Partition
Learn how to specify Data Forwarding settings for a Partition.
Manage Indexes with Variable Retention
Learn how to create Index Partitions and Scheduled Views to store your data.
Decommission a Partition
Learn how to decommission a Partition to keep it from being started.
Get to know about Sumo Logic's Data Tiers feature.
Data Tiers FAQs
Get answers on various FAQs about Data Tiers.
Searching Data Tiers
Learn how to search specific Data Tiers.