Partitions and Data Tiers
Creating a partition allows you to improve search performance by searching over a smaller number of messages. Use the Partitions page to set up and manage partitions. To access the Partitions page, go to Manage Data > Logs > Partitions.
A partition stores your data in an index separate from the rest of your account's data so you can optimize searches, manage variable retention, and specify certain data to forward to S3.
Data stored in a partition is not stored anywhere else.
Partitions route your data to an index, which becomes a separate subset of the data in your account. Creating smaller and separate subsets of data is central to search optimization. When you run a search against an index, results are returned more quickly and efficiently because the search runs against a smaller data set.
After routing messages to a partition, you can reference it in your search by using the field `_index` with the partition's name. See Optimizing Search with Partitions for details.
Partitions ingest your messages in real time. They differ from scheduled views in that partitions don’t backfill with aggregate data. They begin building a non-aggregate index from the time the partition is created and index only the data moving forward. Scheduled views backfill with aggregate data, meaning that all data that extends back to the start date of the view query is added to the view.
You define the data that will reside in a partition by defining a routing expression, which is similar to a log query, but with certain restrictions in terms of the operators you can include. Each partition's routing expression is applied to all messages as they are ingested to Sumo Logic. If a message matches the partition’s routing expression, it is added to the partition.
- To create and manage partitions, you must be an Admin or you must have the Manage Partitions role capability.
- There is a limit of 50 partitions per account.
- You can make the following edits to an existing partition:
  - You can change the routing expression, unless the partition is decommissioned.
- You cannot make the following changes to a partition:
  - You can’t change or reuse a partition name.
  - You can’t change the data tier the partition resides in.
- Partitions cannot be deleted, although you can decommission them. This is because a partition may include log messages that aren’t stored anywhere else, so if it’s deleted, messages will be lost. If you no longer need a partition, you can decommission it.
- Partition names cannot start with `sumologic_` or an underscore (`_`).
In this section, we'll introduce the following concepts:
📄️ Create and Edit a Partition
Learn how to create and edit a Partition in an Index.
📄️ View Details About a Partition
Learn how to view details about a Sumo Logic partition.
📄️ Search a Partition
Learn how to run a search against data in a partition.
📄️ Edit Data Forwarding Destinations for a Partition
You can specify Data Forwarding settings for a partition so that the messages that were routed to an index can be forwarded to an existing or new Amazon S3 destination.
📄️ Manage Indexes with Variable Retention
With Multi-retention, you can create Index Partitions and Scheduled Views to store your data as needed, and set different retention periods for Partitions and Scheduled Views.
📄️ Decommission a Partition
Decommissioning a Partition keeps it from being started, although the data in the Partition remains in your account.
📄️ Data Tiers
Data Tiers provide the ability to allocate data to different storage tiers based on frequency of access - Continuous, Frequent, and Infrequent.
📄️ Data Tiers FAQs
Answers to FAQ about Data Tiers.
📄️ Searching Data Tiers
Learn how to search specific Data Tiers.
📄️ Scheduled Search - Infrequent Tier (Beta)
Learn how to schedule and run searches against the Infrequent data tier.