Skip to main content

Build Searches

This guide provides information on building searches.

In this section, we'll introduce the following concepts:

icon

Best Practices for Searches

Learn to get the most out of searches using these easy-to-follow rules.

icon

Dynamic Parsing

Learn how to view fields from JSON logs without having to manually specify parsing logic.

icon

Keyword Search Expressions

Learn how to define the scope of data for the query.

icon

Search Syntax Overview

Learn about query syntax and how to construct a search.

icon

Search Templates

Learn how to simplify searches for your users by giving them a few easy input choices.

icon

Set the Time Range

Learn how to adjust the time range for searches and metrics to get the most useful information.

icon

Use Receipt Time

Learn how to display search data in the order that Collectors received the messages.

icon

Use a URL to Run a Search

Learn how to create a custom URL to launch a log search in Sumo Logic.

What Data Do I Have?

It can be hard to create a search query if you do not know what data you have in your Sumo Logic environment. 

You can use the following simple queries to identify possible values for your existing Source Categories, Source Names, and Source Hosts. You can also approximate data volume for each of the possible values using these queries.

We discourage the use of *, as it does not provide much value, but in this exception, it is an easy way to identify all messages received in the last 5 minutes, and provide an approximate volume for each.

For Source Categories: * | count_frequent(_sourceCategory)

For Source Hosts: * | count_frequent(_sourceHost)

For Source Names: * | count_frequent(_sourceName)

Write Efficient Search Queries

Make the search as selective as possible

The more specific the query, the more efficiently it will run, as unnecessary messages are quickly thrown out of the mix. For example, the following two queries will generate the same result:

  • * | parse regex "uid=(?<userId>\d+)"
  • "uid=" | parse regex "uid=(?<userId>\d+)"

The second query will return the results more efficiently because the first query includes "*", which prompts Sumo Logic to comb through all messages for the given time range.

Use Field Extraction Rules

If your admin has created Field Extraction Rules, learn how to use them. Field Extraction Rules parse out fields from your organization's log files, meaning that you will not need to parse out fields in your query.

Include the most selective filters first

It is best to filter data as early as possible in the query, using the most selective filters first.

For example, look at the following queries:

* | parse "queryTime=* " as queryTime | parse "uid=* " as uid | where queryTime\> 10000

* | parse "queryTime=* " as queryTime | where queryTime\> 10000 | parse "uid=* " as ``uid

Because most log lines have a uid, but only a small fraction have queryTime > 10000, the second query is more efficient.

Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.