Build Searches
This guide provides information on building searches.
In this section, we'll introduce the following concepts:
📄️ Best Practices for Searches
Use these easy to follow rules to get the most out of your Sumo Logic searches.
📄️ Dynamic Parsing
Dynamic Parsing allows you to configure automatic parsing of JSON logs.
📄️ Keyword Search Expressions
The text that comes before the first pipe symbol in a query is called the keyword expression or scope.
📄️ Search Syntax Overview
Learn about query syntax and how to construct a search.
📄️ Search Templates
Search templates narrow down your queries into a few parameters that other users can edit to find the data they need.
📄️ Set the Time Range
You can adjust the time range for searches and metrics to get the information that will be of most use.
📄️ Use Receipt Time
You can display search results in the order that the Collector received the messages in milliseconds.
📄️ Use a URL to Run a Search
You can create a custom URL to launch a log search in Sumo Logic.
What Data Do I Have?
It can be hard to create a search query if you don't know what data you have in your Sumo Logic environment.
You can use the following simple queries to identify possible values for your existing Source Categories, Source Names, and Source Hosts. You can also approximate data volume for each of the possible values using these queries.
We discourage the use of * as a scope because it provides little value, but for this one purpose it is an easy way to identify every message received in the selected time range (for example, the last 5 minutes) and get an approximate count for each value. count_frequent returns approximate counts, which is sufficient for discovering what sources exist.
For Source Categories: * | count_frequent(_sourceCategory)
For Source Hosts: * | count_frequent(_sourceHost)
For Source Names: * | count_frequent(_sourceName)
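Once you know the category names, you can narrow the scope and size the data by bytes rather than by message count. This is an added example, not a query from the original page; the category prefix prod/* is an assumption, and it relies on the built-in _size field (message size in bytes) being available:

```sumo
// Scope by a category pattern instead of * once the names are known.
// The prod/* prefix is an assumption for this example; _size is the built-in message size in bytes.
_sourceCategory=prod/*
| count as messages, sum(_size) as bytes by _sourceCategory, _sourceHost
| sort by bytes
```

Sorting by bytes rather than messages surfaces the hosts that dominate ingest volume even when their message counts look unremarkable, which is the view you want before writing retention or ingest budget rules.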
Write Efficient Search Queries
Make the search as selective as possible
The more specific the query, the more efficiently it will run, as unnecessary messages are quickly thrown out of the mix. For example, the following two queries will generate the same result:
* | parse regex "uid=(?<userId>\d+)"
"uid=" | parse regex "uid=(?<userId>\d+)"
The second query returns the same results more efficiently, because the scope of the first query is *, which prompts Sumo Logic to comb through every message in the time range before the parse runs, while the keyword "uid=" restricts the parse to messages that can actually match.
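The same principle applied to a typical security hunt, SSH brute-force attempts, as an added example that is not part of the original page. The source category prod/linux/auth and the sshd message format are assumptions; the point is that the metadata field and the literal keyword both sit before the first pipe, so the regex only runs on messages that survived the scope:

```sumo
// Scope first: a metadata field plus a literal keyword, both evaluated before any parse operator.
// The _sourceCategory value and the syslog line format are assumed for this example.
_sourceCategory=prod/linux/auth "Failed password"
// Named captures become fields; the regex runs only on the already-scoped messages.
| parse regex "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| count by src_ip, user
| where _count > 10
| sort by _count
```

Compare this with starting from * and filtering on the regex alone: the result set is identical, but every message in the category for the time range would have to be scanned and regex-matched before the keyword ever came into play.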
Use Field Extraction Rules
If your admin has created Field Extraction Rules, learn how to use them. Field Extraction Rules parse out fields from your organization's log files, meaning that you will not need to parse out fields in your query.
Include the most selective filters first
It is best to filter data as early as possible in the query, using the most selective filters first.
For example, look at the following queries:
* | parse "queryTime=* " as queryTime | parse "uid=* " as uid | where queryTime > 10000
* | parse "queryTime=* " as queryTime | where queryTime > 10000 | parse "uid=* " as uid
Because most log lines contain a uid but only a small fraction have queryTime > 10000, the second query is more efficient: the where clause discards the bulk of the messages before the uid parse is applied to them. The same idea applies to the scope itself; replacing * with the keyword "queryTime=" drops messages that lack the field before any parsing starts.
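Putting the two rules together, and adding the caveat a practitioner runs into with this ordering: parse drops any message that does not match the pattern, so parsing uid after the where clause silently removes slow requests that carry no uid at all. This is an added example, not a query from the original page; the source category prod/api and the key=value log format are assumptions:

```sumo
// Scope to one source and to a literal that every message of interest must contain.
// The _sourceCategory value and the key=value log format are assumed for this example.
_sourceCategory=prod/api "queryTime="
| parse "queryTime=* " as queryTime
// Filter on the rare condition before spending parse work on the common field.
| where queryTime > 10000
// nodrop keeps slow requests that have no uid (e.g. unauthenticated calls) instead of discarding them.
| parse "uid=* " as uid nodrop
| count by uid
| sort by _count
```

Without nodrop the final parse would behave as a second filter, and the slow unauthenticated requests, often the most interesting ones from a security standpoint, would never appear in the results.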