Log Operators Cheat Sheet
The Log Operators cheat sheet provides a list of available parsers, aggregators, search operators, and mathematical expressions with links to full details for each item. For a step-by-step video and tutorial about creating queries, see the Quick Start Tutorial. For a complete list of Sumo Logic Search operators, you can download the PDF version.
For a collection of customer-created search queries and their use cases, see the Sumo Logic Community Query Library.
The following tables provide a list of available Sumo Logic parsers, aggregators, search operators, and mathematical expressions.
Parsing
Sumo provides a number of ways to parse fields in your log messages.
| Operator | Description | Example |
|---|---|---|
| parse (anchor) | The parse operator, also called parse anchor, parses strings according to specified start and stop anchors, and then labels them as fields for use in subsequent aggregation functions in the query such as sorting, grouping, or other functions. | ` |
| parse regex | The parse regex operator (also called the extract operator) enables users comfortable with regular expression syntax to extract more complex data from log lines. Parse regex can be used, for example, to extract nested fields. | ` |
| keyvalue | Typically, log files contain information that follow a key-value pair structure. The keyvalue operator allows you to get values from a log message by specifying the key paired with each value. | ` |
| csv | The csv operator allows you to parse Comma Separated Values (CSV) formatted log entries. It uses a comma as the default delimiter.csv operator allows you to parse Comma Separated Values (CSV) formatted log entries. It uses a comma as the default delimiter. | ` |
| JSON | The JSON operator is a search query language operator that allows you to extract values from JSON input. Because JSON supports both nested keys and arrays that contain ordered sequences of values, the Sumo Logic JSON operator allows you to extract single top-level fields, multiple fields, nested keys, and keys in arrays. | ` |
| split | The split operator allows you to split strings into multiple strings, and parse delimited log entries, such as space-delimited formats. | `_sourceCategory=colon |
| xml | The XML operator uses a subset of the XPath 1.0 specification to provide a way for you to parse fields from XML documents. Using it, you can specify what to extract from an XML document using an XPath reference. | ` |
Aggregating
Aggregating functions evaluate messages and place them into groups. The group operator is used in conjunction with group-by functions. When using any grouping function, the word by is sufficient for representing the group operator.
note
An aggregation function can't take another function (such as a math function). For example, you can't use:
... | avg(x + y) as average
Instead use separate steps:
... | x + y as z | avg(z) as average
| Operator | Description | Default Alias | Restrictions | Example |
|---|---|---|---|---|
| avg | The averaging function (avg) calculates the average value of the numerical field being evaluated within the time range analyzed. | _avg | ` | |
| count, count_distinct, and count_frequent | Aggregating (group-by) functions are used in conjunction with the group operator and a field name. Only the word by is required to represent the group operator. The count function is also an operator in its own right and therefore can be used with or without the word by. | _count_count_distinct_approxcount | count_frequent can return up to 100 results when used in dashboard panels. | Example 1: ` |
| fillmissing | When you run a standard group-by query, Sumo Logic only returns non-empty groups in the results. For example, if you are grouping by timeslice, then only the timeslices that have data are returned. This operator allows you to specify groups to present in the output, even if those groups have no data. | Not supported in Live Dashboards or any continuous query. | `error | |
| first and last | First finds the earliest occurrence in search results, and last finds the result that follows all others, based on the sort order for the query. | _first_last | Not supported in Live Dashboards or any continuous query. | ` |
| min and max | Use the min and max functions to find the smallest or largest value in a set of values. | _min_max | ` | |
| most_recent and least_recent | The most_recent and least_recent operators, used with the withtime operator, allow you to order data from newest to oldest. | _most_recent_least_recent | `ip OR address | |
| pct | The percentile function (pct) finds the percentile of a given field. Multiple pct functions can be included in one query. | _<fieldname>_pct_<percentile> | ` | |
| stddev | The standard deviation function (stddev) finds the standard deviation value for a distribution of numerical values within the time range analyzed and associated with a group designated by the "group by" field. | _stddev | `... | |
| sum | Sum adds the values of the numerical field being evaluated within the time range analyzed. | _sum | `... | |
| values | The values operator provides all the distinct values of a field. | The first 100 distinct values are returned for a field. | ` | values(ip_address) by region` |
Search Operators
This section provides detailed syntax, rules, and examples for Sumo Logic Operators, Expressions, and Search Language.
| Operator | Description | Default Alias | Restrictions | Example |
|---|---|---|---|---|
| accum | The accum operator calculates the cumulative sum of a field. It can be used to find a count by a specific time interval, and can be used to find a total running count across all intervals. | _accum | Can be used in Dashboard Panels, but in the search they must be included after the first group-by phrase. | `_sourceCategory=IIS (Wyatt OR Luke) |
| asn lookup | Sumo Logic can lookup an Autonomous System Number (ASN) and organization name by an IP address. Any IP addresses that don't have an ASN will return null values. | `_sourceCategory=stream "remote_ip=" | ||
| backshift | The backshift operator compares values as they change over time. Backshift can be used with rollingstd, smooth, or any other operators whose results could be affected by spikes of data (where a spike could possibly throw off future results). | _backshift | Can be used in Dashboard Panels, but in the search they must be included after the first group-by phrase. | `_sourcecategory=katta |
| base64Decode | The base64Decode operator takes a base64 string and converts it to an ASCII string. | ` | ||
| base64Encode | The base64Encode operator takes an ASCII string and converts it to a base64 string. | ` | ||
| bin | Use the bin operator to sort results in a histogram. | _bin_label_bin_lower_bin_upper | `_sourceCategory=analytics | |
| cat | Use the cat operator to view the contents of a lookup table. | cat path://"/Library/Users/myusername@sumologic.com/Suspicious Users" | ||
| CIDR | The CIDR operator allows you to leverage Classless Inter-Domain Routing (CIDS) notations to analyze IP network traffic in order to narrow analysis to specific subnets. CIDR notations specify the routing prefix of IP addresses. | `(denied OR rejected AND _sourcecategory=firewall | ||
| concat | The Concat operator allows you to concatenate or join multiple strings, numbers, and fields into a single user-defined field. It concatenates strings end-to-end and joins them into a new string that you define. | Not supported in Dashboards. | `... | |
| contains | The contains operator compares string values of two parsed fields and returns a boolean result based on whether the second field's value exists in the first. | `... | ||
| decToHex | The decToHex operator converts a long value of 16 or fewer digits to a hexadecimal string using Two's Complement for negative values. | `... | ||
| dedup | The dedup operator removes duplicate results. | `... | ||
| diff | The diff operator calculates the rate of change in a field between consecutive rows. To produce results, diff requires that a specified field contain numeric data; any non-numerical values are removed from the search results. | _diff | Can be used in Dashboard Panels, but in the search they must be included after the first group-by phrase. | `* |
| fields | The fields operator allows you to choose which fields are displayed in the results of a query. Use a fields operator to reduce the "clutter" of a search output that contains fields that aren't completely relevant to your query. | `_sourceCategory=access_logs | ||
| fillmissing | When you run a standard group-by query, Sumo Logic only returns non-empty groups in the results. For example, if you are grouping by timeslice, then only the timeslices that have data are returned. This operator allows you to specify groups to present in the output, even if those groups have no data. | Not supported in Live Dashboards or any continuous query. | `error | |
| filter | The filter operator can filter the output of a search using the results of a different search based on the filtering criteria of a subquery. The filter operator keeps only the records that match the filter criteria, allowing you to restrict search results to the most relevant information. | The operator can process up to 100,000 data points for a single query. It automatically drops the data points that exceed the limit and issues a warning. | `_sourceCategory=HttpServers | |
| format | The format operator allows you to format and combine data from fields in message logs—including numbers, strings, and dates—into a single user-defined string. This allows data in message logs, such as dates or currency amounts, to be formatted as human readable, when otherwise it would be hard to decipher. | `error | ||
| formatDate | The formatDate operator allows you to format dates in log files as a string in the format you require, such as US date formatting, European formatting, timestamps, etc. | `* | ||
| geoip | Matches an extracted IP address to its geographical location on a map. | ` | ||
| geo lookup | Sumo Logic can match a parsed IPv4 or IPv6 address to its geographical location on a map. To create the map the lookup operator matches parsed IP addresses to their physical location based on the latitude and longitude of where the addresses originated. | latitudelongitude_countcontinentcountry_codecountry_nameregioncitystatepostal_codeconnection_typecountry_cfstate_cfcity_cf | ` | |
| haversine | The haversine operator returns the distance between latitude and longitude values of two coordinates in kilometers. Coordinates need to be positive or negative values based on being north/south or east/west, instead of using the terms N/S, E/W. | ` | ||
| hexToDec | The hexToDec operator converts a hexadecimal string of 16 or fewer characters to long using Two's Complement for negative values. | ` | ||
| if | There are two forms of ternary expression you can use in Sumo Logic queries: one is constructed using the IF operator, and the other uses the question mark (?) operator. These expressions are used to evaluate a condition as either true or false, with values assigned for each outcome. It is a shorthand way to express an if-else condition. | ` | ||
| in | The In operator returns a Boolean value: true if the specified property is in the specified object, or false if it is not. | ` | ||
| ipv4ToNumber | The ipv4ToNumber operator allows you to convert an Internet Protocol version 4 (IPv4) IP address from the octet dot-decimal format to a decimal format. This decimal format makes it easier to compare one IP address to another, rather than relying on IP masking. | `_sourceCategory=service remote_ip | ||
| isBlank | The isBlank operator checks to see that a string contains text. Specifically, it checks to see if a character sequence is whitespace, empty ("") ,or null. It takes a single parameter and returns a Boolean value: true if the variable is indeed blank, or false if the variable contains a value other than whitespace, empty, or null. | ` | ||
| isEmpty | The isEmpty operator checks to see that a string contains text. Specifically, it checks to see whether a character sequence is empty ("") or null. It takes a single parameter and return a Boolean value: true if the variable is indeed empty, or false if the variable contains a value other than empty or null. | ` | ||
| isNull | The isNull operator takes a single parameter and returns a Boolean value: True if the variable is indeed null, or false if the variable contains a value other than null. | ` | ||
| isNumeric | The isNumeric operator checks whether a string is a valid Java number. | ` | ||
| isPrivateIP | The isPrivateIP operator checks if an IPv4 address is private and returns a boolean. | ` | ||
| isPublicIP | The isPublicIP operator checks if an IPv4 address is public and returns a boolean. | ` | ||
| isValidIP | The isValidIP operator checks if the value is a valid IP address. The isValidIPv4 and isValidIPv6 operators check if the value is a valid IPv4 or IPv6 address respectively. | ` | ||
| join | The join operator combines records of two or more data streams. Results are admitted on-the-fly to allow real time tables to be built. Values common to each table are then delivered as search results. | Can be used in Dashboard Panels, but in the search they must be included after the first group-by phrase. | `("starting stream from" OR "starting search") | |
| length | The length operator returns the number of characters in a string. You can use it in where clauses or to create new fields. It returns 0 if the string is null. | ` | ||
| limit | The limit operator reduces the number of raw messages or aggregate results returned. If you simply query for a particular term, for example "error" without using an aggregation operator such as group by, limit will reduce the number of raw messages returned. If you first use group-by or other aggregation operator, the limit operator will reduce the number of grouped results instead. | Can be used in Dashboard Panels, but in the search they must be included after the first group-by phrase. | ` | |
| logcompare | The logcompare operator allows you to compare two sets of logs: baseline (historical) and target (current). To run a LogCompare operation, you can use the LogCompare button on the Messages tab to generate a properly formatted query. | _count_deltaPercentage_anomalyScore_isNew | Not supported in Dashboards. | ` |
| logexplain | The logexplain operator allows you to compare sets of structured logs based on events you're interested in. Structured logs can be in JSON, CSV, key-value, or any structured format. | _explanation_relevance_test_coverage_control_coverage | Not supported with Real Time alerts. Time Compare and the compare operator are not supported against LogExplain results. | `_sourceCategory=stream |
| logreduce | The logreduce algorithm uses fuzzy logic to cluster messages together based on string and pattern similarity. Use the LogReduce button and operator to quickly assess activity patterns for things like a range of devices or traffic on a website. (Formerly Summarize.) | Not supported in Dashboards. | ` | |
| logreduce keys | The logreduce keys operator allows you to quickly explore JSON or key-value formatted logs by schemas. | _signature_id_schema_count | `_sourcecategory="Labs/AWS/GuardDuty_V8" | |
| logreduce values | The logreduce values operator allows you to quickly explore structured logs by known keys. Structured logs can be in JSON, CSV, key-value, or any structured format. | _cluster_id_signature_count | Not supported with Real Time alerts. | `_sourceCategory= cloudtrail errorCode |
| lookup | The lookup operator can return one or more fields from a lookup table hosted by Sumo Logic and add the fields to the log messages returned by your query. | ` | ||
| lookup (classic) | Using a lookup operator, you can map data in your log messages to meaningful information. For example, you'd use a lookup operator to map "userID" to a real user's name. Or, you'd use a lookup operator to find black-listed IP addresses. | ` | parse "name=, phone number=," as (name, phone) | |
| lookupContains | The lookupContains operator determines whether a key exists in a lookup table. | ` | ||
| luhn (credit card validator) | The Luhn operator uses Luhn’s algorithm to check message logs for strings of numbers that may be credit card numbers, and then validates them. It takes a string as an input, strips out all characters that are not numerals, and checks if the resulting string is a valid credit card number, returning true or false accordingly. | ` | ||
| matches | The matches operator can be used to match a string to a wildcard pattern or an RE2 compliant regex. The return of the operator is Boolean; the operator can be used with where or if expressions. | ` | ||
| median | In order to calculate the median value for a particular field, you can utilize the Percentile (pct) operator with a percentile argument of 50. | ` | ||
| merge | The merge operator reduces a stream of events to a single event using a specified merge strategy. It is particularly useful as a subquery for the Transactionize operator. | ` | ||
| now | The now operator returns the current epoch time in milliseconds. It can be used with the formatDate operator to get the formatted current time. | Can be used in Dashboard Panels, but the now() time presented in Live mode (the time the data is processed) doesn't match the search time, so the results are different.The results for search could be hours or days later than the time presented in Live mode. | ` | |
| num | The num operator converts a field to a number. Using Num in a query is useful for sorting results by number instead of alphabetically, which is the default. You can also use double as the operator, as an alias equivalent, if you prefer. | ` | ||
| outlier | Given a series of time-stamped numerical values, using the outlier operator in a query can identify values in a sequence that seem unexpected, and would identify an alert or violation, for example, for a scheduled search. | <field>_error<field>_lower<field>_upper<field>_indicator<field>_violation | `_sourceCategory=IIS/Access | |
| parseHex | The parseHex operator allows you to convert a hexadecimal string of 16 or fewer characters to a number. | ` | ||
| predict | The predict operator uses a series of time stamped numerical values to predict future values. For example, you'd use this operator to take your current disk space capacity numbers, and predict when your system might run out of disk space. | _<agg field>_<agg field>_predicted_<agg field>_error_<agg field>_linear | `_sourceCategory=taskmanager | |
| replace | The replace operator allows you to replace all instances of a specified string with another string. You can specify the string to replace with a matching regex or literal text. You might use it to find all instances of a name and change it to a new name or to replace punctuation in a field with different punctuation. This operator is useful anytime you need to rename something. | ` | ||
| rollingstd | The rollingstd (rolling standard) operator provides the rolling standard deviation of a field over a defined window. Rollingstd displays this value in a new column named _rollingstd. | _rollingstd | Can be used in Dashboard Panels, but in the search they must be included after the first group-by phrase. | ` |
| save | Using the Save operator allows you to save the results of a query into the Sumo Logic file system. Later, you can use the lookup operator to access the saved data. The Save operator saves data in a simple format to a location you choose. | Not supported in Dashboards. | ` | |
| sessionize | The sessionize operator allows you to use an extracted value from one log message (generated from one system) to find correlating values in log messages from other systems. After you run Sessionize, these related events are displayed on the same page. The thread of logs woven together is called a session. | Not supported in Live Dashboards or any continuous query. | `(SearchServiceImpl Creating Query) or (Stream SessionId using searchSessionId) or (Started search with sessionId) | |
| smooth | The smooth operator calculates the rolling (or moving) average of a field, measuring the average of a value to "smooth" random variation. Smooth operator reveals trends in the data set you include in a query. | _smooth | Can be used in Dashboard Panels, but in the search they must be included after the first group-by phrase. | ` |
| sort | The sort operator orders aggregated search results. The default sort order is descending. Then you can use the top or limit operators to reduce the number of sorted results returned. | Can be used in Dashboard Panels, but in the search they must be included after the first group-by phrase. | ` | |
| substring | The substring operator allows you to specify an offset that will output only part of a string, referred to as a substring. You can use this operator to output just a part of a string instead of the whole string, for example, if you wanted to output an employee’s initials instead of their whole name. | ` | ||
| threatip | Check IP addresses against CrowdStrike's threat intelligence data. | ` | threatip ip_address | |
| timeslice | The timeslice operator segregates data by time period, so you can create bucketed results based on a fixed width in time, for example, five minute periods. Timeslice also supports bucketing by a fixed number of buckets across the search results, for example, 150 buckets over the last 60 minutes. An alias for the timeslice field is optional. When an alias is not provided, a default _timeslice field is created. | _timeslice | Timeslices greater than 1 day can't be used in Dashboard Live mode. | ` |
| toLowerCase and toUpperCase | As the name implies, the toLowerCase operator takes a string and converts it to all lower case letters. The toUpperCase operator takes a string and converts it to all upper case letters. | ` | ||
| topk | Select the top values from fields and group them by other fields. | _rank | ` | |
| top | Use the top operator with the sort operator, to reduce the number of sorted results returned. | Can be used in Dashboard Panels, but in the search they must be included after the first group-by phrase. | ` | |
| total | The total operator calculates the grand total of a field and injects that value into every row. It also supports grouping rows by a set of fields. | _total | Can be used in Dashboard Panels, but in the search they must be included after the first group-by phrase. | ` |
| trace | A trace operator acts as a highly sophisticated filter to connect the dots across different log messages. You can use any identifying value with a trace operator (such as a user ID, IP address, session ID, etc.) to retrieve a comprehensive set of activity associated to that original ID. | Not supported in Live Dashboards or any continuous query. | ` | |
| transaction | The transaction operator is used to analyze related sequences of logs. No matter what type of data you're analyzing, from tracking web site sign ups, to e-commerce data, to watching system activity across a distributed system, the transaction operator can be used in a variety of use cases. | _start_time_end_time | Tables generated with unordered data can be added to Dashboards, but Flow Diagrams can't be added to Dashboards.Transaction by flow can't be used with Dashboards. | ` |
| transactionize | The transactionize operator groups logs that match on any fields you specify. Unlike other "group by" operators, where the logs in a group must match on all defined fields, transactionize just needs one field to match in order to assign logs to the same group. | _group_group_duration_group_size_group_orphaned | ` | |
| transpose | The transpose operator dynamically creates columns for aggregate search results. The dynamic functionality allows for changing the output of a query, turning search results into fields. It also means that queries can be designed without first knowing the output schema. | `_sourceCategory=service | ||
| urldecode | The urldecode operator decodes a URL you include in a query, returning the decoded (unescaped) URL string. | ` | ||
| urlencode | The urlencode operator encodes the URL into an ASCII character set. | ` | ||
| where | To filter results in a search query, use "where" as a conditional operator. The where operator must appear as a separate operator distinct from other operators, delimited by the pipe symbol (" | "). In other words, the following construct will not work and will generate a syntax error: |
Math Expressions
You can use general mathematical expressions on numerical data extracted from log lines. For any mathematical or group-by function that implicitly requires integers, Sumo Logic casts the string data to a number for you.
Basic
| Operator | Description | Example |
|---|---|---|
| abs | The absolute function calculates the absolute value of x. | ` |
| cbrt | The cube root function returns the cube root value of x. | ` |
| ceil | The ceiling function rounds up to the smallest integer value. Returns the smallest integral value that is not less than x. | ` |
| floor | The floor function rounds down to the largest previous integer value. Returns the largest integer not greater than x. | ` |
| isNan | isNaN returns true if the string value is not a number, false otherwise. | ` |
| isInfinity | isInfinity returns true if the string value is a positive or negative infinity, false otherwise. | ` |
| max | The maximum function returns the larger of two values. | ` |
| min | The minimum function returns the smaller of two values. | ` |
| round | The round function returns the closest integer to x. | ` |
| sqrt | The square root function returns the square root value of x. | ` |
Exponents and Logs
| Operator | Description | Example |
|---|---|---|
| exp | The exponent function returns Euler's number e raised to the power of x. | ` |
| expm1 | The expm1 function returns value of x in exp(x)-1, compensating for the roundoff in exp(x). | ` |
| log | The logarithm function returns the natural logarithm of x. | ` |
| log10 | The log10 function returns the base 10 logarithm of x. | ` |
| log1p | The log1p function computes log(1+x) accurately for small values of x. | ` |
Trigonometric
| Operator | Description | Example |
|---|---|---|
| sin | Sine of argument in radians. | ` |
| cos | Cosine of argument in radians. | ` |
| tan | Tangent of argument in radians. | ` |
| asin | Inverse sine; result is in radians. | ` |
| acos | Inverse cosine; result is in radians. | ` |
| atan | Inverse tangent; result is in radians. | ` |
| atan2 | Four-quadrant inverse tangent. | ` |
| sinh | Hyperbolic sine of argument in radians. | ` |
| cosh | Hyperbolic cosine of argument in radians. | ` |
| tanh | Hyperbolic tangent of argument in radians. | ` |
Advanced
| Operator | Description | Example |
|---|---|---|
| hypot | Returns the square root of the sum of an array of squares. | ` |
| toDegrees | Converts angles from radians to degrees. | ` |
| toRadians | Converts angles from degrees to radians. | ` |