Run a Search Against a Partition
Running a search against the data in a partition is almost exactly the same as running any other query. The difference you'll notice is the speed at which results are returned, especially if you're searching over a large amount of data.
Search a partition from a log search tab
To search a particular partition, specify the _index metadata field with the name of the partition in the keyword search expression (also called the scope) of your query. For example, if your partition is named Compliant, you would add _index=Compliant to the scope of your query.
You can only use _index in the keyword search expression that scopes the search, in other words, before the first pipe (|) in the search.
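The placement rule above can be checked mechanically across a set of saved queries. The following is an added example, not part of the original documentation or Sumo Logic's own code: the function names are hypothetical, the sample queries are constructed, and it assumes that a pipe inside double quotes is literal text rather than an operator separator.

```python
import re

# Matches _index=<name> or _index="<name>".
# The set of characters allowed in a partition name is an assumption.
INDEX_RE = re.compile(r'\b_index\s*=\s*"?([\w.\-*]+)"?')

def split_scope(query):
    """Split a query at the first pipe that is outside double quotes.

    Returns (scope, rest); rest is empty when the query has no pipe.
    """
    in_quotes = False
    for i, ch in enumerate(query):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "|" and not in_quotes:
            return query[:i], query[i + 1:]
    return query, ""

def check_query(query):
    """Report partitions named in the scope and any _index after the first pipe."""
    scope, rest = split_scope(query)
    return {
        "partitions": INDEX_RE.findall(scope),  # correctly placed
        "misplaced": INDEX_RE.findall(rest),    # used after the first pipe
    }

# Constructed sample queries, for illustration only.
SAMPLES = [
    '_index=Compliant error | count by _sourceHost',
    'error | where _index="Compliant"',
    '_index=sumologic_default "a|b" | count',
    'error | count',
]

if __name__ == "__main__":
    for q in SAMPLES:
        result = check_query(q)
        if result["misplaced"]:
            status = "MISPLACED _index after first pipe"
        elif result["partitions"]:
            status = "scoped to " + ", ".join(result["partitions"])
        else:
            status = "no partition in scope"
        print(f"{status:40} {q}")
```
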
Search the default partition
Data that you ingest that is not directed to a partition will go to the default partition, named sumologic_default. The default partition is the first partition listed on the Partitions page. To run a search against the default partition, include _index=sumologic_default in the scope of your search.
Run a search against a partition from the Partitions page
- Go to Manage Data > Logs > Partitions.
- Do one of the following:
  - Click the Search Icon to the right of the partition name. This launches a search on just the data indexed in the partition.
  - Select a partition from the table and click the Search Icon to the right of the routing expression. This launches a search that runs the expression against the partition, as well as any other logs that match the query. This means that you can capture search results on all data, not just the data indexed in the partition.
Searching partitions in Data Tiers
If you have the Data Tiers feature, see Searching Data Tiers for information about how to search partitions by Data Tier.
Why did I get a message to run a search against a partition?
After starting a search that would return faster results if the query were run against a partition, you’ll see a message appear under the search bar that includes a link to the recommended, optimized search.
When the link opens the optimized search in a new search tab, run the search by pressing the Enter/Return key or by clicking Start on the Search page. By default, the optimized search uses the same time range as your original search.