Skip to main content

Metrics Data Volume Index

Sumo Logic populates the Metrics Data Volume Index with a set of JSON-formatted messages every five minutes. The messages contain the volume of metric data points your account is ingesting. 

You can query the index to:

  • Get the total metric data volume (data points) ingested by collector, source, source name, source category, or source host. 

Message format

Each JSON message contains the parent object for each source data point, and child objects that detail the data points for each parent.

For example, a single message for collector volume data may look similar to the following, where collector_N is the name of a collector. The data points values are the aggregated volume for a five minute time period.

_index=sumologic_volume _sourcecategory=sourcecategory_tracing_volume
| parse regex "\"(?<collector>[^\"]+)\"\:\{\"billedBytes\"\:(?<billedBytes>\d+)\,\"spansCount\"\:(?<spansCount>\d+)\}" multi
| timeslice 1h
|sum(billedBytes) as %"billedBytes" by _timeslice
| predict %"billedBytes" by 1h model=ar, forecast=20
| fields - billedBytes_error

Querying the Metrics Data Volume index

When you query the index, the query scope must include the following:

_index=sumologic_volume _sourceCategory=<index_source_category>

Where index_source_category is one of the categories listed in the table below.

Index Log TypeIndex Source CategoryDescription
Collectorcollector_metrics_volumeUse this source category to query metric volume by collector.
Sourcesource_metrics_volumeUse this source category to query metric volume by source.
SourceNamesourcename_metrics_volumeUse this source category to query metric volume by source name. 
SourceCategorysourcecategory_metrics_volumeUse this source category to query metric volume by source category.
SourceHostsourcehost_metrics_volumeUse this source category to query metric volume by source host. 
Logs-to-Metricslogstometricsrulename_metrics_volumeUse this source category to query metric volume by logs-to-metrics rule.

Metric volume query examples

Metric volume by source category

This query returns the metric volume by source category.

_index=sumologic_volume _sourceCategory="sourcecategory_metrics_volume" 
| parse regex "\"(?<sourcecategory>[^\"]+)\"\:\{\"dataPoints\"\:(?<datapoints>\d+)\}" multi
| sum(datapoints) as datapoints by sourcecategory

It returns results like these:

metric-volume-source-category

Metric volume by collector

This query returns the metric volume by collector.

_index=sumologic_volume  _sourceCategory="collector_metrics_volume"
| parse regex "\"(?<collector>[^\"]+)\"\:\{\"dataPoints\"\:(?<datapoints>\d+)\}" multi
| sum(datapoints) as datapoints by collector

It returns results like these:

metric-volume-collector.png

Metric volume for a specific collector

This query returns the metric volume for a specific Collector. The Collector name can be supplied within using the where operator to get the ingest data for a specific Collector.

_index=sumologic_volume  _sourceCategory="collector_metrics_volume"
| parse regex "\"(?<collector>[^\"]+)\"\:\{\"dataPoints\"\:(?<datapoints>\d+)\}" multi
| where collector= "<<collector_name>>"
| sum(datapoints) as datapoints by collector
| fields datapoints

Query for metric ingestion outliers 

This query runs against the metrics volume index and uses the outlier operator to find timeslices in which your metric ingestion in DPM was greater than the running average by a statistically significant amount. 

_index=sumologic_volume _sourcecategory=sourcecategory_metrics_volume 
| parse regex "\"(?<collector>[^\"]+)\"\:\{\"dataPoints\"\:(?<datapoints>\d+)\}" multi
| timeslice 6h
| sum(datapoints) as datapoints by _timeslice
| outlier datapoints

The suggested time range for this query is 7 days. Timeslices can always be reduced depending on the time range of the query.

Query for metric ingestion prediction 

This query runs against the metrics volume index and uses the predict operator to predict future values.

_index=sumologic_volume _sourcecategory=sourcecategory_metrics_volume datapoints
| parse regex "\"(?<collector>[^\"]+)\"\:\{\"dataPoints\"\:(?<datapoints>\d+)\}" multi
| timeslice 1h
| sum(datapoints) as datapoints by _timeslice
| predict datapoints by 1h model=ar, forecast=20
| fields - datapoints_error

The suggested time range for this query is 7 days. Timeslices can always be reduced depending on the time range of the query.