Sumo Logic search syntax uses logical, familiar operators, allowing you to build ad hoc queries quickly and efficiently.
Guide contents
In this section, we will introduce the following concepts:
📄️ About Search Basics
Our Search Syntax is based on a funnel or "pipeline" concept. The wide mouth of the funnel begins with all your current Sumo Logic data, and
📄️ Built-in Metadata
Sumo Logic has several metadata fields that are automatically tagged to ingested data. These metadata fields are referenced by the service in
📄️ Chart Search Results
In the Aggregates tab, in addition to the standard table view, you can view search results as a chart, such as a bar or column chart.
📄️ Comments in Search Queries
On the Search page, you can add comments and comment out lines of
📄️ Pause or Cancel a Search
You can pause or cancel a search when it is in progress. Most users want to cancel a search in progress that is taking too long. You can stop the search and improve your query. You can also pause a search and check timestamps to see what data has been searched so far.
📄️ Quick Search for Collectors and Sources
You can quickly start a search for a Collector, Source, or Source Category from the Manage Collection page.
📄️ Reference a Field with Special Characters
The Sumo Logic query language allows alphanumeric characters and underscores in field names, except that a field name cannot start with a number. When a field name contains special characters, you must escape it with the following syntax wherever the field is referenced in the query:
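As an added illustration (not a query from the original page), the following assumes a field named `http-status` already exists on the messages, for example populated by a Field Extraction Rule, and shows the `%"..."` wrapping form that Sumo Logic uses for such names; the source category and field name are assumptions chosen for the example:

```sumo
// Constructed example: `http-status` contains a hyphen, so a bare reference
// would be parsed as the expression `http - status`. Wrapping the name in
// %"..." makes the query engine treat it as a single field name in every
// operator that references it.
_sourceCategory=prod/web
| where %"http-status" = "500"
| count by %"http-status"
```

The escaping is required at every reference, not only the first one, so both the `where` filter and the `count by` grouping use the wrapped form.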
📄️ Save a Search
Whether you are running ad hoc searches during a forensic investigation or running standard searches for health checks, you can save any search to run again later.
📄️ Search Autocomplete
On the Search page, as you begin typing to enter a query in the search text box, the search autocomplete drop-down dialog opens to offer suggestions to make query writing easier.
📄️ Search Large Messages
When collecting log messages or event logs larger than 64 KB, Sumo Logic slices each message into a stream of smaller message chunks.
📄️ Search Surrounding Messages
Surrounding messages let you investigate the events around a given message in the context of the Host, file name, or category identified, so you can view the activity for the defined time period.
📄️ Share a Link to a Search
Share a link to search query results.
📄️ Time Range Expressions
When you are building a search query, you have the option to add a time range expression in the time range field.
📄️ View Search Results for JSON Logs
If your search returns fields that are valid JSON objects, you can expand or collapse the view on the Messages tab to show or hide the JSON substructure, or present the messages as formatted JSON code.
📄️ View Traces Search Results
In the Messages tab, some search results may have associated Traces data to review. You can right-click to drill down and open the Trace View for any log entry with a Trace ID (traceid...) or Span ID (spanid...). See [View and Investigate Traces] and [Traces] for more information.