Sumo Logic QuickStart Webinar - Dec 2016

Post on 13-Feb-2017


Transcript of Sumo Logic QuickStart Webinar - Dec 2016

Sumo Logic Confidential

QuickStart Webinar: Getting Started with Sumo Logic

Mario Sánchez, December 2016

Welcome. To give everyone a chance to successfully connect, we’ll start at 10:05 AM Pacific.

Note you are currently muted.

At the completion of this webinar, you will be able to…

• Understand Data Collection (Admin Topic)
• Search, Parse and Analyze Data
• Visualize and Monitor through Dashboards & Alerts
• Take advantage of the content Library and Apps

What is Sumo Logic?


Continuous Intelligence

DEVOPS
• Streamline continuous delivery
• Monitor KPIs and Metrics
• Accelerate Troubleshooting

IT INFRASTRUCTURE AND OPERATIONS
• Monitor all workloads
• Troubleshoot and increase uptime
• Simplify, Modernize, and save costs

COMPLIANCE AND SECURITY
• Automate and demonstrate compliance
• Audit all systems
• Think beyond rules

Sumo Logic Cloud Analytics Service

Enterprise Logs are Everywhere

• Custom App Code
• Server / OS
• Virtual
• Databases
• Network
• Open Source
• Middleware
• Content Delivery
• IaaS, PaaS, SaaS
• Security

High-Level Data Flow


Sumo Logic Data Flow

1. Data Collection: Collectors, Sources
2. Search & Analyze: Operators, Detect
3. Visualize & Monitor: Alerts, Dashboards

Data Collection


Collectors and Sources

• Host A / Collector A: Apache Access, Apache Error
• Host B / Collector B: Apache Access, Apache Error
• Host C / Collector C: IIS Logs, IIS W3C Logs

Metadata Fields

Tags added to your messages when data is collected.

Name             Description
_collector       Name of the collector this data came from
_source          Name of the source this data came through
_sourceHost      Hostname of the server this data came from
_sourceName      Name of the log file (including path)
_sourceCategory  Category designation of source data

Metadata Field: Source Category

Host A / Collector A:
• Apache Access: WS/Apache/Access
• Apache Error: WS/Apache/Error
Host B / Collector B:
• Apache Access: WS/Apache/Access
• Apache Error: WS/Apache/Error
Host C / Collector C:
• IIS Logs: WS/IIS
• IIS W3C Logs: WS/IIS/W3C

Sample Searches for _sourceCategory:
• _sourceCategory = WS/Apache/Access
• _sourceCategory = WS/Apache/*
• _sourceCategory = WS/*

Search and Analyze


Set your Preferences

• Set your Session Timeout
• Query Editing versus Running

Search Basics Overview

• Time Range
• Histogram
• Search Bar
• Search Results
• Display Options

Field Browser - Metadata fields

The Field Browser lists:
• Metadata Fields
• Parsed Fields

Search Structure

Keywords and operators (separated by pipes) that build on top of each other.

Syntax: metadata tags + keywords | parse | filter | aggregate | sort | limit

Example Search: (screenshot annotated with the metadata, keyword, where and Results portions of the query)

Keyword Search

• Case Insensitive
• Wildcard Support (e.g. ERR*)
• Boolean Logic Support: AND, OR, !(A OR B)
• Combine these keywords with metadata fields
• Bloom filters: Using keywords helps bloom filters locate data very quickly

Time Range

• Determine the data available through your search.
• Pre-populated Dropdown
– Last 15 min, Today
• Absolute
– 12:25PM 12:30PM
– 8/11/2015 13:00AM 8/11/2015 14:00AM
• Relative
– -5m
– -2h
– -2d -1d

Develop Good Search Habits

• Use metadata and keyword combinations to reduce scope
• Add line breaks after each operation
• Limit result sets before aggregating data, e.g. user=a | count by user
• Use parse anchor instead of parse regex for structured messages
• Avoid the use of expensive parse regex tokens like .* \d{2,10}
• Narrow your time range down as much as possible

Refining Results by Surrounding Messages


Operators: Looking for the Unknown

• LogReduce uses fuzzy logic and soft matching to cluster messages, providing a quick investigation view into your environment.

Operators: Finding Outliers

• Identify unexpectedly high or low values within determined thresholds:
| timeslice 1m | count by _timeslice | outlier _count

Extracting and Labeling Additional Fields

• Parsing enables a user to extract parts of a message and classify them as fields.
– Enables you to perform additional operations
• Logical/conditional: based on values
• Mathematical: operations on value sets
• Parsing Options
– parse anchor: Leverages beginning and ending anchors
– parse regex: Extracts nested information via regex

Parse Anchor - Using the UI

• Highlighting strings in the result allows you to launch the UI parser
• The UI Parser allows you to select fields and label them
• Results now show your parsed fields

Parse Regex

• Extracts nested information via regular expressions
• Use if the construct of the messages is inconsistent

_sourceCategory=Apache/Access
| parse regex "[A-Z]+\s(?<url>/\S*)\sHTTP/1.\d+\"\s(?<status_code>\d+)\s"

Regular Expressions – References and Resources

Regular Expressions use JRE

Online Resources:
• regex101.com
• Regular-expressions.info/refadv.html
• en.wikipedia.org/wiki/Regular_expression
• regexr.com

• Book: Mastering Regular Expressions by Jeffrey E.F. Friedl

Parsing with Field Extraction Rules

Field Extraction Rules:
• Parse the data on ingest rather than at run time; simplifies searches
• Take advantage of interactive dashboard filters

Grouping your Data

Evaluates messages and places them into groups.
• Produces aggregates in a separate tab
• Must come after basic operators such as parse. Cannot be used with summarize.
• The count Operator enables you to group messages that match a classification
– Ex: _sourceCategory=Apache* | count as mycount
– Ex: GET | count by _sourceCategory

Leveraging Metadata for Grouping

• Dissecting your result sets using Metadata Fields
– Ability to aggregate result sets and group them by metadata fields
• Ex: _collector=*apache* | count by _sourceCategory
– Get a count of grouped result sets
• Ex: (Error OR fail*) | count by _sourcecategory, _sourcehost
– Organize Results by Count
• Ex: _collector=*apache* | count by _sourceCategory | sort by _count

Time-based Grouping

The timeslice operator enables you to segment your results by time buckets:
– Minute (timeslice by 5m)
– Hour (timeslice by 1h)
– Day (timeslice by 1d)

Example:
_sourceCategory=Apache/Access GET
| timeslice 1m
| count by _timeslice
| sort by _timeslice asc
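As an added illustration (not part of the webinar deck), the Python below emulates what the Parse Regex slide's query and the count by / timeslice examples above do, run over a few constructed Apache access-log lines. Sumo Logic's parse regex uses Java (JRE) named groups `(?<name>...)`; Python's re module needs `(?P<name>...)`, which is the only change made to the deck's pattern. The function names and sample lines are my own.

```python
import re
from collections import Counter
from datetime import datetime

# The deck's parse regex, with Java-style (?<name>...) groups rewritten as
# Python's (?P<name>...). Everything else is as on the Parse Regex slide.
URL_STATUS = re.compile(r'[A-Z]+\s(?P<url>/\S*)\sHTTP/1.\d+"\s(?P<status_code>\d+)\s')
# Apache's bracketed timestamp, used here to stand in for Sumo's _messagetime.
TIMESTAMP = re.compile(r'\[(?P<ts>[^\]]+)\]')

# Constructed sample access-log lines (not from the webinar).
SAMPLE_LOG = """\
10.0.0.1 - - [11/Aug/2015:13:00:05 -0700] "GET /index.html HTTP/1.1" 200 1043
10.0.0.2 - - [11/Aug/2015:13:00:42 -0700] "POST /login HTTP/1.1" 401 512
10.0.0.3 - - [11/Aug/2015:13:01:10 -0700] "GET /admin HTTP/1.0" 403 221
10.0.0.1 - - [11/Aug/2015:13:01:59 -0700] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [11/Aug/2015:13:01:59 -0700] malformed request with no status
"""


def parse_regex(lines):
    """Emulate `| parse regex "..."`: a message that does not match is dropped."""
    records = []
    for line in lines:
        m, t = URL_STATUS.search(line), TIMESTAMP.search(line)
        if not (m and t):
            continue
        when = datetime.strptime(t.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
        records.append({'url': m.group('url'),
                        'status_code': m.group('status_code'),
                        '_messagetime': when})
    return records


def count_by(records, *fields):
    """Emulate `| count by f1, f2`: returns {(f1, f2): _count}."""
    return dict(Counter(tuple(r[f] for f in fields) for r in records))


def timeslice_count(records, minutes=1):
    """Emulate `| timeslice <N>m | count by _timeslice | sort by _timeslice asc`."""
    buckets = Counter()
    for r in records:
        t = r['_messagetime']
        bucket = t.replace(minute=t.minute - t.minute % minutes, second=0, microsecond=0)
        buckets[bucket] += 1
    return sorted(buckets.items())


if __name__ == '__main__':
    recs = parse_regex(SAMPLE_LOG.splitlines())
    print(count_by(recs, 'status_code'))  # {('200',): 2, ('401',): 1, ('403',): 1}
    for slice_start, n in timeslice_count(recs):
        print(slice_start.isoformat(), n)
```

The malformed fifth line is silently dropped, which is exactly what parse regex does to non-matching messages unless you add `nodrop`; checking counts against raw message volume is how you notice that.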

Dashboards


Intro to Dashboards

A collection of Panels that provide a graphical representation of data.
• Each Panel processes results of a single search
• Additional Analysis: Drilldown into the corresponding query or another Dashboard

Providing Context through Visualization

• Chart Types: Table, Bar, Column, Line, Area, Pie, Box Plot, Google Maps, Single Value

Dashboard Features

• Live Mode (Toggle Live Mode)
– Provides a live stream of data
– No backfilling of data

Live versus Interactive Mode

Use Case                                   | Examples                                            | Dashboard Type
Large screen displays with streaming updates | Shared Screens for NOC, Operations, Developers       | Live Mode
Template for Exploring Data                | Operational Investigations (i.e. Root cause analysis) | Interactive Mode
Historical Reporting and Investigation     | Audits, Failed/successful logins for certain groups  | Interactive Mode

Dashboard Features (Interactive Mode)

• Search based (On-Demand)
• Backfilling of data
• Support Filtering
– Select Time Range for all Panels
– Ability to use Pre-defined filters
– Select filters for individual panels
– Select time range for individual panels

Filtering Details

• Filters allow for panel results to be limited dynamically
• Filters can be assigned at:
– Dashboard level, Panel level or both
• Filters can be string based or numeric
– The * wildcard is supported for non-numeric filters
– Numeric comparison operators supported: >, <, >=, <=

Dashboards - Adding a Panel

1. Perform your Search

2. Format your Results

3. Add to Dashboard


Alerts


Alerting – Scheduled Searches

Using a Scheduled Search, you can set Alerts to trigger whenever the search completes or when a certain condition is met.

Alert types include:
• Save to Index
• Script Action
• Email
• Webhooks

Blog Post: 2 Key Principles for Creating Meaningful Alerts

Saving and Scheduling an Alert

1. Save your Search
2. Schedule the Search
3. Specify frequency and time range
4. Specify Alert condition & threshold
5. Specify Alert Type and details

Jumpstart with Apps


Installing Applications


In Summary, with Sumo Logic, you can…

• Ingest any type of logs (structured and non-structured)
• Query and Analyze using Operators
• Visualize data through Charts and Dashboards
• Alert on Critical Events

Call to Action:
• Ensure you have a robust _sourceCategory naming convention
• Set up Field Extraction Rules for your popular data sources

Questions?

• Consume Training: sumologic.com/training
• Read Documentation: help.sumologic.com
• Search/Post to Community: community.sumologic.com
• Open a Support Case: support.sumologic.com
• Log a Feature Request: sumologic.ideas.aha.io/ideas

Thank you!

Admin: Source Category Naming Convention

• Simplifies Search Syntax and Scope Definitions
• Used for other Sumo Logic features
– Role-Based Access Control (Data Provisioning)
– Partitioning (Search Optimization Tool)
• Adopt a Robust Naming Convention Early
– Ex: Prod/Sumo/Apache/Access (Env/Customer/Device/MessageType)
– Ex: OS/Windows/2012/Messages (Device/Vendor/Version/MessageType)

Blog Post: Good SourceCategory, Bad SourceCategory

Advanced Admin: Search Optimization Tools

How-To Webinar Recording: https://youtu.be/JNWbtws-sns

• Partitions: Index data for searching over a smaller data set
• Scheduled Views: Pre-aggregating data for fast counts/sums over longer time ranges
• Field Extraction Rules: Parse the data on ingest rather than at run time; simplifies searches and lets you take advantage of interactive dashboard filters