Sumo Logic QuickStart Webinar 10/15: How to Analyze All Your Machine Data

Sumo Logic QuickStart

October 15, 2014 Colin Corstorphine Customer Outreach Manager

Sumo Logic Confiden?al

!   Introduc?on !   What’s New !   Tips and Tricks !   Searching and Parsing Data !   Basic Dashboards !   Q&A

Agenda

Sumo Logic Confiden?al 2

Real-‐Time Analy?cs

!   Cloud –  Simple to deploy, no maintenance required

The Sumo Logic Difference


LogReduce

Elas?c Scalability

Cloud !   Elas?c scalability

–  Horsepower to process all your IT data

!   PaUern recogni?on with LogReduce™ –  Enables anomaly detec?on

!   Real-‐?me Analy?cs –  IT and business insights in real ?me

Logs and the Enterprise


Custom App Code

Server / OS

Virtualiza?on

Databases

Network

Open Source So[ware

Middleware

What’s New


!   Field Extrac?on –  Allows you to parse upon ingest which saves ?me and effort when you have a set of fields that are commonly needed from a log.

!   Pinned Searches –  Allows you to keep a search running (even if the browser window closes) and return to it later and have the results saved.

Field Extrac?on & Pinned Searches


Tips and Tricks


Account Preferences


Session Timeout

Query Edi?ng/Running

Searching and Parsing Data


Search Basic Overview


Search Bar

Time Range

Histogram

Search Results

Display

!   Enter keywords and operators (separated by |) that build on top of each other

Search Syntax Flow


Keyword Iden?fica?on

Data Classifica?on

Ac?ons and Opera?ons

Display Configura?on

Desired Results

!   Full-‐text search expressions enable you to search for mul?ple terms and logical expressions –  Case insensi?ve – Wildcard support – Metadata field –  Boolean logic

•  Complete (AND/OR) •  Implicit AND

Keyword Expression


!   Metadata tags are associated to your log messages when data is collected and are set during Source/Collector configura?on.

Metadata Fields


Name Descrip,on

_collector Name of collector when installed

_source Name of the source defined during configura?on

_sourceHost The host name of the source

_sourceCategory Category associated with the source

_sourceName The name of the log file (including path)

!   Metadata can be used with keyword search –  Use with an underscore to invoke them

Metadata Fields


!   The data available to your search request is determined by the selected ?me range. –  Pre-‐populated

•  Last 15 Minutes •  Last 3 Hours •  Today

–  Absolute •  12:25 12:30 •  8/11 12:00 8/11 13:00

–  Rela?ve •  -‐5m •  -‐2h •  -‐2h -‐1h

Time Range


!   Combina?on of boolean logic, wild-‐cards and metadata (Error* OR fail* OR except*) AND _sourceCategory=*apache*

Example 1


!   Exact string matching (_sourceCategory=Apache/Access AND !"Macintosh; Intel Mac OS X 10_6_8") AND *GET

Example 2


!   Adding a metadata field value

Refining results based on keywords


Refining Results by Surrounding Messages


! LogReduce uses fuzzy logic and so[ matching to cluster messages providing quick inves?ga?on view into your environment.

(Error OR fail*)

Looking for the Unknown


Result Sets

! LogReduce uses fuzzy logic and so[ matching to cluster messages providing quick inves?ga?on view into your environment.

(Error OR fail*)| summarize

Looking for the Unknown


!   Parsing enables a user to extract parts of a message and classify them as fields. –  A specific key/value you want to extract –  Enables you to perform addi?onal opera?ons

•  Logical/condi?onal – based on values •  Mathema?cal – opera?ons on value sets

!   Ways of defining fields –  Parse anchor: leverages start and stop anchors –  Parse regex: extracts nested informa?on via regex –  Pre-‐defined parsers: predefined libraries of named fields –  Field extrac?on

Extrac?ng addi?onal labels/fields


!   Single field example

Parse Anchor Using the UI


!   The count Operator enables you to group messages that match a classifica?on –  No Group: provides a total message count

•  Ex: * | count •  Ex: : * | count as mycount

The count operator


!   Dissec?ng your result sets using metadata fields –  Ability to aggregate results sets and grouping them by metadata fields •  EX: _collector=*apache* | count by _sourceCategory

–  Get a count of grouped result sets •  Ex: (Error OR fail*)| count by _sourcecategory , _sourcehost

–  Organize Results by Count •  Ex: _collector=*apache*| count by _sourceCategory | sort by _count

Leveraging Metadata for grouping


! Timeslice operator enables you to segment your results by ?me buckets – Minute (?meslice by 5m) –  Hour (?meslice by 1h) –  Day (?meslice by 1d)

Time-‐based Grouping


!   Now that you have grouped your data there’s different ways of displaying your result sets

!   Icons of different charts –  Table –  Pie –  Bar –  Line –  Area

Providing Context through Visualiza?on


!   Dashboards contain a collec?on of real-‐?me Monitors that provide a graphical representa?on of your data –  Each Monitor processes messages as they are received –  Drilldown for addi?onal analysis –  Choose from several chart types

Introduc?on to Dashboards


!   Perform search

Dashboard: Adding a Monitor


Installing Applica?ons


Ques?ons?


!   Tuesday, November 4th, 10AM PST/ 1PM EST – Tech Chat: What’s New in Sumo Logic

•  Pinned Searches and Field Extrac?on

!   Thursday, November 6th, 10AM PST/ 1PM EST – QuickStart Webinar

Coming up…


!   Post and respond to ques?ons

!   Submit feature requests (& vote on others)

!   Submit “?ps and tricks” based on what you learn

Engage With The Sumo Logic Community


Click on the Community sec?on at

h0ps://support.sumologic.com/home

!   Reques?ng help via Support a[er consul?ng the Community

!   Search our docs for more detail

!   Consider Professional Services offerings –  In-‐depth training –  Integra?on and use case development

–  Contact your sales rep or support for details

!   Invite your colleagues to future webinars

customer-‐[email protected]

Don’t forget


Sumo Logic QuickStart Webinar 10/15: How to Analyze All Your Machine Data

Technology

Transcript of Sumo Logic QuickStart Webinar 10/15: How to Analyze All Your Machine Data