Sumo Logic Quickstart - Jan 2017

Sumo Logic Confidential

QuickStart WebinarGetting Started with Sumo Logic

Mario SánchezJanuary 2017

Welcome.To give everyone a

chance to successfully

connect, we’ll start at

10:05 AM Pacific.

Note you are currently muted.


At the completion of this webinar, you will be able to…

Understand Data Collection (Admin Topic)Search, Parse and Analyze DataVisualize and Monitor through Dashboards & AlertsTake advantage of the content Library and Apps


What is Sumo Logic?


Continuous Intelligence

DEVOPS IT INFRASTRUCTURE AND OPERATIONS

COMPLIANCE AND SECURITY

DEVOPS

Streamline continuous delivery

Monitor KPI’s and Metrics

Accelerate Troubleshooting

IT INFRASTRUCTURE AND OPERATIONS

Monitor all workloads

Troubleshoot and increase uptime

Simplify, Modernize, and save costs

COMPLIANCE AND SECURITYAutomate and demonstrate complianceAudit all systems

Think beyond rules

Sumo Logic Cloud Analytics Service


Enterprise Logs are Everywhere

Custom App Code

Server / OS

Virtual

Databases

Network

Open Source

Middleware

Content

Delivery

IaaS, PaaS SaaS Securit

y


High-Level Data Flow


Sumo Logic Data Flow

Data Collection Search & Analyze

Visualize & Monitor

Alerts

Dashboards

Collectors

Sources

Operators

Detect

1 2 3


Data Collection


Host A

Collectors and Sources

Apache Access

Apache Error

Collector A Host B Collecto

r B Host C

Collector C

Apache Access

Apache Error

IIS Logs

IIS W3C Logs


Metadata Fields

Name Description

_collector Name of the collector this data came from

_source Name of the source this data came through

_sourceHost Hostname of the server this data came from

_sourceName Name of the log file (including path)

_sourceCategory

Category designation of source data

Tags added to your messages when data is collected

Host A

Apache Access

Apache Error

Collector A


Host A

Metadata Field: Source Category

Apache AccessWS/Apache/Access

Apache ErrorWS/Apache/Error

Collector A Host B Collecto

r B Host C

Collector C

Apache AccessWS/Apache/Access

Apache ErrorWS/Apache/Error

IIS LogsWS/IIS

IIS W3C LogsWS/IIS/W3C

Sample Searches for_sourceCategory:

= WS/Apache/Access = WS/Apache/* = WS/*


Search and Analyze


Set your Preferences

Set your Session Timeout

Query Editing versus

Running


Search Basics OverviewTime Range

HistogramSearch Bar

Search Results

Display Options


Field Browser - Metadata fieldsSumo Logic Confidential

Field Browser

Metadata Fields

Parsed Fields


Keyword Search

Case Insensitive

Wildcard Support (e.g. ERR*)

Boolean Logic SupportANDOR!(A OR B)

Combine these keywords with metadata fields

Bloom filtersUsing keywords helps bloom filters locate data very quickly


• Determine the data available through your search.

• Pre-populated Dropdown– Last 15 min, Today

• Absolute– 12:25PM 12:30PM– 8/11/2015 13:00AM 8/11/2015 14:00AM

• Relative– -5m– -2h– -2d -1d

Time Range


Develop Good Search Habits

Use metadata and keyword combinations to reduce scopeAdd line breaks after each operationLimit result sets before aggregating data user=a | count by userUse parse anchor instead of parse regex for structured messagesAvoid the use of expensive parse regex tokens like .* \d{2,10}Narrow your time-range down as much as possible


Refining Results by Surrounding Messages


• LogReduce uses fuzzy logic and soft matching to cluster messages providing quick investigation view into your environment.

Operators: Looking for the Unknown


• Identify unexpectedly high or low values within determined thresholds |timeslice 1m |count by _timeslice |outlier _count

Operators: Finding Outliers


• Parsing enables a user to extract parts of a message and classify them as fields.– Enables you to perform additional operations

• Logical/conditional – based on values• Mathematical – operations on value sets

• Parsing Options– parse anchor: Leverages beginning and ending anchors– parse regex: Extracts nested information via regex

Extracting and Labeling Additional Fields


Parse Anchor - Using the UIHighlighting

strings in the result

allow you to launch the UI parser

UI Parser allows you to select

fields and label them

Results now show your

parsed fields


• Extracts nested information via regular expressions• Use if the construct of the messages is inconsistent

_sourceCategory=Apache/Access| parse regex "[A-Z]+\s(?<url>/\S*)\sHTTP/1.\d+\"\s(?<status_code>\d+)\s"

Parse Regex


Regular Expressions – References and Resources

Regular Expressions use JRE

Online Resources:• regex101.com• Regular-expressions.info/refadv.html• en.wikipedia.org/wiki/Regular_expression• regexr.com

• Book– Mastering Regular Expressions by Jeffrey E.F. Friedl

http://regexr.com/


Parsing with Field Extraction Rules

Field Extraction RulesParse the data on ingest rather than run-time; simplifies searches Take advantage of interactive dashboard filters


Evaluates messages and places them into groups• Produces aggregates in a separate tab• Must come after basic operators such as parse. Cannot be used with

summarize.

• The count Operator enables you to group messages that match a classification– Ex: _sourceCategory=Apache* | count as mycount

– Ex: GET | count by _sourceCategory

Grouping your Data


• Dissecting your result sets using Metadata Fields– Ability to aggregate results sets and grouping them by metadata fields

• EX: _collector=*apache* | count by _sourceCategory

– Get a count of grouped result sets• Ex: (Error OR fail*)| count by _sourcecategory , _sourcehost

– Organize Results by Count• Ex: _collector=*apache*| count by _sourceCategory | sort by

_count

Leveraging Metadata for Grouping


Timeslice operator enables you to segment your results by time buckets

– Minute (timeslice by 5m)– Hour (timeslice by 1h)– Day (timeslice by 1d)

Example:_sourceCategory=Apache/Access GET|timeslice 1m| count by _timeslice| sort by _timeslice asc

Time-based Grouping


Dashboards


Collection of Panels that provide graphical representation of data

• Each Panel processes results of a single search

• Additional Analysis: Drilldown into corresponding query or another Dashboard

Intro to Dashboards


• Chart Types– Table– Bar– Column– Line– Area– Pie– Box Plot– Google Maps– Single Value

Providing Context through Visualization


• Live Mode– Provides a live stream of data– No Back filling of data

Dashboard Features

Toggle Live Mode


Live versus Interactive ModeUse Case Examples Dashboard

TypeLarge screen displays with streaming updates

Shared Screens for NOC, Operations, Developers.

Live Mode

Template for Exploring Data

Operational Investigations (i.e. Root cause analysis)

Interactive Mode

Historical Reporting and Investigation

Audits, Failed/successful logins for certain groups

Interactive Mode


• Search based (On-Demand)• Backfilling of data• Support Filtering

Dashboard Features

Select Time Range for all

PanelsAbility to use Pre-defined filters

Select filters for individual panels

Select time range for

individual panels


• Filters allow for panels results to be limited dynamically • Filters can be assigned at:

– Dashboard level, Panel Level or both• Filters can be string based or numeric

– The * wildcard is supported for non-numeric filters– Numeric comparison operators supported: >,<,>=,<=

Filtering Details


Dashboards - Adding a Panel

1. Perform your Search

2. Format your Results

3. Add to Dashboard


Alerts


Alerting – Scheduled SearchesUsing a Scheduled Search, you can set Alerts to trigger whenever the search completes or when a certain condition is met.

Alert types include:• Save to Index• Script Action• Email• Webhooks

Blog Post: 2 Key Principles for Creating Meaningful Alerts

https://www.sumologic.com/2015/08/27/2-key-principles-creating-meaningful-alerts/


Saving and Scheduling an Alert

1. Save your Search2. Schedule the Search

3. Specify frequency and time range4. Specify Alert condition & threshold

5. Specify Alert Type and details


Jumpstart with Apps


Installing Applications


In Summary, with Sumo Logic, you can…

Ingest any type of logs (structured and non-structured)Query and Analyze using OperatorsVisualize data through Charts and DashboardsAlert on Critical EventsCall to Action:

Ensure you have a robust _SoureCategory naming conventionSet up Field Extraction Rules for your popular data sourcesTake advantage of any of our existing Apps to start analyzing your data


Questions?

Consume Trainingsumologic.com/training

Read Documentationhelp.sumologic.com

Search/Post to Communitycommunity.sumologic.com

Open a Support Casesupport.sumologic.com

Log a Feature Requestsumologic.ideas.aha.io/ideas

http://sumologic.com/training

http://help.sumologic.com/

http://community.sumologic.com/

https://support.sumologic.com/

https://sumologic.ideas.aha.io/ideas

https://sumologic.ideas.aha.io/ideas


Thank you!


Admin: Source Category Naming Convention

Simplifies Search Syntax and Scope DefinitionsUsed for other Sumo Logic features

Role-Based Access Control (Data Provisioning)Partitioning (Search Optimization Tool)

Adopt a Robust Naming Convention EarlyEx: Prod/Sumo/Apache/Access Env/Customer/Device/MessageTypeEx: OS/Windows/2012/Messages Device/Vendor/Version/MessageTypeBlog Post: Good SourceCategory, Bad SourceCategory

https://www.sumologic.com/2015/08/27/good-sourcecategory-bad-sourcecategory/


Advanced Admin: Search Optimization Tools

How-To Webinar Recording: https://youtu.be/JNWbtws-snsPartitions

Index data for searching over a smaller data set

Scheduled ViewsPre-aggregating data for fast counts/sums over longer time ranges

Field Extraction RulesParse the data on ingest rather than run-time; simplifies searches Take advantage of interactive dashboard filters

https://youtu.be/JNWbtws-sns

https://youtu.be/JNWbtws-sns

Sumo Logic Quickstart - Jan 2017

Software

Transcript of Sumo Logic Quickstart - Jan 2017