Sumo Logic quickStart Webinar June 2016

Sumo Logic Confidential

QuickStart WebinarGetting Started with Sumo Logic

Mario Sánchez

June 2016

Welcome.

To give everyone a

chance to successfully

connect, we’ll start at

10:05 AM Pacific.


At the completion of this webinar, you will be able to…

Understand Data Collection (Admin Topic)

Search, Parse and Analyze Data

Visualize and Monitor through Dashboards & Alerts

Take advantage of the Library and Apps

Understand Optimization Tools (Admin Topic)


What is Sumo Logic?


Continuous Intelligence

DEVOPS IT INFRASTRUCTURE

AND OPERATIONS

COMPLIANCE AND

SECURITY

DEVOPS

Streamline continuous delivery

Monitor KPI’s and Metrics

Accelerate Troubleshooting

IT INFRASTRUCTURE

AND OPERATIONS

Monitor all workloads

Troubleshoot and increase uptime

Simplify, Modernize, and save costs

COMPLIANCE AND

SECURITY

Automate and

demonstrate compliance

Audit all systems

Think beyond rules

Sumo Logic Cloud Analytics Service


sumologic.com/compliance


Enterprise Logs are Everywhere

Custom App

Code

Server / OS

Virtual

Databases

Network

Open

Source

Middleware

Content

Delivery

IaaS,

PaaSSaaS Security


High-Level Data Flow


Sumo Logic Data Flow

Data Collection Search & Analyze Visualize & Monitor

Alerts

Dashboards

Collectors

Sources

Operators

Detect

1 2 3


Data Collection


Host A

Collectors and Sources

Apache Access

Apache Error

Collector

AHost B

Collector

BHost C

Collector

C

Apache Access

Apache Error

IIS Logs

IIS W3C Logs


Metadata Fields

Name Description

_collector Name of the collector this data came from

_source Name of the source this data came through

_sourceHost Hostname of the server this data came from

_sourceName Name of the log file (including path)

_sourceCategor

y

Category designation of source data

Tags added to your messages when data is collected

Host A

Apache Access

Apache Error

Collector

A


Host A

Metadata Field: Source Category

Apache Access

_sourceCategory =

WS/Apache/Access

Apache Error

_sourceCategory =

WS/Apache/Error

Collector

AHost B

Collector

BHost C

Collector

C

Apache Access

_sourceCategory =

WS/Apache/Access

Apache Error

_sourceCategory =

WS/Apache/Error

IIS Logs

_sourceCategory =

WS/IIS

IIS W3C Logs

_sourceCategory =

WS/IIS/W3C

Sample Searches for

_sourceCategory:

= WS/Apache/Access

= WS/Apache/*

= WS/*


Source Category Naming Convention

Simplifies Search Syntax and Scope Definitions

Used for other Sumo Logic features

Role-Based Access Control (Data Provisioning)

Partitioning (Search Optimization Tool)

Adopt a Robust Naming Convention Early

Ex: Prod/Sumo/Apache/Access Env/Customer/Device/MessageType

Ex: OS/Windows/2012/Messages Device/Vendor/Version/MessageType

Blog Post: Good SourceCategory, Bad SourceCategory

https://www.sumologic.com/2015/08/27/good-sourcecategory-bad-sourcecategory/


Search and Analyze


Set your

Preferences

Set your Session

Timeout

Query Editing

versus Running


Search Basics OverviewTime Range

Histogram

Search Bar

Search Results

Display Options


Field Browser - Metadata fields


Field Browser

Metadata Fields

Parsed Fields


Keyword Search

Case Insensitive

Wildcard Support (e.g. ERR*)

Boolean Logic Support

AND

OR

!(A OR B)

Combine these keywords with metadata fields

Bloom filters

Using keywords helps bloom filters locate data very quickly


• Determine the data available through your search.

• Pre-populated Dropdown

– Last 15 min, Today

• Absolute

– 12:25PM 12:30PM

– 8/11/2015 13:00AM 8/11/2015 14:00AM

• Relative

– -5m

– -2h

– -2d -1d

Time Range


Develop Good Search Habits

Use metadata and keyword combinations to reduce scope

Add line breaks after each operation

Limit result sets before aggregating data user=a | count by user

Use parse anchor instead of parse regex for structured messages

Avoid the use of expensive parse regex tokens like .* \d{2,10}

Narrow your time-range down as much as possible


Refining Results by Surrounding Messages


• LogReduce uses fuzzy logic and soft matching to cluster messages providing quick

investigation view into your environment.

Operators: Looking for the Unknown


• Identify unexpectedly high or low values within determined thresholds

|timeslice 1m

|count by _timeslice

|outlier _count

Operators: Finding Outliers


• Parsing enables a user to extract parts of a message and classify them as

fields.

– Enables you to perform additional operations

• Logical/conditional – based on values

• Mathematical – operations on value sets

• Parsing Options

– parse anchor: Leverages beginning and ending anchors

– parse regex: Extracts nested information via regex

Extracting and Labeling Additional Fields


Parse Anchor - Using the UI

Highlighting

strings in the

result allow

you to launch

the UI parserUI Parser allows

you to select fields

and label them

Results now show

your parsed fields


• Extracts nested information via regular expressions

• Use if the construct of the messages is inconsistent

_sourceCategory=Apache/Access

| parse regex "[A-Z]+\s(?<url>/\S*)\sHTTP/1.\d+\"\s(?<status_code>\d+)\s"

Parse Regex


Regular Expressions – References and Resources

Regular Expressions use JRE

Online Resources:

• regex101.com

• Regular-expressions.info/refadv.html

• en.wikipedia.org/wiki/Regular_expression

• regexr.com

• Book

– Mastering Regular Expressions by Jeffrey E.F. Friedl

http://regexr.com/


Evaluates messages and places them into groups

• Produces aggregates in a separate tab

• Must come after basic operators such as parse. Cannot be used with summarize.

• The count Operator enables you to group messages that match a classification

– Ex: _sourceCategory=Apache* | count as mycount

– Ex: GET | count by _sourceCategory

Grouping your Data


• Dissecting your result sets using Metadata Fields

– Ability to aggregate results sets and grouping them by metadata fields

• EX: _collector=*apache* | count by _sourceCategory

– Get a count of grouped result sets

• Ex: (Error OR fail*)| count by _sourcecategory , _sourcehost

– Organize Results by Count

• Ex: _collector=*apache*| count by _sourceCategory | sort by _count

Leveraging Metadata for Grouping


Timeslice operator enables you to segment your

results by time buckets

– Minute (timeslice by 5m)

– Hour (timeslice by 1h)

– Day (timeslice by 1d)

Example:

_sourceCategory=Apache/Access GET

|timeslice 1m

| count by _timeslice

| sort by _timeslice asc

Time-based Grouping


Visualize and Monitor


Collection of Panels that

provide graphical

representation of data

• Each Panel processes results

of a single search

• Additional Analysis: Drilldown

into corresponding query or

another Dashboard

Intro to Dashboards


• Chart Types

– Table

– Bar

– Column

– Line

– Area

– Pie

– Box Plot

– Google Maps

– Single Value

Providing Context through Visualization


• Live Mode

– Provides a live stream of data

– No Back filling of data

Dashboard Features

Toggle Live

Mode


Live versus Interactive Mode

Use Case Examples Dashboard

Type

Large screen displays

with streaming updates

Shared Screens for NOC,

Operations, Developers.

Live Mode

Template for Exploring

Data

Operational Investigations (i.e. Root

cause analysis)

Interactive

Mode

Historical Reporting

and Investigation

Audits, Failed/successful logins for

certain groups

Interactive

Mode


• Search based (On-Demand)

• Backfilling of data

• Support Filtering

Dashboard Features

Select Time

Range for all

PanelsAbility to use

Pre-defined

filters

Select filters for

individual panels

Select time range

for individual

panels


• Filters allow for panels results to be limited dynamically

• Filters can be assigned at:

– Dashboard level, Panel Level or both

• Filters can be string based or numeric

– The * wildcard is supported for non-numeric filters

– Numeric comparison operators supported: >,<,>=,<=

Filtering Details


Dashboards - Adding a Panel

1. Perform your

Search

2. Format your

Results

3. Create a

Panel


Alerting – Scheduled Searches

Using a Scheduled Search, you can set Alerts to trigger whenever the search

completes or when a certain condition is met.

Alert types include:

• Save to Index

• Script Action

• Email

• Webhooks

Blog Post: 2 Key Principles for Creating Meaningful Alerts

https://www.sumologic.com/2015/08/27/2-key-principles-creating-meaningful-alerts/


Saving and Scheduling an Alert

1. Save your Search

2. Schedule the

Search

3. Specify frequency and time

range

4. Specify Alert condition &

threshold

5. Specify Alert Type and details


Jumpstart with Apps


Installing Applications


Optimizing Your Search

Experience


Search Optimization Tools

How-To Webinar Recording: https://youtu.be/JNWbtws-sns

Partitions

Index data for searching over a smaller data set

Scheduled Views

Pre-aggregating data for fast counts/sums over longer time ranges

Field Extraction Rules

Parse the data on ingest rather than run-time; simplifies searches

Take advantage of interactive dashboard filters

https://youtu.be/JNWbtws-sns


Questions?

Consume Training

sumologic.com/training

Read Documentation

help.sumologic.com

Search/Post to Community

community.sumologic.com

Open a Support Case

support.sumologic.com

Log a Feature Request

sumologic.ideas.aha.io/ideas

http://sumologic.com/training

http://help.sumologic.com/

http://community.sumologic.com/

https://support.sumologic.com/

https://sumologic.ideas.aha.io/ideas


Thank you!

Sumo Logic quickStart Webinar June 2016

Software

Transcript of Sumo Logic quickStart Webinar June 2016