This document provides tips for monitoring and reacting to errors in SumoLogic. It lists some example error messages and recommends starting with New Relic to view counts and metrics of errors. It then discusses using the SumoLogic Data Explorer to group errors by message or type, plot them by host or duration, and look for null values in fields to find the root cause of issues. The document stresses starting simple with exploratory queries before introducing filters and parsing sensitive data for contextual queries.
2. • Error Messages Examples: how to react to a sudden error spike or to a
new error message?
Start with New Relic first!
.-'The operation was canceled.'
.-'Session has expired'
.-'Second Last FailerAttempts for Retail users'
.-'Profile name must be unique within an account'
.-'A task was canceled'
.-'Object reference not set to an instance of an object.'
.-'Missing token.'
.-'Method Not Allowed'
.-'Invalid registration code'
.-'Invalid PercentageCompleted, 0-100 is only valid.'
"You must provide a email address, emailAddress provided : null"
3. • Go to INSIGHTS -> Accounts Dashboards -> Counters&Metrics.
• For example: "You must provide a email address, emailAddress provided : null"
Keep an eye on…
4. • If you don’t like the dashboard …………
• Would you like to get a second opinion?
• Go to: INSIGHTS -> DATA EXPLORER
Do you fancy a better place to go…?
Set up Data Explorer and TIME.
5. • Go to: Group by -> Transaction Detail -> (use Error Message or Error Type)
How Did We Get Here?
6. • PLOT it by STRING ->Hosts
• PLOT it by NUMERIC -> Duration -> Number of Transaction Events.
Available Options
7. Going back to the original example
"You must provide a email address, emailAddress provided : null"
8. Let’s Sumo: Start simple…
• Do a first exploratory query of 5 to 15 minutes. Pause it if necessary.
• Introduce a Source_Category or a SourceHost according to the initial
query.
• Start a longer query from 24 hours to 3 days for example.
9. • Display FIELDS and look for NULL VALUES… Example: "deviceTypeName=PS4"
Where to get the juice?
_sourceCategory="soa-prod-aws-us-east-1-gladprod" AND ("deviceTypeName=PS4")
// | where isNull(ssl)
| where isNull(%"sc_win32_status")
| where isNull(sc_status)
| where isNull(sc_substatus)
| where isNull(sc_bytes)
| where isNull(date)
| where isNull(cs_version)
| where isNull(cs_useragent)
// | where isNull(cs_uri_stem)
| where isNull(cs_uri_query)
| where isNull(cs_referer)
| where isNull(cs_method)
| where isNull(cs_host)
| where isNull(cs_cookie)
| where isNull(cs_bytes)
| where isNull(c_ip)
10. • Once you discover meaningful data then point to the specific field
introducing this sentence in your SumoLogic Query: | fields sc_status
• You can PARSE to catch sensitive information and then COUNT it as
you want to present it in order to highlight the CONTEXT of your query.
• Now you are ready to go to DATADOG……..
How to close the loop?
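
Added example, not part of the original slides: one Sumo Logic query that carries steps 8 to 10 through for the "emailAddress provided : null" message, counting per-field nulls side by side and reducing the parsed e-mail value to a state so addresses never appear in the results. It assumes the message text appears verbatim in the raw log and that these events carry the same extracted fields as the null-check query above; the output names (email_state, *_nulls) are made up for illustration.

```sumologic
// Scope: the slides' source category plus the error text as a keyword phrase.
// Assumption: the phrase appears verbatim in the raw log line.
_sourceCategory="soa-prod-aws-us-east-1-gladprod"
  AND "You must provide a email address"

// Capture whatever follows the anchor. Lines without the anchor are dropped,
// which is acceptable here because the keyword already selects this message.
| parse "emailAddress provided : *" as provided_email

// Reduce the captured value to a state so that real addresses are never
// shown in the result table or exported with it.
| if(provided_email matches "null*", "null", "value present") as email_state

// Flag each candidate field on its own. Chained "where isNull(...)" clauses
// only keep events where every listed field is null at the same time;
// independent flags show which field is missing and how often.
| if(isNull(sc_status), 1, 0) as sc_status_null
| if(isNull(cs_useragent), 1, 0) as cs_useragent_null
| if(isNull(cs_cookie), 1, 0) as cs_cookie_null
| if(isNull(c_ip), 1, 0) as c_ip_null

// Bucket by hour so a spike is visible, and split by host to see whether
// the problem is confined to one server.
| timeslice 1h
| count as events,
  sum(sc_status_null) as sc_status_nulls,
  sum(cs_useragent_null) as cs_useragent_nulls,
  sum(cs_cookie_null) as cs_cookie_nulls,
  sum(c_ip_null) as c_ip_nulls
  by _timeslice, _sourceHost, email_state
| sort by _timeslice asc
```

Run it first over 5 to 15 minutes as the slides recommend, then widen the time range once the counts look meaningful.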