Video: https://www.sumologic.com/online-training/#QuickStart
Brand new to Sumo Logic?
Get started with these 5 easy steps. Learn how to capitalize on critical capabilities that can amplify your log analytics and monitoring experience while providing you with meaningful business and IT insights.
Sumo Logic Quick Start - Sep 2017
1. Sumo Logic Confidential
QuickStart Webinar
Getting Started with Sumo Logic
Welcome!
Note you are currently muted. We will get started shortly.
Mario Sánchez
September 2017
Slide 2
5 Steps to Get Started
1. How does Sumo Logic help me?
2. What data is available so I can analyze?
3. How can I search, parse and analyze my data?
4. How can I monitor my trends and critical events?
5. Where do I go from here?
Slide 4
Logs and Metrics – Troubleshooting Demo
ALERT notifies of a critical event
METRICS to identify what's going on
LOGS to identify why it's happening
Slide 6
Data Collection
• Cloud-to-cloud
• Centralized
• Local Data
Learn more: Setting Up Sumo Logic
Slide 7
Data Collection – Metadata
Metadata tags are associated with each log message that is collected. Values are set through collector and source configuration.

Tag              Description                                        Example
_collector       Name of the collector (defaults to hostname)       prod_us_collector
_source          Name of the source this data came through          apache_access
_sourceHost      Hostname of the server (defaults to hostname)      prod_eu_webserver5
_sourceName      Name and path of the log file                      /var/log/httpd/apache/access*.log
_sourceCategory  Can be freely configured; the main metadata tag    prod/apache/access
Slide 9
What Data has been collected?
Explore your Collectors: navigate to Manage >> Collection
or
Search for Source Categories: * | count by _sourceCategory
Slide 11
Data Analytics – Published Content
Has someone already analyzed this same data?
Search the Org for published content
Slide 12
Data Analytics – Sumo Logic Apps
Is there an App for it?
Search in the App Catalog and install it.
Slide 13
Data Analytics – Search, Parse and Analyze
Keywords and operators, separated by pipes, that build on top of each other
Syntax:
metadata + keywords | parse | filter | aggregate | sort | limit
Example:
_sourceCategory=Labs/Github AND "committer"
| parse " *@* " as user, domain
| where domain="sumologic.com"
| count by user
| sort by user
| limit 5
Slide 14
Data Analytics – Search, Parse and Analyze
Metadata
metadata + keywords | parse | filter | aggregate | sort | limit
Time Range
Keywords
• Case insensitive
• Wildcard support
• Boolean Logic
Example:
_sourceCategory=apache/access AND !(success*)
Slide 15
Data Analytics – Search, Parse and Analyze
Structure your logs by extracting the key fields
Anchor Parse Example:
| parse " *@* " as user, domain
Regex Parse Example:
| parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
Other Parse Operators: csv, json, keyvalue, split, xml
Learn more: Parse Operators
metadata + keywords | parse | filter | aggregate | sort | limit
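As an added illustration (not code from the deck or from Sumo Logic), this Python emulates the "metadata + keywords | parse | filter | aggregate | sort | limit" pipeline from the Labs/Github example and the anchor and regex parse operators on this slide, run over constructed sample messages. The anchor-to-regex translation and the sample lines are assumptions made here to show what each stage keeps and drops.

```python
import re
from collections import Counter

# Constructed sample messages, modelled on the Labs/Github "committer" example.
GITHUB_LINES = [
    'committer alice@sumologic.com pushed to main',
    'committer bob@example.org pushed to dev',
    'committer alice@sumologic.com opened pull request 12',
    'committer carol@sumologic.com pushed to main',
    'reviewer dave@sumologic.com approved pull request 12',  # lacks the keyword
]

def anchor_to_regex(pattern):
    """Turn an anchor pattern (literal text with * wildcards) into a regex:
    literals are escaped and each * becomes a non-greedy capture group."""
    return re.compile('(.*?)'.join(re.escape(p) for p in pattern.split('*')))

def anchor_parse(pattern, line):
    """Equivalent of `| parse "<pattern>" as f1, f2, ...`; None if no match."""
    m = anchor_to_regex(pattern).search(line)
    return m.groups() if m else None

# Regex parse from the deck, with the backslashes the slide lost; Python
# spells the named group (?P<name>...) where Sumo Logic writes (?<name>...).
SRC_IP_RE = re.compile(r'^(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})')

def parse_src_ip(line):
    """Equivalent of `| parse regex "^(?<src_ip>...)"`; None if no match."""
    m = SRC_IP_RE.search(line)
    return m.group('src_ip') if m else None

def committers_pipeline(lines, keyword='committer', domain='sumologic.com', limit=5):
    """keyword | parse " *@* " as user, domain | where domain=<domain>
    | count by user | sort by user | limit <limit>"""
    counts = Counter()
    for line in lines:
        if keyword.lower() not in line.lower():   # keywords are case insensitive
            continue
        fields = anchor_parse(' *@* ', line)
        if fields is None:                        # parse drops non-matching messages
            continue
        user, dom = fields
        if dom == domain:                         # | where domain="sumologic.com"
            counts[user] += 1                     # | count by user
    return sorted(counts.items())[:limit]         # | sort by user | limit 5

if __name__ == '__main__':
    print(committers_pipeline(GITHUB_LINES))   # [('alice', 2), ('carol', 1)]
    print(parse_src_ip('203.0.113.7 - - [01/Sep/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512'))
```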
Slide 16
Data Analytics – Search, Parse and Analyze
metadata + keywords | parse | filter | aggregate | sort | limit
Structure your logs by extracting the key fields
where operator example:
| where !(status_code=304)
in operator example:
| if (status_code in ("501", "502"), "Error", "OK") as code_type
Other Filter Operators: join, lookup, matches, in, isBlank, isEmpty, isNull
Learn more: Filter operator example
Slide 17
Data Analytics – Search, Parse and Analyze
metadata + keywords | parse | filter | aggregate | sort | limit
Evaluate messages and place them into groups
avg operator example:
| avg(size) by src_ip
count operator example:
| count by src_ip
Other Aggregation Operators: sum, count_distinct, stddev, pct, min, max
Learn more: Aggregation operators
Slide 18
Data Analytics – Search, Parse and Analyze
Noteworthy Operators in your Tool Set
Geo Lookup:
_sourceCategory=Labs/Apache/Access
| parse "* - -" as src_ip
| lookup latitude, longitude from geo://default on ip=src_ip
| count by latitude, longitude
Outlier:
_sourceCategory=Labs/Apache/Access and status_code=404
| timeslice 1m
| count(status_code) as server_error_count by _timeslice
| outlier server_error_count
Predict:
_sourceCategory=Labs/Apache/Access
| timeslice 5m
| count as requests by _timeslice
| predict requests by 5m forecast=10
Slide 19
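Added example, not from the deck: a Python emulation of the Outlier query above (timeslice the 404s per minute, then flag an abnormal minute) over constructed apache-style log lines. The z-score rule in outlier() is a simplification assumed here, not Sumo Logic's own algorithm.

```python
import re
from datetime import datetime, timedelta
from statistics import mean, pstdev

def make_lines():
    """Constructed apache-style access log lines (not real data): two 404s per
    minute for 20 minutes, with a burst of 30 in minute 7."""
    base = datetime(2017, 9, 1, 10, 0, 0)
    lines = []
    for minute in range(20):
        for i in range(30 if minute == 7 else 2):
            ts = base + timedelta(minutes=minute, seconds=i)
            lines.append(f'203.0.113.7 - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] '
                         f'"GET /missing{i} HTTP/1.1" 404 0')
    return lines

# Timestamp and status code from the common log format.
ACCESS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\] "[^"]*" (\d{3})')

def timeslice_count(lines, minutes=1, status_code='404'):
    """status_code=404 | timeslice <minutes>m
    | count(status_code) as server_error_count by _timeslice"""
    counts = {}
    for line in lines:
        m = ACCESS_RE.search(line)
        if not m or m.group(2) != status_code:
            continue
        ts = datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S')
        slice_start = ts.replace(second=0) - timedelta(minutes=ts.minute % minutes)
        counts[slice_start] = counts.get(slice_start, 0) + 1
    return dict(sorted(counts.items()))

def outlier(series, threshold=3.0):
    """Simplified stand-in for | outlier (assumption: flag any slice whose count
    lies more than `threshold` standard deviations from the mean of the whole
    series; Sumo Logic's operator evaluates a trailing window instead)."""
    values = list(series.values())
    mu, sigma = mean(values), pstdev(values)
    return {ts: v for ts, v in series.items() if sigma and abs(v - mu) > threshold * sigma}

if __name__ == '__main__':
    for ts, count in outlier(timeslice_count(make_lines())).items():
        print(f'{ts:%Y-%m-%d %H:%M} server_error_count={count} is an outlier')
```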
Data Analytics – Search, Parse and Analyze
Noteworthy Operators in your Tool Set
LogReduce: find the "needle in the haystack" by identifying patterns
LogCompare: compare today's patterns with patterns in the past
Slide 20
Data Analytics – Search, Parse and Analyze
Get real time view of your logs with Live Tail
Slide 22
Monitoring - Dashboards
• Each Panel processes results from a single search
• Drill down into the corresponding query or link to another Dashboard
• Live Mode: provides a live stream of data
• Use Dashboards as templates with Filters
Slide 23
Monitoring - Alerts
Scheduled Searches trigger Alerts when a condition is met.
• Alert Types:
– Email
– Webhook
– Save to Index
– Script Action
Learn More: 2 Key Principles for Creating Meaningful Alerts
Slide 25
Technical Resources
Learn
Explore the tutorials
Reference technical docs
Attend or review training webinars
Find answers or post questions to Community
Open a Support case
Log a Feature Request
Find out What’s New
To prep:
1. Open Training instance, open queries under
Today I’m going to walk you through a demo which will show you how a unified Logs and Metrics solution can reduce your troubleshooting time.
1. First, we’ll use our Alerting capabilities to notify a user of a critical event
2. The Alert will direct us to a Metrics dashboard that helps us identify WHAT is going on
3. Lastly, I’ll dive into the relevant logs to Identify WHY this is happening
Let’s jump right into it.
Sumo Logic Data Flow is broken into 3 main areas:
Data Collection through configurable Collectors and Sources. Collectors collect, compress, cache and encrypt the data for secure transfer.
Search and Analyze – Users can run searches and correlate events in real-time across the entire application stack. We will be spending most of our time in this area during this webinar, as this is most likely what you will first be doing as a new user.
Visualize and Monitor – Users can create custom dashboards to monitor their data in real time. Custom alerts notify you when specific events are identified across your stack.
I will cover Data Collection at a high-level, and cover the next 2 areas through a demo.