sumo logic quickstart webinar 06/03/15: how to analyze all your machine data
TRANSCRIPT
Sumo Logic QuickStart Training
June 3, 2015. Latimer Luis, Customer Outreach Manager
Sumo Logic Confidential

Agenda
– Introduction
– Updating Preferences
– Searching and Parsing Data
– Basic Dashboards and Visualizations
– Additional Analytics
– Q&A

– All participants are muted
– Feel free to ask questions using the GoToWebinar panel
– Slides and recording will be shared
The Sumo Logic Difference
– Cloud: simple to deploy, no maintenance required
– Elastic scalability: horsepower to process all your machine data
– Pattern recognition with LogReduce™: finding the unknown
– Real-time analytics: critical insights in real time
Security Matters To Us
Compliance and Certifications:
– PCI/DSS 3.0 Service Provider Level 1 Certified
– SOC 2, Type 2 attestation
– HIPAA Compliance
– FIPS-140 Compliance
– U.S.-EU & U.S.-Swiss Safe Harbor Framework
We are thoroughly audited, in addition to AWS security.
Resource: https://www.sumologic.com/resource/white-paper/securing-the-sumo-logic-service/
Logs and the Enterprise
– Custom App Code
– Server / OS
– Virtualization
– Databases
– Network
– Open Source Software
– Middleware
Metadata Fields
Metadata tags are associated with your log messages when data is collected (on ingest), according to the source/collector configuration.

Name             Description
_collector       Name of the collector when installed
_source          Name of the source defined during configuration
_sourceHost      The host name of the source
_sourceCategory  Category designation of the source
_sourceName      The name of the log file (including path)

– Metadata should be used with keyword search; prefix a field name with an underscore to invoke it
– _sourceCategory allows you to search horizontally across collectors
Source Category
Simplifies search syntax and scope definitions, and helps with other features of the Sumo service:
– Role-Based Access Control (data provisioning)
– Partitioning (search optimization)
Adopting a good naming convention is key: start with the most generic descriptors on the left, e.g.
– Prod/Sumo/Apache/Access → Env/Customer/Device/LogType
– OS/Windows/2012/messages → Device/Vendor/Version/LogType
Search Syntax Flow
Enter keywords and operators (separated by |) that build on top of each other:
Keyword Identification → Data Classification → Actions and Operations → Display Configuration → Desired Results
Keyword Expression
Full-text search expressions enable you to search for multiple terms and logical expressions:
– Case insensitive
– Wildcard support
– Metadata fields
– Boolean logic
  • Complete (AND/OR)
  • Implicit AND
Time Range
The data available to your search request is determined by the selected time range.
– Pre-populated: Last 15 Minutes, Last 3 Hours, Today
– Absolute: 12:25 12:30; 8/11 12:00 8/11 13:00
– Relative: -5m; -2h; -2h -1h
Example 1
Combination of boolean logic, wildcards and metadata:
(Error* OR fail* OR except*) AND _sourceCategory=*apache*
Example 2
Exact string matching (a quoted phrase, negated here with !):
(_sourceCategory=Apache/Access AND !"Macintosh; Intel Mac OS X 10_6_8") AND *GET
Looking for the Unknown
LogReduce uses fuzzy logic and soft matching to cluster messages, providing a quick investigation view into your environment.
(Error OR fail*) | summarize
– Result sets
– Influencing the outcome
Looking for the Known – Outlier
Identify unexpectedly high or low values:
… | timeslice 1m | count by _timeslice | outlier _count
– Timeslices are required
– Adjustable variables allow you to get the right sensitivity:
  • Threshold – number of rolling stddev above/below the moving average (default: 3)
  • Consecutive – number of consecutive points above/below the threshold to trigger (default: 1)
  • Direction – detect high values, low values or both (default: both)
  • Window – number of trailing timeslices used to calculate (default: 10)
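As an added example, not from the webinar and not Sumo Logic's own code, the following Python models the four outlier parameters on this slide over a constructed per-minute count series; the trailing-window baseline, the full-window warm-up and the direction labels "up"/"down"/"both" are assumptions of this example.

```python
from dataclasses import dataclass
from statistics import fmean, pstdev

@dataclass
class OutlierParams:
    """The four knobs listed on the slide, with the slide's defaults."""
    threshold: float = 3.0   # rolling stddevs above/below the moving average
    consecutive: int = 1     # points in a row outside the band before a trigger
    direction: str = "both"  # "up", "down" or "both" (labels chosen for this example)
    window: int = 10         # trailing timeslices used to calculate the baseline

def outliers(counts, p=OutlierParams()):
    """Return indices of the timeslices flagged as outliers.

    Model of `... | timeslice 1m | count by _timeslice | outlier _count`: each point is
    compared with the mean and population stddev of the `window` points before it (the
    point itself is excluded so a spike cannot inflate its own baseline), and no point is
    judged until a full window of history exists. These are this example's assumptions
    about the operator, not a description of Sumo Logic's implementation.
    """
    flagged, streak = [], 0
    for i in range(p.window, len(counts)):
        hist = counts[i - p.window:i]
        mean, band = fmean(hist), p.threshold * pstdev(hist)  # sd == 0 flags any deviation
        high = counts[i] > mean + band and p.direction in ("up", "both")
        low = counts[i] < mean - band and p.direction in ("down", "both")
        streak = streak + 1 if (high or low) else 0
        if streak >= p.consecutive:
            flagged.append(i)
    return flagged

# Constructed per-minute counts of failed logins: a steady baseline, then a burst.
BASELINE = [4, 5, 4, 6, 5, 4, 5, 5, 6, 4]

def demo():
    series = BASELINE + [30, 40, 5]
    return {
        "default": outliers(series),                                     # [10, 11]
        "two_in_a_row": outliers(series, OutlierParams(consecutive=2)),  # [11]
        "drops_only": outliers(series, OutlierParams(direction="down")), # []
    }

if __name__ == "__main__":
    for name, idx in demo().items():
        print(f"{name}: outlier timeslices at {idx}")
```

Raising `consecutive` trades a slower trigger for fewer one-off alerts, and `direction="down"` is the setting to use when a sudden silence (a log source going quiet) is the condition of interest.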
Extracting Additional Labels/Fields
Parsing enables a user to extract parts of a message and classify them as fields:
– A specific key/value you want to extract
– Enables you to perform additional operations
  • Logical/conditional – based on values
  • Mathematical – operations on value sets
Ways of defining fields:
– Parse anchor: leverages start and stop anchors
– Parse regex: extracts nested information via regex field extraction
The count Operator
The count operator enables you to group messages that match a classification.
– No group: provides a total message count
  • Ex: * | count
  • Ex: * | count as mycount
Leveraging Metadata for Grouping
Dissecting your result sets using metadata fields:
– Aggregate result sets and group them by metadata fields
  • Ex: _collector=*apache* | count by _sourceCategory
– Get a count of grouped result sets
  • Ex: (Error OR fail*) | count by _sourceCategory, _sourceHost
– Organize results by count
  • Ex: _collector=*apache* | count by _sourceCategory | sort by _count
Time-based Grouping
The timeslice operator enables you to segment your results by time buckets:
– Minute (timeslice by 5m)
– Hour (timeslice by 1h)
– Day (timeslice by 1d)
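The parse, metadata-wildcard, count by and timeslice operators from the preceding slides, modeled in Python as an added example that is not part of the webinar or of Sumo Logic's code; the log lines, the metadata values and the `_messageTime` field name are constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime
LOGS = [  # constructed sample messages with the ingest-time metadata fields from the slides
    ("Prod/Web/Apache/Access", "web-02", "2015-06-03T10:03:45Z",
     '10.0.0.9 - - [03/Jun/2015:10:03:45 +0000] "POST /login HTTP/1.1" 401 231'),
    ("Prod/Web/Apache/Access", "web-02", "2015-06-03T10:04:59Z",
     '10.0.0.9 - - [03/Jun/2015:10:04:59 +0000] "POST /login HTTP/1.1" 401 231'),
    ("Prod/Web/Apache/Error", "web-01", "2015-06-03T10:05:02Z",
     "[Wed Jun 03 10:05:02 2015] [error] client denied by server configuration"),
    ("Prod/Web/Apache/Access", "web-01", "2015-06-03T10:06:30Z",
     '10.0.0.9 - - [03/Jun/2015:10:06:30 +0000] "GET /admin HTTP/1.1" 403 199'),
]
RECORDS = [dict(_sourceCategory=c, _sourceHost=h, _messageTime=t, _raw=m) for c, h, t, m in LOGS]

def wildcard_match(value, pattern):
    """Case-insensitive metadata match; * stands for any run of characters (e.g. *apache*)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def parse_anchor(raw, start, stop):
    """Parse-anchor style extraction: the text between a start anchor and the next stop anchor."""
    i = raw.find(start)
    j = raw.find(stop, i + len(start)) if i >= 0 else -1
    return raw[i + len(start):j] if j >= 0 else None

def parse_regex(raw, pattern):
    """Parse-regex style extraction: each named group becomes a field."""
    m = re.search(pattern, raw)
    return m.groupdict() if m else {}

def timeslice(iso_ts, minutes):
    """Floor a message timestamp to its bucket, like `timeslice 5m`; returns the bucket start."""
    t = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%SZ")
    t = t.replace(minute=t.minute - t.minute % minutes, second=0)
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def count_by(records, *fields):
    """`count by f1, f2`: number of records per distinct combination of field values."""
    return Counter(tuple(r.get(f) for f in fields) for r in records)

ACCESS_RE = r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
def status_by_timeslice(records=RECORDS):
    """_sourceCategory=*Apache/Access* | parse regex ACCESS_RE | timeslice 5m | count by _timeslice, status"""
    rows = []
    for r in records:
        fields = parse_regex(r["_raw"], ACCESS_RE)  # records that do not match the regex are dropped
        if wildcard_match(r["_sourceCategory"], "*Apache/Access*") and fields:
            rows.append({**fields, "_timeslice": timeslice(r["_messageTime"], 5)})
    return count_by(rows, "_timeslice", "status")
```

The error-log record is excluded twice over: its source category fails the wildcard, and the access-log regex does not match it, which is why the same filtering applied at ingest via a field extraction rule keeps the search itself short.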
Providing Context through Visualization
Now that you have grouped your data, there are different ways of displaying your result sets, selected via the chart icons:
– Table
– Pie
– Bar
– Line
– Area
Introduction to Dashboards
Dashboards contain a collection of real-time panels that provide a graphical representation of your data:
– Each panel processes messages as they are received
– Drilldown for additional analysis
– Choose from several chart types
Dashboard: Adding a Panel
1. Perform the search
2. Click to add the search as a panel in a dashboard
Performance Features
– Partitions: a separate index for searching over a smaller data set
– Scheduled Views: pre-aggregating data for lightning-fast counts/sums over longer time ranges
– Field Extraction Rules: parse the data on ingest rather than at run time, remove parsing statements from your search, and refine your search at the top level with field=foo
Please consult the documentation and reach out to customer-[email protected] for further guidance.
Engage With The Sumo Logic Community
– Post and respond to questions
– Submit feature requests (and vote on others)
– Submit "tips and tricks" based on what you learn
Click on the Community section at https://support.sumologic.com/home
Request help via Support after consulting the Community.
Don't Forget
– Search our docs for more detail
– Consider Professional Services offerings: in-depth training; integration and use case development
– Contact your sales rep or support for details
customer-[email protected]