Sumo Logic Query Examples and Usage Guide

2 min read 06-03-2025

Sumo Logic's query language provides a powerful way to analyze your log data. This guide offers several examples to help you master its capabilities, from basic searches to more complex queries. Understanding these examples will enable you to effectively extract insights from your data and improve your monitoring and troubleshooting processes.

Basic Queries: Getting Started

Let's begin with the fundamentals. A simple query involves specifying the field you want to search and the value you're looking for.

Example 1: Finding Specific Error Messages

Suppose you want to find all log entries containing the error message "Connection timed out." A basic query would look like this:

_sourceCategory="Application Logs" AND "Connection timed out"

This query searches within the Application Logs source category for lines containing the specified error message. The AND operator ensures both conditions must be met for a log entry to be included in the results.

Example 2: Filtering by Timestamp

You can also filter your results by time. Sumo Logic allows for flexible date and time specifications.

_sourceCategory="System Logs" AND _time>="2024-03-08T00:00:00" AND _time<="2024-03-08T23:59:59"

This query searches the System Logs source category for events occurring on March 8th, 2024. Note the use of ISO 8601 formatting for the timestamps.

Advanced Queries: Leveraging Sumo Logic's Capabilities

Sumo Logic's power lies in its advanced features. Let's explore some more complex query examples.

Example 3: Using Regular Expressions

Regular expressions (regex) allow for sophisticated pattern matching within your log data.

_sourceCategory="Application Logs" AND _message=~".*error code (100|200|300).*"

This query uses a regex to find log entries containing "error code" followed by 100, 200, or 300. The ~ operator signifies the use of a regular expression.

Example 4: Aggregating Data with Count and By

To summarize your data, use the count function along with by to group results.

_sourceCategory="Web Server Logs" | count by _sourceHost

This query counts the number of events from each host (_sourceHost) within the Web Server Logs source category, giving you a quick overview of activity per server.

Example 5: Using the fields Command for Data Extraction

The fields command allows you to extract and rename specific fields from your log events, making analysis easier.

_sourceCategory="Application Logs" | fields _time, host, level, message as logMessage

This query renames the message field to logMessage and keeps only _time, host, level, and the renamed message field in the results, dropping every other field from the output.
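To make the behaviour of Examples 1 through 5 concrete, here is an added Python example (not Sumo Logic's code, and not taken from the guide) that reproduces each query's semantics over a handful of constructed log records: source-category filtering, keyword matching, an inclusive ISO 8601 time window, regex matching, count by host, and field selection with a rename. The record layout and the sample messages are assumptions made for this example. One caveat it also demonstrates: the guide's regex ".*error code (100|200|300).*" has no boundary after the alternation, so it also matches "error code 1000"; the anchored variant below does not.

```python
import re
from collections import Counter

# Constructed sample records shaped like the fields a Sumo Logic query sees:
# built-in metadata (_sourceCategory, _sourceHost, _messageTime) plus the
# message body. All values are invented for this example.
SAMPLE_LOGS = [
    {"_sourceCategory": "Application Logs", "_sourceHost": "app-01",
     "_messageTime": "2024-03-08T10:15:02", "level": "ERROR",
     "message": "db pool: error code 100 while connecting"},
    {"_sourceCategory": "Application Logs", "_sourceHost": "app-02",
     "_messageTime": "2024-03-08T10:16:40", "level": "ERROR",
     "message": "upstream returned error code 300"},
    {"_sourceCategory": "Application Logs", "_sourceHost": "app-01",
     "_messageTime": "2024-03-08T11:02:11", "level": "WARN",
     "message": "retrying after error code 999"},
    {"_sourceCategory": "Application Logs", "_sourceHost": "app-02",
     "_messageTime": "2024-03-08T11:03:50", "level": "ERROR",
     "message": "vendor library: error code 1000 (unknown)"},
    {"_sourceCategory": "Application Logs", "_sourceHost": "app-01",
     "_messageTime": "2024-03-08T11:05:00", "level": "ERROR",
     "message": "Connection timed out"},
    {"_sourceCategory": "Web Server Logs", "_sourceHost": "web-01",
     "_messageTime": "2024-03-08T11:05:30", "level": "INFO",
     "message": "GET /login 200"},
    {"_sourceCategory": "Web Server Logs", "_sourceHost": "web-02",
     "_messageTime": "2024-03-08T11:06:00", "level": "INFO",
     "message": "GET /admin 403"},
    {"_sourceCategory": "Web Server Logs", "_sourceHost": "web-01",
     "_messageTime": "2024-03-09T00:00:01", "level": "INFO",
     "message": "GET / 200"},
]

# Guide's regex (Example 3) and an anchored variant that rejects "error code 1000".
PAGE_ERROR_CODE_RE = r".*error code (100|200|300).*"
ANCHORED_ERROR_CODE_RE = r"error code (100|200|300)\b"


def in_category(records, category):
    """_sourceCategory="..." : keep records from one source category."""
    return [r for r in records if r["_sourceCategory"] == category]


def contains(records, text):
    """Keyword term such as "Connection timed out": substring match, case-insensitive."""
    needle = text.lower()
    return [r for r in records if needle in r["message"].lower()]


def in_time_window(records, start_iso, end_iso):
    """Inclusive time window; ISO 8601 strings compare correctly as text."""
    return [r for r in records if start_iso <= r["_messageTime"] <= end_iso]


def matches_regex(records, pattern):
    """Regex filter over the message body (Example 3)."""
    rx = re.compile(pattern)
    return [r for r in records if rx.search(r["message"])]


def count_by(records, field):
    """| count by <field> : returns (value, _count) pairs, largest count first."""
    counts = Counter(r[field] for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def select_fields(records, field_names, renames=None):
    """| fields a, b, c as d : keep only the listed fields, renaming where asked."""
    renames = renames or {}
    return [{renames.get(f, f): r[f] for f in field_names} for r in records]


def connection_timeouts():
    """Example 1: timeouts in Application Logs."""
    return contains(in_category(SAMPLE_LOGS, "Application Logs"), "Connection timed out")


def error_code_hosts(pattern):
    """Example 3: hosts that logged a matching error code, in record order."""
    hits = matches_regex(in_category(SAMPLE_LOGS, "Application Logs"), pattern)
    return [r["_sourceHost"] for r in hits]


def web_events_per_host():
    """Example 4: events per host in Web Server Logs."""
    return count_by(in_category(SAMPLE_LOGS, "Web Server Logs"), "_sourceHost")


def application_fields():
    """Example 5: project _messageTime, _sourceHost, level and message (as logMessage)."""
    return select_fields(in_category(SAMPLE_LOGS, "Application Logs"),
                         ["_messageTime", "_sourceHost", "level", "message"],
                         {"message": "logMessage"})
```

Running these against real data means swapping SAMPLE_LOGS for records exported from a search; the point is that each helper corresponds to one clause of the guide's queries, so you can check what a query should return before trusting it on a live dashboard.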

Conclusion

These examples showcase the versatility of Sumo Logic's query language. Experiment with them and explore the full documentation to get the most out of your log data. Effective query construction is crucial for efficient monitoring, troubleshooting, and gaining valuable insights, and mastering Sumo Logic queries is key to effective log analysis.