docs/search/behavior-insights/logcompare.md
17 additions & 16 deletions
@@ -4,6 +4,8 @@ title: LogCompare
4
4
description: LogCompare allows you to easily compare log data from different time periods to detect major changes or anomalies.
5
5
---
6
6
7
+
import useBaseUrl from '@docusaurus/useBaseUrl';
8
+
7
9
LogCompare allows you to easily compare log data from different time periods to detect major changes or anomalies. LogCompare runs a delta analysis that helps you troubleshoot and discover root causes.
8
10
9
11
For example, you could determine what was different right before a failure compared to the previous day or previous week. Or, you could easily check if a new release introduced a new issue by reviewing the difference in log streams across time.
@@ -40,7 +42,7 @@ LogCompare is an operator available in log searches. You can manually add it to
40
42
41
43
First, run a non-aggregate search, then the **LogCompare** button in the **Messages** tab can be quickly pressed to run the baseline (historical) query 24 hours in the past. However, you can easily change the baseline query time range by clicking the dropdown arrow to the right of the button.
***Time Shift** is the Time Shift of the Baseline Query, and it controls when the Baseline Query runs. If the Time Shift is -2d, that means that it will run for the exact Time Range duration (1 minute, in this query), but two days in the past.
After running a query with LogCompare your results are displayed in the **Signatures** tab of the Search page. You will have a table with **Count**, **Score**, **Actions**, and **Signature** columns.
The following table illustrates the way **Count** results are calculated. For example, if the baseline query returns signatures A, B, C, and D while the target includes A, B, D, and E signatures, your results would look like the following:
195
196
@@ -209,7 +210,7 @@ Using the **details** option launches a new query adding a unique signature ID
209
210
210
211
After running a LogCompare search, from the **Signatures** tab, you can view logs grouped together in a signature. To see the raw log data from signatures click the blue underlined number in the **Count** column. A new log search is opened with the details option set against the selected signature.
@@ -222,7 +223,7 @@ The **Score** column is calculated based on the significance of the change in
222
223
223
224
The value is calculated using a symmetric version of [Kullback-Leibler divergence score](https://en.wikipedia.org/wiki/Kullback%E2%80%93Leibler_divergence).
@@ -233,10 +234,10 @@ The following table explains the icons in the **Actions** column.
233
234
234
235
| Icon | Action |
235
236
|:---|:---|
236
-
|| Promote a signature if the data included in the signature is relevant. Once promoted the thumbs-up icon turns blue. |
237
-
|| Demote a signature if it's not relevant. Once demoted the thumbs-down icon turns blue. |
238
-
|| Split a signature into multiple signatures to see more granular results. You'll notice that fewer wildcard asterisks will appear. Instead, specific values are included in the signatures. After splitting, the newly split signatures are highlighted. |
239
-
|| Edit the signature. After editing, the signature is highlighted. |
237
+
|<img src={useBaseUrl('img/search/logcompare/promote.png')} alt="promote" style={{border: '1px solid gray'}} width="50" />| Promote a signature if the data included in the signature is relevant. Once promoted the thumbs-up icon turns blue. |
238
+
|<img src={useBaseUrl('img/search/logcompare/demote.png')} alt="demote" style={{border: '1px solid gray'}} width="50" />| Demote a signature if it's not relevant. Once demoted the thumbs-down icon turns blue. |
239
+
|<img src={useBaseUrl('img/search/logcompare/split.png')} alt="split" style={{border: '1px solid gray'}} width="50" />| Split a signature into multiple signatures to see more granular results. You'll notice that fewer wildcard asterisks will appear. Instead, specific values are included in the signatures. After splitting, the newly split signatures are highlighted. |
240
+
|<img src={useBaseUrl('img/search/logcompare/edit.png')} alt="edit" style={{border: '1px solid gray'}} width="50" />| Edit the signature. After editing, the signature is highlighted. |
240
241
241
242
### Signature
242
243
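Review bot: the four icon cells added in this hunk wrap each `<img>` in `style={{border: '1px solid gray'}}` at `width="50"`, while the matching icon table in influence-the-logreduce-outcome.md in the same commit adds the same 50px icons without the border; pick one treatment for the action icons so the two tables render alike. The alt texts (`promote`, `demote`, `split`, `edit`) are fine.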
@@ -276,4 +277,4 @@ When selecting the time range of your search, keep in mind:
276
277
277
278
By default, LogCompare email notifications provide details on the **Score**, **Count**, and **Signature**, as shown in the following email example. This is not configurable.
docs/search/behavior-insights/logexplain.md
3 additions & 1 deletion
@@ -4,6 +4,8 @@ title: LogExplain
4
4
description: Group by the keys of JSON or keyvalue logs.
5
5
---
6
6
7
+
import useBaseUrl from '@docusaurus/useBaseUrl';
8
+
7
9
The **LogExplain** operator allows you to compare sets of structured logs based on events you are interested in. Structured logs can be in JSON, CSV, key-value, or any structured format. Often logs relevant to troubleshooting and security insights are scattered among other logs that show the expected behavior and performance. These logs normally consist of different content, where it is helpful to see which values occur more often in events of interest versus normal operation logs. For example, events of interest often contain information relevant to persistent errors, excess load, and high latency.
8
10
9
11
You will need to specify an event of interest as a conditional statement, this is called the Event Condition. You can specify a condition to compare against the event-of-interest condition, this is called the Against Condition. If no Against Condition is provided, LogExplain will generate the comparison data set based on the fields in your Event Condition.
@@ -125,7 +127,7 @@ _sourceCategory=*cloudtrail*
125
127
126
128
Results show the relevance of each explanation:
127
129
128
-

130
+
<img src={useBaseUrl('img/search/behavior-insights/cloudtrail-example-logexplain.png')} alt="CloudTrail example with LogExplain" style={{border: '1px solid gray'}} width="800" />
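Review bot: the asset path in this hunk is `img/search/behavior-insights/cloudtrail-example-logexplain.png`, whereas every other image in this commit lives under `img/search/logcompare/` or `img/search/logreduce/`; double-check that the file is committed at that path, because a wrong `useBaseUrl` path shows up as a broken image at render time rather than as a build error. The removed line was blank, so nothing visible was dropped here.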
docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce.md
3 additions & 1 deletion
@@ -4,6 +4,8 @@ title: Detect Patterns with LogReduce
4
4
description: LogReduce groups messages with similar structures and common repeated text strings into signatures, providing a quick investigative view, or snapshot, for the keywords or time range provided.
5
5
---
6
6
7
+
import useBaseUrl from '@docusaurus/useBaseUrl';
8
+
7
9
The LogReduce® algorithm uses fuzzy logic and soft matching to group messages with similar structures and common repeated text strings into **signatures**, providing a quick investigative view, or snapshot, for the keywords or time range provided.
8
10
9
11
The **Signatures** tab displays LogReduce results as signatures. A signature is basically a reflection of the logs grouped by LogReduce—not all logs grouped in a signature will exactly match it. Within a signature, fields that vary are displayed with wildcard placeholders (`**********`) while other fields, such as timestamp (and some URLs) are ignored and replaced with placeholder variables such as `$DATE` and `$URL`.
@@ -30,7 +32,7 @@ The logreduce operator cannot be used with group-by functions such as "count b
30
32
* Rate the relevance of signatures by promoting or demoting them under the available **Actions**.
31
33
* Change signatures by clicking the pencil icon.
32
34
* Split signatures that should not be grouped by clicking on the split arrows.
33
-
* To export the results, click the **Export** icon. Then click **Download** to save the file to your computer.<br/>
35
+
* To export the results, click the **Export** icon. Then click **Download** to save the file to your computer.<br/><img src={useBaseUrl('img/search/logreduce/logreduceicons.png')} alt="Logreduce Icons" style={{border: '1px solid gray'}} width="800" />
34
36
1. Promote, Demote, Split, and Edit icons.
35
37
1. Undo and Redo icons.
36
38
1. Click to view messages for the selected signature.
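Review bot: the screenshot appended to the Export bullet has alt text `Logreduce Icons`, and the numbered callouts that follow it describe the Promote/Demote/Split/Edit, Undo/Redo and view-messages icons, i.e. the whole icon strip rather than the export step; consider placing the `<img>` after the closing bullet so the callout list sits directly under the image it annotates instead of under the last list item.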
docs/search/behavior-insights/logreduce/influence-the-logreduce-outcome.md
11 additions & 16 deletions
@@ -4,6 +4,7 @@ title: Influence the LogReduce Outcome
4
4
description: You can influence the algorithm by editing a signature to make the results more general, or see more granular results by splitting a signature.
5
5
---
6
6
7
+
import useBaseUrl from '@docusaurus/useBaseUrl';
7
8
8
9
The algorithm used for the LogReduce® operator uses fuzzy logic and soft matching to group messages with similar structures and common repeated text strings into **Signatures**, providing a quick investigative view, or snapshot, for the keywords or time range provided. LogReduce data is based on the data available to the algorithm during the time range of your search.
9
10
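Review bot: here the import is the only added line (`@@ -4,6 +4,7`), whereas the LogCompare, LogExplain, detect-patterns and logreduce-operator hunks in this commit also add a blank line after `import useBaseUrl from '@docusaurus/useBaseUrl';` (`@@ -4,6 +4,8`); add the blank line so the frontmatter / import / body spacing is the same across the set.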
@@ -13,26 +14,20 @@ The following icons allow you to change the results of a LogReduce report:
13
14
14
15
| Icon | Action |
15
16
| :-- | :-- |
16
-
|| Promote a signature to the top position of the **Signatures** tab. |
17
-
|| Demote a signature to move it to the bottom of the last page of the **Signatures** tab. |
18
-
|| Split a signature into multiple signature. |
19
-
|| Edit the signature. |
20
-
|| Undo the last action or step back through the history of changes. |
21
-
|| Redo the last action. Repeat to redo the history of undos. |
17
+
|<img src={useBaseUrl('img/search/logreduce/Promote.png')} alt="Promote" width="50" />| Promote a signature to the top position of the **Signatures** tab. |
18
+
|<img src={useBaseUrl('img/search/logreduce/Demote.png')} alt="Demote" width="50" />| Demote a signature to move it to the bottom of the last page of the **Signatures** tab. |
19
+
|<img src={useBaseUrl('img/search/logreduce/Split.png')} alt="Split" width="50" />| Split a signature into multiple signature. |
20
+
|<img src={useBaseUrl('img/search/logreduce/Edit.png')} alt="Edit" width="50" />| Edit the signature. |
21
+
|<img src={useBaseUrl('img/search/logreduce/Undo.png')} alt="Undo" width="50" />| Undo the last action or step back through the history of changes. |
22
+
|<img src={useBaseUrl('img/search/logreduce/Redo.png')} alt="Redo" width="50" />| Redo the last action. Repeat to redo the history of undos. |
22
23
23
24
## Promoting or Demoting a LogReduce Signature
24
25
25
26
Relevance is one factor in LogReduce, but it is a global factor. Members of your org can promote and demote signatures related to your Search.
26
27
27
28
To influence the relevance of signatures, select the **Signatures** tab and:
28
-
29
-
***Promote** a signature by clicking the Thumbs-Up icon for a signature to indicate to Sumo Logic that the data included in the signature is relevant to you. This feedback is taken into consideration when you run LogReduce the next time.
***Promote** a signature by clicking the Thumbs-Up icon for a signature to indicate to Sumo Logic that the data included in the signature is relevant to you. This feedback is taken into consideration when you run LogReduce the next time.<br/><img src={useBaseUrl('img/search/logreduce/LogReducePromote.png')} alt="LogReduce Promote" style={{border: '1px solid gray'}} width="800" />
30
+
***Demote** a signature by clicking the Thumbs-Down icon for a signature to indicate that this signature is not relevant to you.<br/><img src={useBaseUrl('img/search/logreduce/LogReduceDemote.png')} alt="LogReduce Demote" style={{border: '1px solid gray'}} width="800" />
36
31
37
32
If no one in your account has ever promoted or demoted a signature the default [relevance score](understand-the-logreduce-relevance-column.md) calculated by Sumo Logic is displayed. If you have never promoted or demoted a signature but someone else in your account has, then you will see the global setting for this signature. If you have promoted or demoted a signature, then you will see your personally calculated relevance score.
38
33
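Review bot: the Split row keeps the existing wording `Split a signature into multiple signature.`; since the line is being rewritten anyway, correct it to `multiple signatures`. Also, the `<img>` cells in this table omit the `style={{border: '1px solid gray'}}` that the same icons receive in logcompare.md in this commit; either add it here or drop it there so the two icon tables match.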
@@ -50,10 +45,10 @@ After you split a signature, the position of the signatures may move (one may ev
50
45
51
46
For example, in your Windows logs you've selected a signature to split. The Category shouldn't be generic; by splitting the signature you should get more specific results.
docs/search/behavior-insights/logreduce/logreduce-keys.md
2 additions & 1 deletion
@@ -4,6 +4,7 @@ title: LogReduce Keys
4
4
description: Group by the keys of JSON or keyvalue logs.
5
5
---
6
6
7
+
import useBaseUrl from '@docusaurus/useBaseUrl';
7
8
8
9
The **LogReduce Keys** operator allows you to quickly explore JSON or key-value formatted logs by schemas. If you have a large volume of JSON or key-value logs with different formats and aren't sure which ones you need to focus on, this operator can process them into their object schemas so you can review which ones are relevant to your needs.
docs/search/behavior-insights/logreduce/logreduce-operator.md
4 additions & 5 deletions
@@ -4,6 +4,8 @@ title: LogReduce Operator
4
4
description: The LogReduce Operator allows you to quickly assess activity patterns for things like a range of devices or traffic on a website.
5
5
---
6
6
7
+
import useBaseUrl from '@docusaurus/useBaseUrl';
8
+
7
9
:::important
8
10
The summarize operator has been renamed the LogReduce operator, to match the **LogReduce** button on the **Messages** tab. Both operators will continue to work in search queries as synonyms for a limited time. We recommend that you rewrite saved queries replacing summarize with logreduce.
9
11
:::
@@ -22,10 +24,7 @@ For information on how to interpret and influence the outcome of LogReduce resul
22
24
When you've already run a search query with non-aggregate results, you can use the **LogReduce** button in the **Messages** tab to automatically apply the LogReduce operator to the current results.
23
25
24
26
1. Run a search query with non-aggregate results.
25
-
1. In the **Messages** tab, the **LogReduce** button displays. Click it to automatically apply the LogReduce operator to your results.
1. In the **Messages** tab, the **LogReduce** button displays. Click it to automatically apply the LogReduce operator to your results.<br/><img src={useBaseUrl('img/search/logreduce/logreduce-button.png')} alt="Button" style={{border: '1px solid gray'}} width="400" />
29
28
1. The **Signatures** tab is displayed with your results.
30
29
31
30
### Rules
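Review bot: the `<img>` added to the second step has `alt="Button"`, which is not descriptive; use something like `alt="LogReduce button"` to match the other alt texts in this commit (for example `LogReduce Promote`) and so the text reads sensibly when the image cannot be shown.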
@@ -52,7 +51,7 @@ After running a LogReduce operation, from the **Signatures** tab, you can view
52
51
* Click the number in the **Count** column for a signature.
53
52
* Check the checkboxes in the **Select** column for any number of signatures and click the **View Details** button on the top right of the table.