*`window` is the range over which to calculate the moving average and standard deviation of the time series. `window` can be specified with time units (s, m, h), or it can be specified without time units. Default: 5m.
24
-
:::note
25
-
If you use `outlier` in the Classic Metrics UI, if you specify the `window` parameter without supplying a unit of time, the window duration applied will be in the units used in the [quantization](docs/metrics/introduction/metric-quantization.md) of the query.
23
+
*`window` is the range over which to calculate the moving average and standard deviation of the time series. `window` can be specified with time units (s, m, h), or it can be specified without time units. Default: 5m.
26
24
*`threshold` is the number of standard deviations from the moving average that defines the threshold band. Default: 3
27
-
*`direction` specifies what deviation direction should trigger violations: positive deviations (+), negative deviations (-), or both (+-). Default: +-
25
+
*`direction` specifies what deviation direction should trigger violations: positive deviations (`+`), negative deviations (`-`), or both (`+-`). Default: `+-`.
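Review bot: The `window` bullet added at new line 23 still says the value "can be specified without time units", but the note removed at old lines 24-25 was the only text saying which unit applies in that case (the quantization unit of the query, in the Classic Metrics UI). Either keep a one-sentence statement of the unit that a unitless `window` gets, or drop the unitless option from the bullet. The `:::note` opener is removed at old line 24, yet no closing `:::` appears among the removed lines; check that one is not left behind further down the file. Style: `direction` now has its values and default in backticks while `Default: 5m` and `Default: 3` do not; format the three bullets the same way.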
docs/search/get-started-with-search/search-basics/comments-search-queries.md
4 additions & 2 deletions
@@ -33,6 +33,8 @@ The following is a multi-line comment.
33
33
34
34

35
35
36
-
## Pro Tip: Sumo Logic App Queries as Examples
36
+
## Pro Tip: Leverage pre-built Sumo Logic app queries
37
37
38
-
Sumo Logic Apps are a great resource of example search queries. You can review and even [run searches from Sumo Logic Apps](/docs/get-started/apps-integrations#run-searches-from-sumo-logic-apps) without installing them. To view available Sumo Logic Apps, click the **Library** icon <img src={useBaseUrl('img/reuse/library-icon.png')} alt="Library icon" style={{border: '1px solid gray'}} width="30" /> at the top of the UI (**Library > Apps** in the classic UI). You can also [copy content from the Library](/docs/get-started/library), and use it as a starting point to create your own queries. When you do that, you can comment out the aggregation lines of the query and replace them with your own. You can also delete them of course, but commenting them out instead would make them available for reference later.
38
+
Sumo Logic apps are a great resource for example search queries. You can preview and even [run a Log Search a from Sumo Logic app](/docs/get-started/apps-integrations#run-searches-from-sumo-logic-apps) without installing it.
39
+
40
+
To view available Sumo Logic apps, click the **Library** icon <img src={useBaseUrl('img/reuse/library-icon.png')} alt="Library icon" style={{border: '1px solid gray'}} width="30" /> at the top of the UI (**Library > Apps** in the Classic UI). You can also [copy content from the Library](/docs/get-started/library), and use it as a starting point to create your own queries. When you do that, you can comment out the aggregation lines of the query and replace them with your own. You can also delete them of course, but commenting them out instead would make them available for reference later.
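Review bot: The link text added at new line 38 reads "run a Log Search a from Sumo Logic app", with a stray "a" and the article in the wrong place; it should read "run a Log Search from a Sumo Logic app". The rest of the hunk is a capitalization pass and a paragraph split, and the link targets are unchanged, so nothing else needs attention here.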
description: Processing rules filter and can forward data sent to Sumo Logic from a Source.
4
+
description: Use processing rules to filter and forward data sent from a source to Sumo Logic.
5
5
---
6
6
7
-
There are two user interfaces (UI) to create a Processing Rule, classic and new. The new interface is only available on certain Sources and is being released incrementally. Each UI is documented in a separate tab below.
7
+
This document describes how to create a processing rule.
8
8
9
-
<Tabs
10
-
className="unique-tabs"
11
-
defaultValue="new-ui"
12
-
values={[
13
-
{label: 'New UI', value: 'new-ui'},
14
-
{label: 'Classic UI', value: 'classic-ui'},
15
-
]}>
16
-
17
-
<TabItemvalue="new-ui">
18
-
19
-
## New interface for Hosted Collector Sources
20
-
21
-
You can add a processing rule to an existing Source or create a processing rule when you configure a new Source.
22
-
23
-
1. To create a processing rule for an existing Source, go to **Manage Data** > **Collection** > **Collection** and click **Edit** next to a Source. When configuring your new or existing Source, click the **\+ Add Filter** or **\+ Add****Action** text in the **Processing Rules** section.
24
-
25
-
* A filter is either an allowlist or denylist rule.
1. Once clicked, the configuration options are displayed.
30
-
31
-

9
+
You can add a processing rule to an existing Source or create one when you configure a new Source.
32
10
11
+
1. To create a processing rule for an existing Source, go to **Manage Data** > **Collection** > **Collection** and click **Edit** next to a Source. When configuring your new or existing Source, click the **\+ Add Filter** or **\+ Add****Action** text in the **Processing Rules** section.
12
+
* A filter is either an allowlist or denylist rule.
13
+
* An action is either a hash or mask rule.<br/>
14
+
1. Once clicked, the configuration options are displayed.<br/> 
33
15
1. Give a meaningful **Name** to your rule. Names can be up to 32 characters long.
34
16
1. Choose the **Type** of processing rule you'd like to create:
35
17
* Filters have the option to:
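Review bot: The step added at new line 11 carries over `**\+ Add****Action**`, where two bold runs are joined with no space between them, so the label will not render as "+ Add Action"; write it as a single `**+ Add Action**`. The new front-matter description at new line 4, "filter and forward data sent from a source to Sumo Logic", reads as if forwarding delivers data into Sumo Logic; the old wording kept forwarding as a separate capability, so something like "filter data sent to Sumo Logic from a Source, and optionally forward it" would be clearer. It also lower-cases "source" while new line 9 keeps "Source".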
@@ -39,58 +21,9 @@ You can add a processing rule to an existing Source or create a processing rule
39
21
*[Hash messages that match](hash-rules.md). Replace a message with a unique, randomly-generated code to protect sensitive or proprietary information. You may want to hash unique identifiers, such as credit card numbers or user names. By hashing this type of data, you can still track it, even though it is fully hidden.
40
22
*[Mask messages that match](mask-rules.md). Replace an expression with a mask string that you can customize—another option to protect data, such as passwords, that you'dn't normally track.
41
23
1. For **Filter**, type a regular expression that defines the messages you want to filter. The rule must match the whole message.
42
-
43
24
For multi-line log messages, to get the lines before and after the line containing your text, wrap the segment with **(?s).\*** such as: **(?s).\*matching text(?s).\***
44
-
45
25
:::note
46
-
Your regex must be [RE2 compliant.](https://github.com/google/re2/wiki/Syntax)
26
+
Your regex must be [RE2 compliant](https://github.com/google/re2/wiki/Syntax).
47
27
:::
48
-
49
-
1. To remove a filter or action click the trash can icon.
50
-
51
-

52
-
28
+
1. To remove a filter or action, click the trash can icon.<br/> 
53
29
1. When you are finished adding all the rules you need, click **Submit**.
54
-
55
-
</TabItem>
56
-
<TabItemvalue="classic-ui">
57
-
58
-
59
-
## Original interface
60
-
61
-
1. To create a processing rule for an existing Source, go to **Manage Data** > **Collection** > **Collection** and click **Edit** next to a Source. When configuring your new or existing Source, expand the **Processing Rules for Logs** section and then click **Add Rule**.
1. Give a meaningful **Name** to your rule. Names can be up to 32 characters long.
70
-
1. For **Filter**, type a regular expression that defines the messages you want to filter. The rule must match the whole message.
71
-
72
-
* For multi-line log messages, to get the lines before and after the line containing your text, wrap the segment with `(?s).` such as:`(?s).*matching text(?s).`
73
-
74
-
:::note
75
-
Your regex must be [RE2 compliant](https://github.com/google/re2/wiki/Syntax).
76
-
:::
77
-
78
-
1. Choose the **Type** of processing rule you'd like to create:
79
-
80
-
*[Exclude messages that match](include-and-exclude-rules.md). Remove messages that you do not want to send to Sumo Logic at all, think of it as a "denylist" filter. These messages are skipped after reaching the Source and are not uploaded to Sumo Logic.
81
-
*[Include messages that match](include-and-exclude-rules.md). Send only the data you'd like in your Sumo Logic account, think of it as an "allowlist" filter. This type of filter can be very useful when the list of log data you want to send to Sumo Logic is easier to filter than setting up exclude filters for all of the types of messages you'd like to exclude, for example, if you only want to include only messages coming from a firewall.
82
-
*[Hash messages that match](hash-rules.md). Replace a message with a unique, randomly-generated code to protect sensitive or proprietary information. You may want to hash unique identifiers, such as credit card numbers or user names. By hashing this type of data, you can still track it, even though it is fully hidden.
83
-
*[Mask messages that match](mask-rules.md). Replace an expression with a mask string that you can customize—another option to protect data, such as passwords, that you'dn't normally track.
84
-
* Forward messages that match. Send data from an Installed Collector Source to a selected non-Sumo location. This option is only available if you have configured a data forwarding destination. For more information, see [Forward Data from an Installed Collector](/docs/manage/data-forwarding/installed-collectors).
85
-
86
-
1. Click **Apply** to add the rule. Continue to add rules as needed.
87
-
88
-
1. When you are finished adding all the rules you need, click **Submit**.
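Review bot: The removed Classic UI block (old lines 56-88) held the only "Forward messages that match" bullet in this hunk, and the surviving list runs straight from Hash (new line 21) and Mask (new line 22) to "For **Filter**" (new line 23), so forwarding is no longer documented even though the new description says rules "filter and forward" data. Move that bullet, with its link to the data forwarding page, into the remaining **Type** list, or drop "forward" from the description. While this area is open, the context line at new line 22 still contains "that you'dn't normally track", which should be "wouldn't". The regex hint at new line 24 is set in bold with escaped asterisks, `**(?s).\*matching text(?s).\***`; code formatting would let readers copy it safely, and the second `(?s)` is redundant because the flag stays in effect once set.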