diff --git a/docs/search/behavior-insights/logcompare.md b/docs/search/behavior-insights/logcompare.md
index 2fa7793bba..d5f23b6c4e 100644
--- a/docs/search/behavior-insights/logcompare.md
+++ b/docs/search/behavior-insights/logcompare.md
@@ -4,6 +4,8 @@ title: LogCompare
description: LogCompare allows you to easily compare log data from different time periods to detect major changes or anomalies.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
LogCompare allows you to easily compare log data from different time periods to detect major changes or anomalies. LogCompare runs a delta analysis that helps you troubleshoot and discover root causes.
For example, you could determine what was different right before a failure compared to the previous day or previous week. Or, you could easily check if a new release introduced a new issue by reviewing the difference in log streams across time.
@@ -40,7 +42,7 @@ LogCompare is an operator available in log searches. You can manually add it to
First, run a non-aggregate search, then the **LogCompare** button in the **Messages** tab can be quickly pressed to run the baseline (historical) query 24 hours in the past. However, you can easily change the baseline query time range by clicking the dropdown arrow to the right of the button.
-
+
Once clicked, a new search is opened with the `logcompare` operator and the specified `timeshift` added to your query, for example:
@@ -50,17 +52,17 @@ Once clicked, a new search is opened with the `logcompare` operator and the spec
A new tab labeled **Signatures** is provided with the compared results.
-
+
#### Custom option
Click the dropdown arrow next to the **LogCompare** button and select **Custom**.
-
+
In the **Custom LogCompare** dialog, you can specify the target and baseline query independently, including their time ranges.
-
+
* **Baseline Query** is your historical query.
* **Time Shift** is the Time Shift of the Baseline Query, and it controls when the Baseline Query runs. If the Time Shift is -2d, that means that it will run for the exact Time Range duration (1 minute, in this query), but two days in the past.
@@ -166,14 +168,13 @@ error | logcompare timeshift -1d
After running a query with LogCompare your results are displayed in the **Signatures** tab of the Search page. You will have a table with **Count**, **Score**, **Actions**, and **Signature** columns.
-
-
+
### Count
**Count** is the number of raw logs that were clustered into the signature from the target query.
-
+
The **count** column shows the following:
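Review bot: two image lines are removed here but only one is added back (the `-`, `-`, `+` run above `### Count`); confirm the second screenshot of the Signatures table was dropped on purpose and not lost while converting to `useBaseUrl`, since the surrounding text ("You will have a table with **Count**, **Score**, **Actions**, and **Signature** columns") still reads as if a full-width example follows.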
@@ -185,11 +186,11 @@ You will see that some clusters are **new** and some are **gone** especially i
New signatures have their column highlighted:
-
+
Gone signatures look like the following:
-
+
The following table illustrates the way **Count** results are calculated. For example, if the baseline query returns signatures A, B, C, and D while the target includes A, B, D, and E signatures, your results would look like the following:
@@ -209,7 +210,7 @@ Using the **details** option launches a new query adding a unique signature ID
After running a LogCompare search, from the **Signatures** tab, you can view logs grouped together in a signature. To see the raw log data from signatures click the blue underlined number in the **Count** column. A new log search is opened with the details option set against the selected signature.
-
+
Details option syntax:
@@ -222,7 +223,7 @@ The **Score** column is calculated based on the significance of the change in
The value is calculated using a symmetric version of [Kullback-Leibler divergence score](https://en.wikipedia.org/wiki/Kullback%E2%80%93Leibler_divergence).
-
+
### Actions
@@ -233,10 +234,10 @@ The following table explains the icons in the **Actions** column.
| Icon | Action |
|:---|:---|
-|  | Promote a signature if the data included in the signature is relevant. Once promoted the thumbs-up icon turns blue. |
-|  | Demote a signature if it's not relevant. Once demoted the thumbs-down icon turns blue. |
-|  | Split a signature into multiple signatures to see more granular results. You'll notice that fewer wildcard asterisks will appear. Instead, specific values are included in the signatures. After splitting, the newly split signatures are highlighted. |
-|  | Edit the signature. After editing, the signature is highlighted. |
+|
| Promote a signature if the data included in the signature is relevant. Once promoted the thumbs-up icon turns blue. |
+|
| Demote a signature if it's not relevant. Once demoted the thumbs-down icon turns blue. |
+|
| Split a signature into multiple signatures to see more granular results. You'll notice that fewer wildcard asterisks will appear. Instead, specific values are included in the signatures. After splitting, the newly split signatures are highlighted. |
+|
| Edit the signature. After editing, the signature is highlighted. |
### Signature
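Review bot: in the rendered diff each replacement row of the Actions table appears as a bare `+|` line followed by `| Promote a signature ...` on the next line; if that split is real in the source rather than the viewer wrapping a long icon cell, the Markdown table will not render, because a row must be a single line of the form `| <icon> | Promote a signature ... |`. Please confirm each of the four rows is on one line. The same check applies to the icon table in `influence-the-logreduce-outcome.md` in this patch.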
@@ -276,4 +277,4 @@ When selecting the time range of your search, keep in mind:
By default, LogCompare email notifications provide details on the **Score**, **Count**, and **Signature**, as shown in the following email example. This is not configurable.
-
+
diff --git a/docs/search/behavior-insights/logexplain.md b/docs/search/behavior-insights/logexplain.md
index 302d657173..a6516ae207 100644
--- a/docs/search/behavior-insights/logexplain.md
+++ b/docs/search/behavior-insights/logexplain.md
@@ -4,6 +4,8 @@ title: LogExplain
description: Group by the keys of JSON or keyvalue logs.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The **LogExplain** operator allows you to compare sets of structured logs based on events you are interested in. Structured logs can be in JSON, CSV, key-value, or any structured format. Often logs relevant to troubleshooting and security insights are scattered among other logs that show the expected behavior and performance. These logs normally consist of different content, where it is helpful to see which values occur more often in events of interest versus normal operation logs. For example, events of interest often contain information relevant to persistent errors, excess load, and high latency.
You will need to specify an event of interest as a conditional statement, this is called the Event Condition. You can specify a condition to compare against the event-of-interest condition, this is called the Against Condition. If no Against Condition is provided, LogExplain will generate the comparison data set based on the fields in your Event Condition.
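Review bot: the frontmatter `description` here ("Group by the keys of JSON or keyvalue logs.") is the LogReduce Keys description and does not describe LogExplain; since this hunk already touches the frontmatter, replace it with a sentence matching the body, e.g. "Compare sets of structured logs against an event condition to find the values that best explain the events of interest."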
@@ -125,7 +127,7 @@ _sourceCategory=*cloudtrail*
Results show the relevance of each explanation:
-
+
### Windows Credentials
diff --git a/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce.md b/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce.md
index 77c110e7c5..15319c09ca 100644
--- a/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce.md
+++ b/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce.md
@@ -4,6 +4,8 @@ title: Detect Patterns with LogReduce
description: LogReduce groups messages with similar structures and common repeated text strings into signatures, providing a quick investigative view, or snapshot, for the keywords or time range provided.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The LogReduce® algorithm uses fuzzy logic and soft matching to group messages with similar structures and common repeated text strings into **signatures**, providing a quick investigative view, or snapshot, for the keywords or time range provided.
The **Signatures** tab displays LogReduce results as signatures. A signature is basically a reflection of the logs grouped by LogReduce—not all logs grouped in a signature will exactly match it. Within a signature, fields that vary are displayed with wildcard placeholders (`**********`) while other fields, such as timestamp (and some URLs) are ignored and replaced with placeholder variables such as `$DATE` and `$URL`.
@@ -30,7 +32,7 @@ The logreduce operator cannot be used with group-by functions such as "count b
* Rate the relevance of signatures by promoting or demoting them under the available **Actions**.
* Change signatures by clicking the pencil icon.
* Split signatures that should not be grouped by clicking on the split arrows.
- * To export the results, click the **Export** icon. Then click **Download** to save the file to your computer.

+ * To export the results, click the **Export** icon. Then click **Download** to save the file to your computer.
1. Promote, Demote, Split, and Edit icons.
1. Undo and Redo icons.
1. Click to view messages for the selected signature.
diff --git a/docs/search/behavior-insights/logreduce/influence-the-logreduce-outcome.md b/docs/search/behavior-insights/logreduce/influence-the-logreduce-outcome.md
index 5040bc5306..34c5bc8008 100644
--- a/docs/search/behavior-insights/logreduce/influence-the-logreduce-outcome.md
+++ b/docs/search/behavior-insights/logreduce/influence-the-logreduce-outcome.md
@@ -4,6 +4,7 @@ title: Influence the LogReduce Outcome
description: You can influence the algorithm by editing a signature to make the results more general, or see more granular results by splitting a signature.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
The algorithm used for the LogReduce® operator uses fuzzy logic and soft matching to group messages with similar structures and common repeated text strings into **Signatures**, providing a quick investigative view, or snapshot, for the keywords or time range provided. LogReduce data is based on the data available to the algorithm during the time range of your search.
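Review bot: the added `import useBaseUrl` line is immediately followed by the first paragraph with no blank line, unlike every other file in this patch. MDX reads the lines following an import up to the next blank line as part of the ESM block, so the paragraph text can be handed to the JavaScript parser and fail the build; add a blank line after the import.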
@@ -13,26 +14,20 @@ The following icons allow you to change the results of a LogReduce report:
| Icon | Action |
| :-- | :-- |
-|  | Promote a signature to the top position of the **Signatures** tab. |
-|  | Demote a signature to move it to the bottom of the last page of the **Signatures** tab. |
-|  | Split a signature into multiple signature. |
-|  | Edit the signature. |
-|  | Undo the last action or step back through the history of changes. |
-|  | Redo the last action. Repeat to redo the history of undos. |
+|
| Promote a signature to the top position of the **Signatures** tab. |
+|
| Demote a signature to move it to the bottom of the last page of the **Signatures** tab. |
+|
| Split a signature into multiple signature. |
+|
| Edit the signature. |
+|
| Undo the last action or step back through the history of changes. |
+|
| Redo the last action. Repeat to redo the history of undos. |
## Promoting or Demoting a LogReduce Signature
Relevance is one factor in LogReduce, but it is a global factor. Members of your org can promote and demote signatures related to your Search.
To influence the relevance of signatures, select the **Signatures** tab and:
-
-* **Promote** a signature by clicking the Thumbs-Up icon for a signature to indicate to Sumo Logic that the data included in the signature is relevant to you. This feedback is taken into consideration when you run LogReduce the next time.
-
- 
-
-* **Demote** a signature by clicking the Thumbs-Down icon for a signature to indicate that this signature is not relevant to you.
-
- 
+* **Promote** a signature by clicking the Thumbs-Up icon for a signature to indicate to Sumo Logic that the data included in the signature is relevant to you. This feedback is taken into consideration when you run LogReduce the next time.
+* **Demote** a signature by clicking the Thumbs-Down icon for a signature to indicate that this signature is not relevant to you.
If no one in your account has ever promoted or demoted a signature the default [relevance score](understand-the-logreduce-relevance-column.md) calculated by Sumo Logic is displayed. If you have never promoted or demoted a signature but someone else in your account has, then you will see the global setting for this signature. If you have promoted or demoted a signature, then you will see your personally calculated relevance score.
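Review bot: the indented blocks that sat under the **Promote** and **Demote** bullets are removed and the bullets are re-added with identical text, so the two screenshots showing the Thumbs-Up and Thumbs-Down icons are gone without replacement. The bullets still say "clicking the Thumbs-Up icon"; either keep an inline `<img>` in each bullet or point the reader to the icon table above. Also note the table cell text "Split a signature into multiple signature" (singular) in the context lines should read "multiple signatures".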
@@ -50,10 +45,10 @@ After you split a signature, the position of the signatures may move (one may ev
For example, in your Windows logs you've selected a signature to split. The Category shouldn't be generic; by splitting the signature you should get more specific results.
-
+
After splitting, you will see that each signature has specific data:
-
+
diff --git a/docs/search/behavior-insights/logreduce/logreduce-keys.md b/docs/search/behavior-insights/logreduce/logreduce-keys.md
index a0cdfba5b0..0e2746b1c2 100644
--- a/docs/search/behavior-insights/logreduce/logreduce-keys.md
+++ b/docs/search/behavior-insights/logreduce/logreduce-keys.md
@@ -4,6 +4,7 @@ title: LogReduce Keys
description: Group by the keys of JSON or keyvalue logs.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
The **LogReduce Keys** operator allows you to quickly explore JSON or key-value formatted logs by schemas. If you have a large volume of JSON or key-value logs with different formats and aren't sure which ones you need to focus on, this operator can process them into their object schemas so you can review which ones are relevant to your needs.
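Review bot: same issue as `influence-the-logreduce-outcome.md`: `import useBaseUrl` is followed directly by the body paragraph with no blank line, which MDX can treat as a continuation of the import statement; add the blank line for consistency with the other files in this change.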
@@ -102,6 +103,6 @@ _sourceCategory=*cloudtrail* *AccessDenied*
The schemas returned in your results are sorted based on the alphabetical ordering of keys to allow easy identification of changes in patterns.
-
+
Next, use [LogReduce Values](/docs/search/behavior-insights/logreduce/logreduce-values) to explore the schema based on specific keys.
diff --git a/docs/search/behavior-insights/logreduce/logreduce-operator.md b/docs/search/behavior-insights/logreduce/logreduce-operator.md
index 38907dd407..c5d583b782 100644
--- a/docs/search/behavior-insights/logreduce/logreduce-operator.md
+++ b/docs/search/behavior-insights/logreduce/logreduce-operator.md
@@ -4,6 +4,8 @@ title: LogReduce Operator
description: The LogReduce Operator allows you to quickly assess activity patterns for things like a range of devices or traffic on a website.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
:::important
The summarize operator has been renamed the LogReduce operator, to match the **LogReduce** button on the **Messages** tab. Both operators will continue to work in search queries as synonyms for a limited time. We recommend that you rewrite saved queries replacing summarize with logreduce.
:::
@@ -22,10 +24,7 @@ For information on how to interpret and influence the outcome of LogReduce resul
When you've already run a search query with non-aggregate results, you can use the **LogReduce** button in the **Messages** tab to automatically apply the LogReduce operator to the current results.
1. Run a search query with non-aggregate results.
-1. In the **Messages** tab, the **LogReduce** button displays. Click it to automatically apply the LogReduce operator to your results.
-
- 
-
+1. In the **Messages** tab, the **LogReduce** button displays. Click it to automatically apply the LogReduce operator to your results.
1. The **Signatures** tab is displayed with your results.
### Rules
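Review bot: step 2 ("In the **Messages** tab, the **LogReduce** button displays...") loses its indented screenshot block and is re-added with the same text, so the image showing where the button sits is dropped rather than migrated to `useBaseUrl`. If that is intentional, fine; otherwise add the `<img>` back inside the list item, indented under the step so the numbered list does not restart at 1.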
@@ -52,7 +51,7 @@ After running a LogReduce operation, from the **Signatures** tab, you can view
* Click the number in the **Count** column for a signature.
* Check the checkboxes in the **Select** column for any number of signatures and click the **View Details** button on the top right of the table.
-
+
Details option syntax:
diff --git a/docs/search/behavior-insights/logreduce/logreduce-values.md b/docs/search/behavior-insights/logreduce/logreduce-values.md
index 2fdd241dde..a06df9a94a 100644
--- a/docs/search/behavior-insights/logreduce/logreduce-values.md
+++ b/docs/search/behavior-insights/logreduce/logreduce-values.md
@@ -4,7 +4,7 @@ title: LogReduce Values
description: Group by the values of specific keys in JSON logs.
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
The **LogReduce Values** operator allows you to quickly explore structured logs by known keys. Structured logs can be in JSON, CSV, key-value, or any structured format. Unlike the [LogReduce Keys operator](/docs/search/behavior-insights/logreduce/logreduce-keys), you need to specify the keys you want to explore. The values of each specified key are parsed and aggregated for you to explore.
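Review bot: this hunk replaces the blank line after the frontmatter with the `import useBaseUrl` line, leaving no blank line between the import and the first paragraph; MDX parses up to the next blank line as ESM, so keep the blank line after the import (the other files in this patch add `+` followed by an empty `+` line).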
@@ -42,7 +42,7 @@ There are two methods you have to use the details option:
* Click on the `_count` field value from the LogReduce Values search results.
- 
+
A new search is created with the necessary identifiers from your initial LogReduce Values search. The search contains all of the raw logs from the selected data cluster.
@@ -142,7 +142,7 @@ _sourceCategory=*cloudtrail* *AccessDenied*
Results show each unique signature:
-
+
Next, use [LogExplain](../logexplain.md) to analyze which users, IP addresses, AWS regions, and S3 event names most explain the S3 Access Denied error based on their prevalence in AWS CloudTrail logs that contain S3 Access Denied errors versus logs that do not contain these errors.
diff --git a/docs/search/behavior-insights/logreduce/understand-the-logreduce-relevance-column.md b/docs/search/behavior-insights/logreduce/understand-the-logreduce-relevance-column.md
index 3093bc4ba8..482dbdd532 100644
--- a/docs/search/behavior-insights/logreduce/understand-the-logreduce-relevance-column.md
+++ b/docs/search/behavior-insights/logreduce/understand-the-logreduce-relevance-column.md
@@ -5,6 +5,8 @@ sidebar_label: LogReduce Relevance Column
description: The LogReduce Relevance column displays a numerical score for a signature, predicting which signatures could be most meaningful.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
:::important
The summarize operator has been renamed the logreduce operator, to match the **LogReduce** button on the **Messages** tab. Both operators will continue to work in search queries as synonyms for a limited time. We recommend that you rewrite saved queries replacing summarize with
logreduce.
@@ -15,7 +17,7 @@ user. The Relevance value is computed using your history of [feedback](../logre
LogReduce uses the similarity of signature content (the words in a signature) to predict relevance for signatures, even if a signature hasn’t yet been promoted or demoted a specific signature. For example, if a user has promoted a number of signatures that contain the word “database” then new signatures containing “database” will be scored higher.
-
+
## What do the Relevance values mean?
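Review bot: the context line above the replaced image reads "even if a signature hasn't yet been promoted or demoted a specific signature", which is a garbled sentence; while this paragraph is being touched, rewrite it as "even if a specific signature has not yet been promoted or demoted". The `:::important` admonition in the previous hunk also has a hard line break mid-sentence ("replacing summarize with" / "logreduce."), which should be joined onto one line.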
diff --git a/docs/search/get-started-with-search/build-search/dynamic-parsing.md b/docs/search/get-started-with-search/build-search/dynamic-parsing.md
index 8f1e32d5f1..2ae2dab39d 100644
--- a/docs/search/get-started-with-search/build-search/dynamic-parsing.md
+++ b/docs/search/get-started-with-search/build-search/dynamic-parsing.md
@@ -12,11 +12,11 @@ Dynamic Parsing (Auto Parse Mode) allows automatic field extraction from your JS
Dynamic Parsing extracts JSON fields when you run a query, at search time (run time). Dynamic Parsing for JSON can be thought of as a Run Time field extraction rule (FER). By default, your account is given one Run Time FER that encompasses all of your data.
-
+
With this FER defined, any search on JSON data will automatically parse out its JSON fields, which you can then use within your search query, exactly like any other field. You have an option on the Search Page that allows you to control Dynamic Parsing. Dynamic Parsing is activated when a search is run in **Auto Parse Mode**.
-
+
## Key benefits
@@ -35,7 +35,7 @@ To use Dynamic Parsing
1. Click the ⚙️ gear icon in the top-right corner.
2. Toggle **Auto Parse Mode** on.
-
+
## Setting up Custom Run Time FERs (optional)
@@ -48,7 +48,7 @@ To optimize search performance you can manually set up Dynamic Parsing by defin
Run Time FERs have a scope, exactly like an Ingest Time FER, that defines which searches are applicable to Dynamic Parsing **Auto Parse Mode**. For Dynamic Parsing to work your query needs to have a scope that is defined in a Run Time FER, otherwise **Auto Parse Mode** will not be applicable.
1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Field Extraction Rules**. You can also click the **Go To...** menu at the top of the screen and select **Field Extraction Rules**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Field Extraction Rules**.
-1. Click **+ Add** at top right of the table to create an FER.

+1. Click **+ Add** at top right of the table to create an FER.
1. Enter the following options:
* **Rule Name**. Type a name that makes it easy to identify the rule.
* **Applied At**. Select **Run Time**.
@@ -68,15 +68,15 @@ The [field browser](/docs/search/get-started-with-search/search-page/field-brows
### Field browser
-* A search input field allows you to search for fields by name.
-* JSON structures are nested with expand and collapse options.

-* A copy button is available to the right of each field allowing you to easily copy a field name.

+* A search input field allows you to search for fields by name.
+* JSON structures are nested with expand and collapse options.
+* A copy button is available to the right of each field allowing you to easily copy a field name.
### Search results table
-* You can copy field names from JSON structures. After selecting (click and highlight) a JSON key in your results, right click and select **Copy field name**. See [modifying a search from the messages tab](/docs/search/get-started-with-search/search-page/modify-search-from-messages-tab) for details on the other provided options.

+* You can copy field names from JSON structures. After selecting (click and highlight) a JSON key in your results, right click and select **Copy field name**. See [modifying a search from the messages tab](/docs/search/get-started-with-search/search-page/modify-search-from-messages-tab) for details on the other provided options.
* Copying a field name using this option will automatically format [field names that have special characters](/docs/search/get-started-with-search/search-basics/reference-field-special-characters). For example, the field name shown in the screenshot is **total time-series**, it would be automatically formatted to **%"total time-series"** to work properly in a search query.
-* A copy button is available to the right of each column (field) name allowing you to easily copy a field name.

+* A copy button is available to the right of each column (field) name allowing you to easily copy a field name.
## Rules and behavior
diff --git a/docs/search/get-started-with-search/build-search/search-syntax.md b/docs/search/get-started-with-search/build-search/search-syntax.md
index 5f34136eec..eb907c8bef 100644
--- a/docs/search/get-started-with-search/build-search/search-syntax.md
+++ b/docs/search/get-started-with-search/build-search/search-syntax.md
@@ -4,6 +4,8 @@ title: Search Syntax Overview
description: Understand the basic syntax used in Sumo Logic search queries to analyze log data efficiently and accurately.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The Sumo Logic Search Language operates on your entire log repository, no matter how many different log sources you have—in real time. The search query language is intuitive and efficient, allowing you to search terabytes of data and see results in seconds.
## Rules
@@ -38,7 +40,7 @@ The pipe delimiter is used to separate the keyword expression and each subsequen
**Example:**
-
+
## User-Parsed Fields
diff --git a/docs/search/get-started-with-search/build-search/search-templates.md b/docs/search/get-started-with-search/build-search/search-templates.md
index 4e67b604c0..150b9a64f9 100644
--- a/docs/search/get-started-with-search/build-search/search-templates.md
+++ b/docs/search/get-started-with-search/build-search/search-templates.md
@@ -3,6 +3,8 @@ id: search-templates
title: Search Templates
description: Search templates narrow down your queries into a few parameters that other users can edit to find the data they need.
---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
import Iframe from 'react-iframe';
Search templates can help you simplify searches for your users by giving them a few easy input choices. You can have search templates replace any text in a query, including fields, keywords, and arguments to operators. You can also determine what type of information is valid such as text, strings, and keywords.
@@ -34,7 +36,7 @@ Watch this micro lesson to learn how to use search template parameters.
From any query you create, or an existing one you manage, you can create a search template and specify parameters.
1. Open your query.
-1. Highlight the field, argument, or operator you want to replace and click **Create a parameter** or **alt+v** if you want to use the keyboard shortcut.

+1. Highlight the field, argument, or operator you want to replace and click **Create a parameter** or **alt+v** if you want to use the keyboard shortcut.
:::note
You can create a maximum of 10 parameters inside a search.
:::
@@ -47,13 +49,13 @@ From any query you create, or an existing one you manage, you can create a searc
| Keyword | Any Sumo Logic keyword. There are some performance benefits to using Sumo Logic keywords so this is a great option to choose if you can. |
1. Optionally, you can set autocomplete values for your parameter by selecting **Set Values for Parameter**. Select a format:
1. For text entries, enter each value on a separate line. Do not use commas to separate values as they will be marked invalid. If the string needs a comma, use quotes in the text entry, such as “abc,xyz”.
- 1. For Label-Value pairs, copy paste the label-value pairs as comma-delimited lines. If you're using a Lookup make sure that you are using a valid [lookup (classic)](/docs/search/search-query-language/search-operators/lookup-classic) file because the system will reject any lookup file path that it cannot validate.

+ 1. For Label-Value pairs, copy paste the label-value pairs as comma-delimited lines. If you're using a Lookup make sure that you are using a valid [lookup (classic)](/docs/search/search-query-language/search-operators/lookup-classic) file because the system will reject any lookup file path that it cannot validate.
1. Select the appropriate values for the field, such as user ID.
1. Select values for the corresponding label, such as name. Both **Text** entries and **Label-value** pairs allow amaximum of 10,000 entries. A lookup file can have a maximum of 40,000 entries.
1. For a lookup file, you must enter a valid [lookup (classic)](/docs/search/search-query-language/search-operators/lookup-classic) file that you have [saved](/docs/search/search-query-language/search-operators/save-classic).
1. Under **Select a format**, select **Lookup**.
1. Enter in a valid lookup file or select a shared lookup file from the dropdown.
- 1. Select values for the corresponding label, such as name.

+ 1. Select values for the corresponding label, such as name.
1. Click **Save.**
1. Share your search with any new users by clicking **Share** underneath your query window.
1. Grant **Edit** access to the users and roles that should use this search template.
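Review bot: the context line "Both **Text** entries and **Label-value** pairs allow amaximum of 10,000 entries" has a typo ("amaximum" should be "a maximum"); it is inside the hunk being edited, so fix it here rather than in a follow-up.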
@@ -88,7 +90,7 @@ _sourceCategory=service "Successful login from UI"
Next, specify the `user_name` parameter as a lookup that already has the association between our user names and our user IDs, in this case `/shared/angad/user_info_lookup`:
-1. Enter in a valid [lookup (classic)](/docs/search/search-query-language/search-operators/lookup-classic) file that you have [saved](/docs/search/search-query-language/search-operators/save-classic) with the save operator.

+1. Enter in a valid [lookup (classic)](/docs/search/search-query-language/search-operators/lookup-classic) file that you have [saved](/docs/search/search-query-language/search-operators/save-classic) with the save operator.
1. Select the appropriate values for the field, such as user ID.
1. Select values for the corresponding label, such as name.
1. Click **Save**.
@@ -124,7 +126,7 @@ _sourceCategory=apache_error
| count by _timeslice
```
-
+
**Save**. You now have a parameter for your search that allows users to just pick the timeslice from a list of values you feel is appropriate for the query.
diff --git a/docs/search/get-started-with-search/build-search/set-time-range.md b/docs/search/get-started-with-search/build-search/set-time-range.md
index 3f3622a183..2f1bda4036 100644
--- a/docs/search/get-started-with-search/build-search/set-time-range.md
+++ b/docs/search/get-started-with-search/build-search/set-time-range.md
@@ -5,20 +5,16 @@ sidebar_label: Set the Time Range
description: You can adjust the time range for searches and metrics to get the information that will be of most use.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
To set the time range for searches or metrics visualizations, click the time area.
-
+
The current time range is displayed, along with the following options to set the time:
-* **Relative**. Select an interval relative to the current time. The display is updated as soon as you make a selection. You can enter absolute time and dates.
-
- 
-
-* **Custom**. Click a date to select it as the start date, then move your cursor to the desired end date and click to select it. The date settings shown below the calendar are updated. You can scroll to navigate between months or click to go to a specific month. To specify the time, highlight the portion of the time value you want to change, and modify the entry.
-
- 
-
+* **Relative**. Select an interval relative to the current time. The display is updated as soon as you make a selection. You can enter absolute time and dates.
+* **Custom**. Click a date to select it as the start date, then move your cursor to the desired end date and click to select it. The date settings shown below the calendar are updated. You can scroll to navigate between months or click to go to a specific month. To specify the time, highlight the portion of the time value you want to change, and modify the entry.
* **Recent**. If you have specified any relative or custom time ranges during your current login session, they are available for selection under **Recent**.
#### Rules
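Review bot: the **Relative** and **Custom** bullets are re-added with identical text while the indented screenshot blocks under each are removed, so both time-picker images are dropped rather than converted to `<img src={useBaseUrl(...)}>`. The **Custom** bullet in particular describes calendar interactions ("the date settings shown below the calendar are updated") that are hard to follow without the image; either restore the two images inline in the bullets or reword the text so it does not refer to what is "shown below".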
diff --git a/docs/search/get-started-with-search/search-basics/about-search-basics.md b/docs/search/get-started-with-search/search-basics/about-search-basics.md
index 3e75c914e3..61f29e8f03 100644
--- a/docs/search/get-started-with-search/search-basics/about-search-basics.md
+++ b/docs/search/get-started-with-search/search-basics/about-search-basics.md
@@ -4,6 +4,8 @@ title: About Search Basics
description: Sumo Logic search syntax is based on a funnel or "pipeline" concept and it uses logical and familiar operators letting you to create ad hoc queries quickly.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
Our Search Syntax is based on a funnel or "pipeline" concept. The wide mouth of the funnel begins with all your current Sumo Logic data, and you narrow the funnel by entering keywords and operators separated by pipes (`|`). Each operator acts on the results from the previous operator so that you can progressively filter and pinpoint your search until you find exactly what you’re looking for.
import Iframe from 'react-iframe';
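Review bot: `import useBaseUrl` is added at the top of the file, but the existing `import Iframe from 'react-iframe';` still sits after the first paragraph. MDX allows that, but since this hunk is already reorganising imports, move the `Iframe` import up next to `useBaseUrl` so all ESM is in one place after the frontmatter, as `search-templates.md` does in this same patch.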
@@ -47,7 +49,7 @@ Here's an example:
This query means:
-
+
As queries get longer and more complex, it is a best practice to format your queries by using a soft return before the pipes, such as:
diff --git a/docs/search/get-started-with-search/search-basics/comments-search-queries.md b/docs/search/get-started-with-search/search-basics/comments-search-queries.md
index 494503786d..454a3664ed 100644
--- a/docs/search/get-started-with-search/search-basics/comments-search-queries.md
+++ b/docs/search/get-started-with-search/search-basics/comments-search-queries.md
@@ -23,7 +23,7 @@ Comments can be useful for the following use cases:
When you comment out a line of your search query, the user interface displays the commented text as grey and italic. See the following
example of commenting out a single line in a query:
-
+
If the query is valid without the line that is commented out, it will still run when you click **Start**.
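Review bot: This file gets two screenshot replacements (here and at `@@ -31,7 +31,7`) but, unlike the other files in this patch, no hunk adding `import useBaseUrl from '@docusaurus/useBaseUrl';`. If the new image lines call `useBaseUrl(...)`, the MDX build fails on an undefined identifier unless the import already exists above line 23; please confirm. The same applies to `change-time-range-in-histogram.md` and `field-browser/index.md`, whose hunks in this patch are also image-only with no import.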
@@ -31,7 +31,7 @@ The `where` statement is commented out in the above statement.
The following is a multi-line comment.
-
+
## Pro Tip: Leverage pre-built Sumo Logic app queries
diff --git a/docs/search/get-started-with-search/search-basics/export-search-results.md b/docs/search/get-started-with-search/search-basics/export-search-results.md
index 4626bde09c..aa6a3b1f25 100644
--- a/docs/search/get-started-with-search/search-basics/export-search-results.md
+++ b/docs/search/get-started-with-search/search-basics/export-search-results.md
@@ -4,6 +4,8 @@ title: Export Search Results
description: Export your search results in Sumo Logic to CSV or other formats to share insights, report findings, or use log data outside the platform.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
After your search query completes, you can download up to 100,000 rows of results from your browser as a CSV (comma-separated values) text file. If your results are more than 100,000 rows, then run multiple searches with a shorter time range and export the respective search results.
:::note
@@ -14,7 +16,7 @@ To export search results, you must have a [role](/docs/manage/users-roles) that
From the table view of a completed query, click the **Export Results** icon in the **Aggregates** tab.
-
+
If the export is successful, your browser will automatically download the data and save it to a CSV file.
@@ -22,11 +24,11 @@ If the export is successful, your browser will automatically download the data
You can export message fields to a CSV file, either just the fields displayed, or all fields, including hidden fields.
-
+
-Click the gears icon in the top-right corner of the **Messages** tab, and then select **Export** **(Display Fields)** to export only the messages displayed, or **Export (All Fields)** to export all message fields. If the export is successful, your browser will automatically download the data and save it to a CSV file.
+Click the gears icon in the top-right corner of the **Messages** tab, and then select **Export** **(Display Fields)** to export only the messages displayed, or **Export (All Fields)** to export all message fields. If the export is successful, your browser will automatically download the data and save it to a CSV file.
-
+
:::info
Audit events will be generated for every search results export (displayed fields or all fields). Administrators can use `_sourceCategory=content` with `eventName:"SearchExported"` to view these [audit events](/docs/manage/security/audit-indexes/audit-event-index/) to ensure that no sensitive data is exported.
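Review bot: The `-`/`+` pair for the "Click the gears icon..." paragraph is textually identical in this diff, so the change is whitespace only; since the line is being touched anyway, fix the split bold `**Export** **(Display Fields)**` to `**Export (Display Fields)**` so it matches `**Export (All Fields)**` later in the same sentence. If the whitespace change is trailing-space cleanup, keeping it is fine.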
diff --git a/docs/search/get-started-with-search/search-basics/pause-cancel-search.md b/docs/search/get-started-with-search/search-basics/pause-cancel-search.md
index 5e5c1a73d2..251aa7f7bc 100644
--- a/docs/search/get-started-with-search/search-basics/pause-cancel-search.md
+++ b/docs/search/get-started-with-search/search-basics/pause-cancel-search.md
@@ -4,13 +4,13 @@ title: Pause or Cancel a Search
description: When a search is in progress, the options to Cancel or Pause the search appear.
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
You can pause or cancel a search when it is in progress. Most users want to cancel a search in progress that is taking too long. You can stop the search and improve your query. You can also pause a search and check timestamps to see what data has been searched so far.
Once you have started your log search the search page will change to provide the options to pause or cancel a search.
-
+
## Pause a Search
diff --git a/docs/search/get-started-with-search/search-basics/quick-search-collectors-sources.md b/docs/search/get-started-with-search/search-basics/quick-search-collectors-sources.md
index 8e83c99632..d626aaebfc 100644
--- a/docs/search/get-started-with-search/search-basics/quick-search-collectors-sources.md
+++ b/docs/search/get-started-with-search/search-basics/quick-search-collectors-sources.md
@@ -4,17 +4,12 @@ title: Quick Search for Collectors and Sources
description: You can quickly start a search for a Collector, Source, or Source Category from the Manage Collection page.
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
You can quickly start a search for a Collector, Source, or Source Category from the **Manage Collection** page.
1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
-1. Hover over the name of the Collector, Source, or Source Category (if a Source Category is defined) to display the small **Search** icon.
-
- 
-
+1. Hover over the name of the Collector, Source, or Source Category (if a Source Category is defined) to display the small **Search** icon.
1. Click the icon.
- The Search page opens with the Collector, Source, or Source Category prefilled. The search starts running automatically. After the search results are displayed, you can modify the search settings, if needed, as you'd for any other search.
-
- 
+ The Search page opens with the Collector, Source, or Source Category prefilled. The search starts running automatically. After the search results are displayed, you can modify the search settings, if needed, as you'd for any other search.
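Review bot: Both rewritten step lines ("Hover over the name..." and "The Search page opens...") read identically to the lines they replace, while the two indented screenshot lines between and after them are dropped with no replacement visible in this hunk, even though `import useBaseUrl` is added at the top of the file. Confirm the screenshots are now embedded inline (and merely stripped from this view) rather than removed outright. Nit on the touched line: "as you'd for any other search" reads awkwardly; use "as you would for any other search".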
diff --git a/docs/search/get-started-with-search/search-basics/search-autocomplete.md b/docs/search/get-started-with-search/search-basics/search-autocomplete.md
index f3337f2d2b..174f77ca21 100644
--- a/docs/search/get-started-with-search/search-basics/search-autocomplete.md
+++ b/docs/search/get-started-with-search/search-basics/search-autocomplete.md
@@ -4,7 +4,7 @@ title: Search Autocomplete
description: On the Search page, as you begin typing to enter a query in the search text box, the search autocomplete dropdown dialog opens to offer suggestions to make query writing easier.
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
On the **Search** page, as you begin typing to enter a query in the search text box, the search autocomplete dropdown dialog opens to offer suggestions to make query writing easier.
@@ -12,13 +12,13 @@ RBAC limitations prevent you from seeing options that you are not permitted to s
In the first part of a query, search autocomplete suggests common default queries, keywords, and [metadata](built-in-metadata.md) terms. It also offers the names of Collectors, Sources, and Partitions, which are automatically configured in your system when you create them.
-
+
As you type, or when you press the space bar, search autocomplete offers the common AND and OR operators. Then after you type the first pipe (`|`) of your query, it suggests more advanced search operators, depending on what you type. The feature also includes links to documentation for search operators and other Sumo Logic features. Click the blue question mark icon to open the Help page on that topic for more information.
As you type, search autocomplete underlines possible typos in your query and suggests corrections. It also colorizes some parts of your query, for easy detection. All suggestions are based on the location of the cursor in the text box.
-
+
Search autocomplete does not suggest all available Sumo Logic keywords, metadata terms, and search operators. For full details on what is
supported, see [Search Operators](/docs/search/search-query-language/group-aggregate-operators).
diff --git a/docs/search/get-started-with-search/search-basics/search-surrounding-messages.md b/docs/search/get-started-with-search/search-basics/search-surrounding-messages.md
index 8b8998ac4d..5429607d65 100644
--- a/docs/search/get-started-with-search/search-basics/search-surrounding-messages.md
+++ b/docs/search/get-started-with-search/search-basics/search-surrounding-messages.md
@@ -4,6 +4,8 @@ title: Search Surrounding Messages
description: Surrounding messages allow you to investigate events surrounding a message.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
Surrounding messages allow you to investigate events surrounding a message from the context of the Host, file name, or category identified enabling you to view the activity for the defined time period.
As you browse results in the **Messages** list, you might come across a message where you'd like to see more context. What other events occurred just before and after this event? What else was happening on this host at the same time? When you search surrounding messages, you capture the context of the current message to gain insight into surrounding activity.
@@ -19,16 +21,12 @@ To search surrounding messages:
same host.
* `_sourceCategory`. Matches messages based on the same user-created metadata.
- 
+
-1. Select the time range to search before and after the selected message. Choose one minute, five minutes, or ten minutes. In this example, search will return messages for a ten minute time range (five minutes before, and five minutes after) from the same host and file path as the selected message.
-
- 
-
-A new search tab opens displaying the surrounding messages. Your position in the log file is highlighted:
+1. Select the time range to search before and after the selected message. Choose one minute, five minutes, or ten minutes. In this example, search will return messages for a ten minute time range (five minutes before, and five minutes after) from the same host and file path as the selected message.
-
+A new search tab opens displaying the surrounding messages. Your position in the log file is highlighted:
If you lose your place, you can click **Show Original Message** to return to the highlighted message.
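Review bot: The moved line "A new search tab opens displaying the surrounding messages. Your position in the log file is highlighted:" ends in a colon that introduced the screenshot removed just above it; if the image is not re-added after that line, end the sentence with a period. As in the other files, the rewritten step line is identical to the one removed, and the two screenshot lines leave the list with no visible replacement.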
diff --git a/docs/search/get-started-with-search/search-basics/share-link-to-search.md b/docs/search/get-started-with-search/search-basics/share-link-to-search.md
index f05564fb9e..01be1814e1 100644
--- a/docs/search/get-started-with-search/search-basics/share-link-to-search.md
+++ b/docs/search/get-started-with-search/search-basics/share-link-to-search.md
@@ -28,18 +28,10 @@ To share a link to a search:
* These will include the current state of the Aggregates tab, so if you have configured a chart, it will be displayed to the user you share it with, depending on their permissions. When you update your chart, a new link is generated.
* **Shareable Search URL**. Copy the top link to share your search as a URL. Another user with access to your account can paste the link into a browser to run your search. If the user is not currently logged into Sumo Logic, he or she will be prompted to log in.
- * **Paste code in the search query box**. If you know that the recipient is logged into Sumo Logic, copy and provide them the bottom code. This code can be pasted into the Search query box of a new Search tab. When you update your chart, a new code is generated.
-
- 
+ * **Paste code in the search query box**. If you know that the recipient is logged into Sumo Logic, copy and provide them the bottom code. This code can be pasted into the Search query box of a new Search tab. When you update your chart, a new code is generated.
**If the search is saved:** the Share Search dialog provides options to share the link and code in the following way:
- * Click inside the User and Roles field and make selections from the dropdown list.
-
- 
-
- * You can choose to notify users by email and enter a note in the text field. You can also choose to copy and paste the shareable search URL into another form of electronic communication. Or if you know that the recipient is logged into Sumo Logic, the Search Query Box code can be pasted into the Search query box of a new Search.
-
- 
-
+ * Click inside the User and Roles field and make selections from the dropdown list.
+ * You can choose to notify users by email and enter a note in the text field. You can also choose to copy and paste the shareable search URL into another form of electronic communication. Or if you know that the recipient is logged into Sumo Logic, the Search Query Box code can be pasted into the Search query box of a new Search.
* For information on publishing a search, see [Publishing a Search from the Library](/docs/get-started/library#search-the-library).
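Review bot: This hunk drops three indented screenshot lines (after "Paste code in the search query box", "Click inside the User and Roles field" and "You can choose to notify users by email") and re-adds the surrounding bullets unchanged, and there is no `import useBaseUrl` hunk for this file anywhere in the patch. That reads as a deletion of the screenshots rather than a migration to `useBaseUrl`; please confirm that is intended, or add the replacement images together with the import.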
diff --git a/docs/search/get-started-with-search/search-basics/time-range-expressions.md b/docs/search/get-started-with-search/search-basics/time-range-expressions.md
index e2f4cce676..dd7b3c80c5 100644
--- a/docs/search/get-started-with-search/search-basics/time-range-expressions.md
+++ b/docs/search/get-started-with-search/search-basics/time-range-expressions.md
@@ -4,6 +4,8 @@ title: Time Range Expressions
description: When you are building a search query, you have the option to add a time range expression in the time range field.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
When you are building a search query, you have the option to add a time range expression in the time range field.
The last millisecond of the defined time range is not searched. For example, a time range of 6:15 to 6.30 pm will run as 6:15:00:000 to 6:29:59:999.
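Review bot: Nit on the context line directly below the new import: "6:15 to 6.30 pm" mixes separators (should be "6:30 pm"), and "6:15:00:000 to 6:29:59:999" uses a colon before the millisecond part where "6:15:00.000 to 6:29:59.999" is the conventional form; worth fixing while this file is open.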
@@ -14,7 +16,7 @@ Preset values are available to choose from, with **Last 15 Minutes** as the de
Search time ranges use either the default timezone set in your web browser, or the [Default Timezone](../../../get-started/account-settings-preferences.md) setting on the **Preferences** page, if you have set it.
-
+
## Relative time range expressions
diff --git a/docs/search/get-started-with-search/search-basics/view-traces-search-results.md b/docs/search/get-started-with-search/search-basics/view-traces-search-results.md
index 3d76ec3763..ef289e4c34 100644
--- a/docs/search/get-started-with-search/search-basics/view-traces-search-results.md
+++ b/docs/search/get-started-with-search/search-basics/view-traces-search-results.md
@@ -4,8 +4,10 @@ title: View Traces Search Results
description: Open and review traces from search log results.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
In the Messages tab, some search results may have associated Traces data to review. You can right-click to drill-down and view the Trace View for any log entry with a Trace ID (`trace_id...`) or Span ID (`span_id...`). See View and [Investigate Traces](/docs/apm/traces/view-and-investigate-traces) and [Traces](/docs/apm/traces) for more information.
1. Build and run your search.
-1. In the **Messages** tab, right-click a log line. If tracing data is available, select **Open Trace**. The entry gives you the tracing id.

-1. The **Trace View** loads for the selected trace.

+1. In the **Messages** tab, right-click a log line. If tracing data is available, select **Open Trace**. The entry gives you the tracing id.
+1. The **Trace View** loads for the selected trace.
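Review bot: Steps 2 and 3 are re-added with identical text while the two lines between and after them (the screenshot slots) are dropped, so the only visible effect of this hunk besides the import is the loss of the images; confirm replacements exist. Nit on the re-added step 2: "The entry gives you the tracing id." should use the same term as the intro paragraph, "Trace ID".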
diff --git a/docs/search/get-started-with-search/search-page/change-time-range-in-histogram.md b/docs/search/get-started-with-search/search-page/change-time-range-in-histogram.md
index 780dddfea4..0ff30b282d 100644
--- a/docs/search/get-started-with-search/search-page/change-time-range-in-histogram.md
+++ b/docs/search/get-started-with-search/search-page/change-time-range-in-histogram.md
@@ -13,7 +13,7 @@ You can highlight a time range in the search results histogram to filter your s
Click a bar in the histogram and use your cursor to select a contiguous set of bars. The search results update automatically to show only the results for the selected time range. The overall settings on the page do not change, but the message list is filtered to show only the messages for the selected period.
-
+
* Press the **X** in the selection area to clear a selection.
* Click elsewhere in the histogram to make another selection.
diff --git a/docs/search/get-started-with-search/search-page/field-browser/index.md b/docs/search/get-started-with-search/search-page/field-browser/index.md
index d1ef43f4c8..307a233566 100644
--- a/docs/search/get-started-with-search/search-page/field-browser/index.md
+++ b/docs/search/get-started-with-search/search-page/field-browser/index.md
@@ -51,13 +51,13 @@ You can search for fields in the Field Browser, a feature that is especially us
In our example, we entered **ka** in the Search field and instantly received the following results.
-
+
## Nested field groupings
Nested fields, such as those seen in JSON and KV, are grouped together based on their innate structure that is easy to traverse. We have used a JSON nested structure in the following example.
-
+
## Limitations
diff --git a/docs/search/get-started-with-search/search-page/field-browser/search-from-field-browser.md b/docs/search/get-started-with-search/search-page/field-browser/search-from-field-browser.md
index db9890a1b2..2a2e835349 100644
--- a/docs/search/get-started-with-search/search-page/field-browser/search-from-field-browser.md
+++ b/docs/search/get-started-with-search/search-page/field-browser/search-from-field-browser.md
@@ -4,7 +4,7 @@ title: Search from the Field Browser
description: Drilling down into a field from the Field Browser is seamless for non-aggregate queries.
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
Depending on the type of field you want to drill down into, you can run searches in two ways:
@@ -19,13 +19,13 @@ The histogram shows the top ten values (by percentage) of a field. If there are
When you click a numerical field the average, minimum, maximum, and standard deviation values are displayed in addition to the top ten values by percentage. Click one of the **DRILLDOWN** search options at the bottom of the pane to start a new search.
-
+
### Searches for fields containing strings
The histogram shows the top ten values by percentage. Click one of the **DRILLDOWN** search options at the bottom of the pane to start a new search.
-
+
### Launching a search from the Field Browser
diff --git a/docs/search/get-started-with-search/search-page/field-browser/show-hide-fields-in-field-browser.md b/docs/search/get-started-with-search/search-page/field-browser/show-hide-fields-in-field-browser.md
index 708d14da96..ecf04053ed 100644
--- a/docs/search/get-started-with-search/search-page/field-browser/show-hide-fields-in-field-browser.md
+++ b/docs/search/get-started-with-search/search-page/field-browser/show-hide-fields-in-field-browser.md
@@ -4,11 +4,11 @@ title: Show and Hide Fields in the Field Browser
description: Change the fields that are displayed in search results by showing or hiding in the Field Browser.
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
You can change the fields displayed in your search results in the Field Browser. Displayed fields are shown in the **Display Fields** section and are checked, while hidden fields are in the **Hidden Fields** section and do not have a checkmark.
-
+
Just clicking the checkbox changes the status of a field.
diff --git a/docs/search/get-started-with-search/search-page/index.md b/docs/search/get-started-with-search/search-page/index.md
index 8e4aaefd1a..833ed52a9f 100644
--- a/docs/search/get-started-with-search/search-page/index.md
+++ b/docs/search/get-started-with-search/search-page/index.md
@@ -4,17 +4,19 @@ title: How to Use the Search Page
description: Understand the basic components of the Search window and how they can help you investigate your issues.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
On the Search page, you can enter [simple or complex queries](../search-basics/about-search-basics.md) to search your entire Sumo Logic data repository. You can adjust the size of the search query editor for better visibility into long queries and reduce the size of the editor while examining larger results, making it easier to navigate through your data.
You can also save and select searches from your [Library](/docs/get-started/library). After running a search, your results are displayed in either the **Messages** tab (for raw message data) or the **Aggregates** tab (for grouped results). See [how to navigate through search results](navigate-through-search-results.md).
You can [run a saved search](../search-basics/save-search.md), [pause, or stop searches](../search-basics/pause-cancel-search.md), or [schedule a search to run periodically](../../../alerts/scheduled-searches/schedule-search.md) and notify you of the results.
-
+
| Letter | Purpose |
|:--|:--|
-| A | [Basic or Advanced mode](search-modes.md) search text box. Advanced mode searches are limited to a maximum of 15,000 characters in length.
Click the clock icon to see recent searches. Previously run searches are saved automatically for your reference. Instead of recreating your search, you can select it from the dropdown.
As you make changes, a message displays if you have not pressed enter to execute the query:  |
+| A | [Basic or Advanced mode](search-modes.md) search text box. Advanced mode searches are limited to a maximum of 15,000 characters in length.
Click the clock icon to see recent searches. Previously run searches are saved automatically for your reference. Instead of recreating your search, you can select it from the dropdown.
As you make changes, a message displays if you have not pressed enter to execute the query:
|
| B | [Time range](../build-search/set-time-range.md) of the search. |
| C | Start the search. |
| D | Click the gear icon to open the Search Config menu that has the options to use the [receipt time](../build-search/use-receipt-time.md) and [Auto Parse Mode](../build-search/dynamic-parsing.md). |
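Review bot: Row A of the table is now split across four physical lines, with the screenshot on its own line and the closing `|` alone on the final line after "...to execute the query:". GFM/MDX tables need each row on a single line, so this row will not render as part of the table; keep the whole cell on one line (use `<br/>` for the line breaks and place the `<img>` inline before the closing `|`), or move the screenshot out of the table. The previous version used the same multi-line layout, so check the rendered page rather than assuming it worked before.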
@@ -36,7 +38,7 @@ You can [run a saved search](../search-basics/save-search.md), [pause, or stop
In your search query, you'll see that we have separated out important terms in a search for you by color to help you identify them quickly.
-
+
| Color | Purpose |
|:--|:--|
@@ -47,8 +49,6 @@ In your search query, you'll see that we have separated out important terms in a
## Guide contents
-import useBaseUrl from '@docusaurus/useBaseUrl';
-
In this section, we'll introduce the following concepts:
+1. In the **Parse Text** dialog box, select any text that you do not want to include in the parsed field. Then click **Extract this value**. For example, to parse just the client URL, select the unique client URL, then select **Click to extract this value.**
+1. Type a name for the **Field**. This name appears at the top of the parsed column. Field names can contain alphanumeric characters and underscores (`_`). The name must start and end with an alphabet character. Then click **Submit**.
:::note
If you do not enter a field name, you'll see an error in the **Search** tab.
:::
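Review bot: The two added steps ("In the **Parse Text** dialog box..." and "Type a name for the **Field**...") land under "## Guide contents" right after "In this section, we'll introduce the following concepts:", where they make no sense; together with the hunk header `@@ -47,8 +49,6 @@` (8 old lines, 6 new) not matching the two removed and two added lines shown, this looks like a hunk from a different file (a parse/extract-field page) spliced into `search-page/index.md`. Verify the patch against the real commit before merging. Removing the mid-document `import useBaseUrl` here is otherwise correct, since it now lives at the top of the file. Nit in the added Field step: "start and end with an alphabet character" should be "an alphabetic character".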
diff --git a/docs/search/get-started-with-search/search-page/navigate-through-search-results.md b/docs/search/get-started-with-search/search-page/navigate-through-search-results.md
index a26f204b32..e0756287b1 100644
--- a/docs/search/get-started-with-search/search-page/navigate-through-search-results.md
+++ b/docs/search/get-started-with-search/search-page/navigate-through-search-results.md
@@ -4,20 +4,22 @@ title: Navigate Messages in Search Results
description: When you run a search query, messages display in the Message, Aggregates, or Summarize tabs in the lower half of the browser window.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
When you run a search, the results are displayed in the **Messages** tab. If the search includes an aggregation, an **Aggregates** tab will also be displayed.
-
+
The **Signatures** tab is shown when using [LogReduce](/docs/search/behavior-insights/logreduce).
-
+
## Column adjustments
The table columns can be modified by the following:
* **Move a Column.** To move a column, click and hold down your mouse button on the column, then drag it to a new location.
-* **Change column width**. To adjust the column width, click and hold the vertical line separating the columns, and drag it left or right.
* **Change column height.** Double click the vertical line to the right of a column name to automatically resize the width to fit the content.
* **Pin columns**: You can pin columns in the table, either in the **Messages** tab or the **Aggregates** tab. When a column is pinned, you can scroll to the right and still view it. To pin a column, hover over the column header, and click the pin icon that appears.
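Review bot: Removing the "**Change column width**" bullet (drag the column separator) leaves "**Change column height.** Double click the vertical line ... to automatically resize the width to fit the content", which describes width, not height. Either keep the drag instruction and retitle the surviving item to "**Change column width**", or merge the two into one width bullet covering both drag and double-click; as committed, the drag-to-resize instruction is lost and the remaining label is wrong.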
@@ -28,7 +30,7 @@ After you’ve pinned a column, the pin icon has a slash through it. You can cli
By default, the **Messages** tab shows the collapsed version of messages with each row showing up to 10 lines. To see the full contents of all log messages, including JSON logs, click the **Expand/Collapse** button on the upper right side of the **Messages** table and choose either **Expand All Rows** or **Expand All Rows And JSON** option.
-
+
Click **Expand/Collapse** on the upper right side of the **Messages** table, then select **Collapse All Rows** to switch back to the initial collapsed view.
@@ -36,7 +38,7 @@ Click **Expand/Collapse** on the upper right side of the **Messages** table, the
The **Messages** tab allows you to right-click a table cell to copy the raw message to your clipboard.
-
+
## Keyboard accessibility
@@ -49,6 +51,6 @@ If you have many pages of results, you have several options for navigation:
* Type a page number into the page number field and hit enter.
* For the **Messages** tab only, click into a block in the histogram to jump to the page containing the first message from that block. In the default sort order, the message is the most recent message from the block. In a reverse sort order, clicking into the histogram takes you to the page containing the oldest message from that block.
-
+
In this example, the largest number of events occurred between 1:56 and 1:57 am. Clicking into the tallest histogram block takes us to the page where logs related to the event can be viewed. This is the page that contains the most recent message from this message block. The note in pink shows the range in time that corresponds to the page you're viewing.
diff --git a/docs/search/get-started-with-search/search-page/search-highlighting.md b/docs/search/get-started-with-search/search-page/search-highlighting.md
index 5ebf5dd1b4..87321feaee 100644
--- a/docs/search/get-started-with-search/search-page/search-highlighting.md
+++ b/docs/search/get-started-with-search/search-page/search-highlighting.md
@@ -4,7 +4,7 @@ title: Search Highlighting
description: When you perform a search, and results are returned, your search terms are highlighted in the Messages tab.
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
When you perform a search, and results are returned, your search terms are highlighted in the **Messages** tab.
@@ -16,7 +16,7 @@ For example, using this query:
returns the following results in the **Messages** tab:
-
+
Note that the search terms **Error** and **Exception** are highlighted in yellow.
diff --git a/docs/search/get-started-with-search/search-page/search-load-indicator.md b/docs/search/get-started-with-search/search-page/search-load-indicator.md
index ddce2da1ce..fb9dccc7d8 100644
--- a/docs/search/get-started-with-search/search-page/search-load-indicator.md
+++ b/docs/search/get-started-with-search/search-page/search-load-indicator.md
@@ -4,7 +4,7 @@ title: Search Load Indicator
description: The search load indicator gives you feedback on the amount of system load and provides suggestions on what you can do to reduce the load by making your query more specific.
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
Searches vary considerably in the amount of load they place on the system. All of the following can affect the search load:
@@ -20,7 +20,7 @@ Look for the load indicator in the bar below the bar chart in the search result
* Medium (orange, two dots)
* High (red, three dots)
-
+
Click the dotted icon to get more information:
diff --git a/docs/search/get-started-with-search/search-page/search-modes.md b/docs/search/get-started-with-search/search-page/search-modes.md
index 184a4dab8e..5d176b0b1a 100644
--- a/docs/search/get-started-with-search/search-page/search-modes.md
+++ b/docs/search/get-started-with-search/search-page/search-modes.md
@@ -4,6 +4,8 @@ title: Search Modes
description: Learn about the new search modes of our Log Search page.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
Sumo Logic Log Search offers two search modes to build your searches, Advanced and Basic.
* **Basic Mode** gives you a structured query builder that writes a simple log query. This mode is designed for new users that are not familiar with Sumo Logic search features and query language. We recommend taking [Certification Courses](/docs/get-started/training-certification-faq) and reading the [Getting Started](/docs/get-started) content before moving to advanced mode.
@@ -16,7 +18,7 @@ For details on all other Log Search page features, see [How to use the search pa
When you open a Log Search you'll have the option to switch between Basic and Advanced Mode. The selected mode will persist to new searches.
1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Logs > Log Search**. You can also click the **Go To...** menu at the top of the screen and select **Log Search**.
## Basic Mode
@@ -26,33 +28,22 @@ Search offers an easy-to-use, structured query builder to help you write and com
This section elaborates on the input options.
-
+
* **Data Tier**. Select from the dropdown which Data Tier the query should run against, either Continuous, Frequent, or Infrequent. See [Searching Data Tiers](/docs/manage/partitions/data-tiers/searching-data-tiers) for further details.
:::note
**Data Tier** option is not available for the customer with Flex.
:::
- 
-
-* **Index**. Type in any [Partitions](/docs/manage/partitions) you want to run the query against. When you click in the text area a list of available options is provided. Click an option to automatically fill in the value in the text area. You can continue to add additional Partitions if desired.
-
- 
-
-* **Filters**. Type in any [fields](/docs/manage/fields) you want to run the query against. Once you select a field you need to select a value for it. When you click in the text area and begin typing an autocomplete list begins to offer suggestions. Click a suggestion to automatically fill in the value in the text area. You can continue to add additional fields if desired.
-
- 
-
- * **Not option**: Once you have entered a filter you'll see a gray **no symbol** or **prohibition sign** to the left of the filter.
-
- 
+
- Click it to enable the filter as a NOT boolean, where the filter acts as an exclusion instead of inclusion. When enabled, the filter gets a border, and the no symbol changes to the color coral.
+* **Index**. Type in any [Partitions](/docs/manage/partitions) you want to run the query against. When you click in the text area a list of available options is provided. Click an option to automatically fill in the value in the text area. You can continue to add additional Partitions if desired.
+* **Filters**. Type in any [fields](/docs/manage/fields) you want to run the query against. Once you select a field you need to select a value for it. When you click in the text area and begin typing an autocomplete list begins to offer suggestions. Click a suggestion to automatically fill in the value in the text area. You can continue to add additional fields if desired.
- 
+ * **Not option**: Once you have entered a filter you'll see a gray **no symbol** or **prohibition sign** to the left of the filter.
-* **Keywords**. Type a [keyword search expression](../build-search/keyword-search-expressions.md) in the text area.
+ Click it to enable the filter as a NOT boolean, where the filter acts as an exclusion instead of inclusion. When enabled, the filter gets a border, and the no symbol changes to the color coral.
- 
+* **Keywords**. Type a [keyword search expression](../build-search/keyword-search-expressions.md) in the text area.
For details on all other Log Search page features, see [How to use the search page](/docs/search/get-started-with-search/search-page).
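Review bot: the nested `+ * **Not option**` item and its continuation `+ Click it to enable the filter as a NOT boolean...` are indented by a single space under `+* **Filters**`; in CommonMark/MDX a bullet indented less than the parent's content column (two spaces for `* `) renders as a sibling of **Filters**, and the continuation line becomes a separate top-level paragraph. Indent both lines by two spaces so they stay inside the **Filters** item, and keep the same fix in mind for the blank `+` line that now precedes `+* **Index**`, which should separate the list from the paragraph above rather than sit inside it.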
diff --git a/docs/search/get-started-with-search/search-page/set-messages-tab-preferences.md b/docs/search/get-started-with-search/search-page/set-messages-tab-preferences.md
index ff77fc2d04..9ef67a821d 100644
--- a/docs/search/get-started-with-search/search-page/set-messages-tab-preferences.md
+++ b/docs/search/get-started-with-search/search-page/set-messages-tab-preferences.md
@@ -12,13 +12,13 @@ You can change how messages are displayed on the **Messages** tab.
To set Messages tab preferences, do the following:
-1. In the **Messages** tab, click the Settings gear icon in the upper right.
1. Click **Display Message Preferences** to open the **Message Display Preferences** window.
1. You have the following options:
* **Sort by.** You can order messages by most recent or oldest.
* **View n messages per page**. You can set the number of messages per page to a value between 15 and 500.
* **Expand each message.** You can increase the number of lines that are displayed for each message. By default, this option is set to 10.
- * **Show Metadata Fields.** When selected, metadata field names are displayed below each log message.
* **Show URI-decoded format.** By default, UTF characters in JSON are automatically decoded. Toggle this off if you want to intentionally include these when viewing JSON log messages in the UI.
* **Dictionary Term Highlighting.** When selected, the terms "error" and "exception" are displayed in red text.
* **Recent Messages First / Oldest Messages First.** By default, **Recent Messages First** is selected, but if you'd prefer to view oldest log messages at the top of the Messages pane, select **Oldest Messages First**.
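Review bot: removing `1. In the **Messages** tab, click the Settings gear icon in the upper right.` leaves the procedure starting at "Click **Display Message Preferences**" with no indication of where that control lives. The hunk header keeps the line count at 13 before and after, so if the replacement line is the same step with the screenshot moved inline, fine; otherwise restore it. The same applies to the dropped `* **Show Metadata Fields.**` option: if that toggle still exists in the dialog, the option list is now incomplete, and if it was removed from the product the commit message should say so.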
diff --git a/docs/search/live-tail/about-live-tail.md b/docs/search/live-tail/about-live-tail.md
index 5bdb37ec41..a31542f4ed 100644
--- a/docs/search/live-tail/about-live-tail.md
+++ b/docs/search/live-tail/about-live-tail.md
@@ -4,6 +4,7 @@ title: About Live Tail
description: Sumo Logic Live Tail allows you to see a real-time live feed of log events for development and troubleshooting.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
Use Live Tail to see a real-time feed of log events associated with a Source or Collector. These live feeds can help you with development and troubleshooting.
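Review bot: this hunk grows the file by exactly one line, the `import useBaseUrl` statement, with `Use Live Tail to see...` as the next context line. MDX parses everything up to the next blank line as part of the import/export block, so the import must be followed by a blank line before the first paragraph or the page fails to compile; confirm one is there. The filter-live-tail and live-tail-cli hunks add both the import and an empty `+` line, which is the safe pattern; apply it here and in the other hunks below that add only the import or replace the blank line after the front matter with it (live-tail-highlighting, live-tail-preferences, live-tail-show-in-search, multiple-live-tails, first-last, values, parse-csv-formatted-logs, parse-keyvalue-formatted-logs, parse-predictable-patterns-using-an-anchor).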
@@ -27,7 +28,7 @@ Roles-Based Access Control permissions apply to all Live Tail queries.
The following image shows a Live Tail session for `_sourceCategory=Apache/Access`:
-
+
Live Tail features include [multiple](multiple-live-tails.md) Live Tail sessions, opening your Live Tail session in a [new "pop-out" window](multiple-live-tails.md), [highlighting](live-tail-highlighting.md) up to eight keywords in order to make searching easier, and changing the [preferences](live-tail-preferences.md) of your Live Tail display, including line spacing, message text size, and message color.
@@ -68,10 +69,7 @@ The **Run** button changes to **Running**, and log messages fill the screen.
### On the Search page
1. On the **Search** page, in the search box, enter a valid query for a Source Category, Source Host, Source Name, Source, or Collector with filters, if desired. (Live Tail will take everything before the first pipe, but search operators are not supported.)
-1. Click the three-dot kebab icon and click **Live Tail** from the provided options.
-
- 
-
+1. Click the three-dot kebab icon and click **Live Tail** from the provided options.
1. The **Live Tail** page opens, and the Live Tail session starts.
### Keyboard shortcut
diff --git a/docs/search/live-tail/filter-live-tail.md b/docs/search/live-tail/filter-live-tail.md
index 77b814b0f2..7d6919c3f6 100644
--- a/docs/search/live-tail/filter-live-tail.md
+++ b/docs/search/live-tail/filter-live-tail.md
@@ -4,6 +4,8 @@ title: Filter Live Tail
description: To find specific information, you can filter by keyword.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
To find specific logs, you can filter with keywords. You may use keywords after providing at least one metadata field to the Live Tail query and click Run or press Enter.
The search is rerun with the new keyword filter and added to incoming messages only. The screen clears, and new results automatically scroll.
@@ -35,7 +37,7 @@ In this example, we have started a Live Tail on the Source Host nite-index-1.
_sourceHost=nite-index-1
```
-
+
Next, we added a Source Category filter to the query. Here we're looking for the Source Category called "search".
@@ -43,7 +45,7 @@ Next, we added a Source Category filter to the query. Here we're looking for th
_sourceHost=nite-index-1 _sourceCategory=search
```
-
+
In this example, we will add some more keywords to the query, and a wildcard to a keyword.
@@ -51,7 +53,7 @@ In this example, we will add some more keywords to the query, and a wildcard to
_sourceHost=nite-index-1 (error or fail* or exception)
```
-
+
In a different example, we're looking for a different Source Host, Source Category, and filtered for log messages that do not include the keyword "info". This way, we know we're getting all of our warnings and errors.
@@ -59,4 +61,4 @@ In a different example, we're looking for a different Source Host, Source Catego
_sourceHost=nite-cqsplitter-1 _sourceCategory=cqsplitter !info
```
-
+
diff --git a/docs/search/live-tail/live-tail-cli.md b/docs/search/live-tail/live-tail-cli.md
index 2097de9624..0fba9a4404 100644
--- a/docs/search/live-tail/live-tail-cli.md
+++ b/docs/search/live-tail/live-tail-cli.md
@@ -4,6 +4,8 @@ title: Live Tail CLI
description: The Live Tail Command Line Interface (CLI) is a standalone application that allows you to start and use a Live Tail session from the command line.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The Live Tail Command Line Interface (CLI) is a standalone application that allows you to start and use a Live Tail session from the command line.
The Live Tail CLI supports the following operating systems:
@@ -33,7 +35,7 @@ The metadata field and filter must be enclosed in quotes.
1. Download your platform-specific binaries from [Releases](https://github.com/SumoLogic/livetail-cli/releases) to a location where you have read, write, and execute permissions.
1. In the command prompt, navigate to the directory where the files are saved.
1. Enter `./livetail -h`
-1. When you run livetail the first time you need to provide the [deployment](/docs/api/about-apis/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security) of the account and [access ID/key](/docs/manage/security/access-keys.md) to authenticate.
* A **config.json** file is created in the same directory as the livetail binary that stores this authentication information so you only need to enter your deployment, access ID, and access key once. But if you prefer to clear your access ID and access key and log in again each time, you can use the `-c` argument to clear them.
1. To start a Live Tail session with a filter, enter for example:
```bash
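Review bot: dropping `1. When you run livetail the first time you need to provide the [deployment] ... and [access ID/key] ... to authenticate.` orphans the indented bullet under it: "stores this authentication information" now has no antecedent, and the only sentence telling the reader that an access ID and key are required goes with it. That matters because the bullet that remains is the one explaining that those credentials are persisted in `config.json` next to the binary and can be cleared with `-c`; readers should see both halves. If the line is being replaced by the same text with an inline screenshot, fine; otherwise keep the step.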
diff --git a/docs/search/live-tail/live-tail-highlighting.md b/docs/search/live-tail/live-tail-highlighting.md
index 7816df4618..ea476f6f8b 100644
--- a/docs/search/live-tail/live-tail-highlighting.md
+++ b/docs/search/live-tail/live-tail-highlighting.md
@@ -4,7 +4,7 @@ title: Live Tail Highlighting
description: Highlight keywords that appear in your running Live Tail.
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
Your searches may lead you to focus on particular keywords in your log, and you can highlight these words in a running Live Tail session to make them more visible.
@@ -13,8 +13,8 @@ To highlight keywords in Live Tail:
1. Click the **A** button.
1. In the dialog that displays, enter a term to highlight. You can use single keywords or multi-term keywords separated by spaces.
-
+
The different keywords are then highlighted using different colors so that they are easy to find on the screen. You can highlight up to eight keywords.
-
+
\ No newline at end of file
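Review bot: `\ No newline at end of file` after the final `+` line shows the rewritten file still ends without a trailing newline; add one while the last line is being touched. The accum.md hunk further down ends the same way.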
diff --git a/docs/search/live-tail/live-tail-preferences.md b/docs/search/live-tail/live-tail-preferences.md
index 24477a069b..c09b1556a8 100644
--- a/docs/search/live-tail/live-tail-preferences.md
+++ b/docs/search/live-tail/live-tail-preferences.md
@@ -4,22 +4,13 @@ title: Live Tail Preferences
description: You can change the preferences for Live Tail line spacing, message text size, and message color.
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
Live Tail preferences allow you to change the appearance of line spacing, size of your message text, and your message color.
**To change Live Tail Preferences:**
-1. Select the Live Tail **details** icon (on the far right) and choose **Preferences** from the dropdown list.
-
- 
-
-1. From **Preferences**, change the **Line Spacing**, **Message Text**, or **Message Color**.
-
- 
-
-1. Optional: Toggle **Replace the following control characters** option to **ON**, to render /r and /n as new lines and /t as a tab.
-
- 
-
+1. Select the Live Tail **details** icon (on the far right) and choose **Preferences** from the dropdown list.
+1. From **Preferences**, change the **Line Spacing**, **Message Text**, or **Message Color**.
+1. Optional: Toggle **Replace the following control characters** option to **ON**, to render /r and /n as new lines and /t as a tab.
1. Click **OK** to save the settings.
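Review bot: the re-added step `+1. Optional: Toggle **Replace the following control characters** option to **ON**, to render /r and /n as new lines and /t as a tab.` writes the control characters with forward slashes; they are `\r`, `\n` and `\t`. Since the line is being rewritten anyway, correct them and wrap each in backticks so MDX does not treat the backslashes as escapes. "new lines" should also be "newlines".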
diff --git a/docs/search/live-tail/live-tail-show-in-search.md b/docs/search/live-tail/live-tail-show-in-search.md
index 13339f1c4c..dce42ad580 100644
--- a/docs/search/live-tail/live-tail-show-in-search.md
+++ b/docs/search/live-tail/live-tail-show-in-search.md
@@ -4,14 +4,12 @@ title: Show Live Tail in Search
description: Start a Live Tail session from the Search page or the Live Tail page.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
Just as you can start a Live Tail session from the Search page, you can also start a search from the Live Tail page.
Start a search from Live Tail:
1. On the **Live Tail** page, in the search box, enter a valid query with filters, if desired.
-1. From the menu, select **Show in Search**.
-
- 
-
+1. From the menu, select **Show in Search**.
1. The **Search** page opens, and your search runs automatically.
diff --git a/docs/search/live-tail/multiple-live-tails.md b/docs/search/live-tail/multiple-live-tails.md
index 88be7d0da0..e7ae9d5728 100644
--- a/docs/search/live-tail/multiple-live-tails.md
+++ b/docs/search/live-tail/multiple-live-tails.md
@@ -4,14 +4,15 @@ title: Multiple Live Tails
description: You can run two Live Tail sessions at a time per browser tab.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
Sumo Logic Live Tail supports running two Live Tail sessions at a time per tab. You can start a second Live Tail session from the Live Tail page, or from the Search page.
## Split the Screen with a second Live Tail session
-1. From the **Live Tail** page, click the menu button consisting of three vertical dots and select **Split Screen**.
## Start up to four Live Tail sessions
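Review bot: the only step under `## Split the Screen with a second Live Tail session`, `1. From the **Live Tail** page, click the menu button consisting of three vertical dots and select **Split Screen**.`, is removed and nothing visible replaces it, leaving that heading directly followed by `## Start up to four Live Tail sessions`. The hunk header (14 lines to 15, with the import accounting for one added line) implies a replacement line exists; confirm it still carries the instruction and not only the screenshot.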
diff --git a/docs/search/lookup-tables/manage-update-lookup-tables.md b/docs/search/lookup-tables/manage-update-lookup-tables.md
index 1c70253be8..19e8f57198 100644
--- a/docs/search/lookup-tables/manage-update-lookup-tables.md
+++ b/docs/search/lookup-tables/manage-update-lookup-tables.md
@@ -39,7 +39,7 @@ For example: `username,IPAddress,region`
1. Go to your **Library**.
1. Mouse over the lookup table you want to view, and select **Edit** from the three-dot kebab menu.
-1. The edit page for the lookup table appears.
1. Click **Merge Data**.
1. The **Merge Lookup Data** popup appears.
1. Click **Upload**.
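Review bot: `1. The edit page for the lookup table appears.` is removed between `select **Edit** from the three-dot kebab menu` and `Click **Merge Data**` with no visible replacement in this hunk; the header keeps the count at 7 lines, so the replacement is presumably the same step with an inline screenshot. Verify the step text survived, here and in the two identical hunks for **Replace Data** and **Delete Data** below, so the reader is still told where those buttons appear.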
@@ -60,7 +60,7 @@ For a field that is configured to be boolean, make sure that the field value is
1. Go to your **Library**.
1. Mouse over the lookup table you want to view, and select **Edit** from the three-dot kebab menu.
-1. The edit page for the lookup table appears.
1. Click **Replace Data**.
1. The **Replace All Lookup Data** popup appears.
1. Click **Upload**.
@@ -75,7 +75,7 @@ Follow the steps below to delete all of the contents of a lookup table:
1. Go to your **Library**.
1. Mouse over the lookup table you want to delete, and select **Edit** from the three-dot kebab menu.
-1. The edit page for the lookup table appears.
1. Click **Delete Data.**
1. You are prompted to confirm that you want to delete the contents of the lookup file.
1. Enter `Delete`, and click **Delete**.
diff --git a/docs/search/optimize-search-partitions.md b/docs/search/optimize-search-partitions.md
index c674e5296a..96162e1c15 100644
--- a/docs/search/optimize-search-partitions.md
+++ b/docs/search/optimize-search-partitions.md
@@ -4,6 +4,8 @@ title: Optimize Your Search with Partitions
sidebar_label: Optimize Search with Partitions
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
## What is a Partition?
A partition stores your data in an index separate from the rest of your account's data so you can optimize searches, [manage variable retention](/docs/manage/partitions/manage-indexes-variable-retention), and specify certain [data to forward to S3 or GCS](/docs/manage/data-forwarding/forward-data-from-sumologic).
@@ -12,7 +14,7 @@ Partitions route your data to an index becoming a separate subset of data in you
This example shows a customer that created three additional Partitions to separate data by environment.
-
+
Consider the following queries:
@@ -80,7 +82,7 @@ As an Admin, you create Partitions by specifying their routing expression. We re
The following example shows the routing expression for the three custom Partitions:
-
+
Here are simple steps to [create a Partition](/docs/manage/partitions/data-tiers/create-edit-partition/) named Dev:
1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Partitions**. You can also click the **Go To...** menu at the top of the screen and select **Partitions**.
## Best Practices when using Partitions
diff --git a/docs/search/search-query-language/group-aggregate-operators/avg.md b/docs/search/search-query-language/group-aggregate-operators/avg.md
index ed1cf58b66..46d5bbe7cc 100644
--- a/docs/search/search-query-language/group-aggregate-operators/avg.md
+++ b/docs/search/search-query-language/group-aggregate-operators/avg.md
@@ -4,6 +4,8 @@ title: avg Grouping Operator
sidebar_label: avg
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The averaging function (`avg`) calculates the average value of the numerical field being evaluated within the time range analyzed.
## Syntax
@@ -32,7 +34,7 @@ An example snippet from a log would like this: `time taken: 21 ms,` where the va
The average operator would calculate against all parsed values and return the average, which would be returned in the **Aggregates** tab as a number, such as 50.
-
+
### Use Aggregate in Query
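Review bot: the context sentence in the hunk header, `An example snippet from a log would like this:`, is missing its verb (`would look like this:`); worth fixing while this file is open.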
diff --git a/docs/search/search-query-language/group-aggregate-operators/first-last.md b/docs/search/search-query-language/group-aggregate-operators/first-last.md
index c54cdb5807..9fc1ce7710 100644
--- a/docs/search/search-query-language/group-aggregate-operators/first-last.md
+++ b/docs/search/search-query-language/group-aggregate-operators/first-last.md
@@ -4,12 +4,13 @@ title: first, last Grouping Operators
sidebar_label: first, last
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
The `first` and `last` operators return the first or last result relative to the sort order. By default, searches return results in descending chronological order (most recent descending to oldest).
For example, the following image shows a few results in the default sort order. The `#` column starts at one, and the `Time` values start with the most recent.
-
+
* The `first` result is indicated with the `#` value of 1. This `first` result has the most recent `Time`.
* The `last` result is indicated with the `#` value of 5. This `last` result has the oldest `Time`.
diff --git a/docs/search/search-query-language/group-aggregate-operators/median.md b/docs/search/search-query-language/group-aggregate-operators/median.md
index db737d96fa..2384d9c401 100644
--- a/docs/search/search-query-language/group-aggregate-operators/median.md
+++ b/docs/search/search-query-language/group-aggregate-operators/median.md
@@ -4,6 +4,8 @@ title: median Grouping Operator
sidebar_label: median
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
In order to calculate the median value for a particular field, you can utilize the [`pct` (percentile) operator](/docs/search/search-query-language/group-aggregate-operators/pct-percentile) with a percentile argument of 50.
## Syntax
@@ -34,4 +36,4 @@ To calculate the median value of a field called `"Len: *"` as seconds, and then
Which would return results similar to:
-
+
diff --git a/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent.md b/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent.md
index 7c3fa99b37..793eeb8396 100644
--- a/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent.md
+++ b/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent.md
@@ -4,6 +4,8 @@ title: most_recent, least_recent Grouping Operators
sidebar_label: most_recent, least_recent
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `most_recent` and `least_recent` operators, used with the `withtime` operator, are aggregate operators that allow you to select the most recent or least recent value within a group.
The `withtime` operator is given a field and creates a JSON object with the field's value and its timestamp in milliseconds. A field is created with the format `x_withtime` that appears as part of your search results. Then the `most_recent` and `least_recent` operators are used to order your data referencing the `x_withtime` field.
@@ -43,4 +45,4 @@ Say we would like to keep an eye on visitors that hit our site from different co
produces results like:
-
+
diff --git a/docs/search/search-query-language/group-aggregate-operators/stddev.md b/docs/search/search-query-language/group-aggregate-operators/stddev.md
index ba38b70786..e79abfd4d9 100644
--- a/docs/search/search-query-language/group-aggregate-operators/stddev.md
+++ b/docs/search/search-query-language/group-aggregate-operators/stddev.md
@@ -4,6 +4,8 @@ title: stddev Grouping Operator
sidebar_label: stddev
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
Finds the standard deviation value for a distribution of numerical values within the time range analyzed and associated with a group designated by the "group by" field.
## Syntax
@@ -27,7 +29,7 @@ _source=CollectD
| min(delt), max(delt), avg(delt), stddev(delt), count(*) by _collector, _sourceName
```
-
+
When you calculate the standard deviation of more than one field, you must create an alias using the [`as` operator](/docs/search/search-query-language/search-operators/as) to rename the `stddev` fields. See this example:
diff --git a/docs/search/search-query-language/group-aggregate-operators/values.md b/docs/search/search-query-language/group-aggregate-operators/values.md
index d3a1194c4e..dd43607ee2 100644
--- a/docs/search/search-query-language/group-aggregate-operators/values.md
+++ b/docs/search/search-query-language/group-aggregate-operators/values.md
@@ -4,6 +4,7 @@ title: values Grouping Operator
sidebar_label: values
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
The `values` operator provides all the distinct values of a field. This allows you to quickly identify and understand all the values a field has in your data. Additionally, you have the option to group by other fields of interest.
@@ -24,7 +25,8 @@ The response field separates each value with a new line character and places
This is an example of a response field with IP addresses:
-
+
### Limitation
diff --git a/docs/search/search-query-language/parse-operators/parse-csv-formatted-logs.md b/docs/search/search-query-language/parse-operators/parse-csv-formatted-logs.md
index 3c49e63ff3..30b9785667 100644
--- a/docs/search/search-query-language/parse-operators/parse-csv-formatted-logs.md
+++ b/docs/search/search-query-language/parse-operators/parse-csv-formatted-logs.md
@@ -3,7 +3,7 @@ id: parse-csv-formatted-logs
title: Parse CSV Formatted Logs
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
The **CSV** operator allows you to parse CSV (Comma Separated Values) formatted log entries. It uses a comma as the default delimiter.
@@ -48,7 +48,7 @@ _sourceCategory=csv
which provides results like:
-
+
### Parse a stream query and extract search terms
@@ -60,6 +60,6 @@ which provides results like:
This produces results like:
-
+
For more information on parsing CSV files, see [Lookup](/docs/search/search-query-language/search-operators/lookup-classic) operator and [Save](/docs/search/search-query-language/search-operators/save-classic) operator.
diff --git a/docs/search/search-query-language/parse-operators/parse-delimited-logs-using-split.md b/docs/search/search-query-language/parse-operators/parse-delimited-logs-using-split.md
index 8f312b9b53..5fe156eff7 100644
--- a/docs/search/search-query-language/parse-operators/parse-delimited-logs-using-split.md
+++ b/docs/search/search-query-language/parse-operators/parse-delimited-logs-using-split.md
@@ -3,6 +3,8 @@ id: parse-delimited-logs-using-split
title: Parse Delimited Logs Using Split
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The **`split`** operator allows you to split strings into multiple strings, and parse delimited log entries, such as space-delimited formats.
To parse log entries from CSV files, you can use the simpler [CSV operator](parse-csv-formatted-logs.md).
@@ -54,7 +56,7 @@ _sourceCategory=colon
which produces results such as:
-
+
In another example, you'd use the following query:
@@ -65,7 +67,7 @@ _sourceCategory=colon
which provides results like:
-
+
### Parsing a CSV file
@@ -78,7 +80,7 @@ _sourceCategory=csv
which produces results such as:
-
+
### Parsing a tab delimited file
@@ -93,7 +95,7 @@ _sourceCategory=sumo/zscaler
which produces this result:
-
+
Alternatively, you can use the parse operator to extract fields from a tab delimited log file. The following query produces the same result as the previous query.
diff --git a/docs/search/search-query-language/parse-operators/parse-json-formatted-logs.md b/docs/search/search-query-language/parse-operators/parse-json-formatted-logs.md
index d995786efe..99e9dec8eb 100644
--- a/docs/search/search-query-language/parse-operators/parse-json-formatted-logs.md
+++ b/docs/search/search-query-language/parse-operators/parse-json-formatted-logs.md
@@ -99,7 +99,7 @@ _index=audit_events
produces results like:
-
+
## Extracting multiple fields
@@ -113,7 +113,7 @@ _index=audit_events
produces these results:
-
+
In addition, you can assign names to fields that differ from their original key names. To use `aID` instead of `accountId` and `eName` instead of `eventName`, you'd use the `as` option like this:
@@ -123,7 +123,7 @@ _index=sumologic_audit_events | json "accountId", "eventName" as aID, eName | fi
which gives you these results:
-
+
## Extracting a nested key
@@ -149,7 +149,7 @@ It returns a list of the values in the array: `["2014-03-10T23:...", ""2014-03-1
like this:
-
+
To refer to one specific entry in the array, provide the array's index:
@@ -166,7 +166,7 @@ _sourceCategory=O365* | json "Actor[0].Type" as Actortype0 | json "Actor[1].Type
The result of the query would look like this:
-
+
## Using the nodrop option
@@ -180,14 +180,14 @@ By default, the JSON operator optimizes results by dropping messages that do not
You can use wildcard (\*) to access the array elements in a JSON. For example, you can access Actor Type from an O365 JSON message using wildcard.
-
+
`_sourceCategory=O365*
| json "Actor[*].Type" as Actortype`
The result of the query would look like this:
-
+
Next, if required, you can use the array elements to perform additional operations. For example, you can find the max of Type for a CreationTime and Id using this query:
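Review bot: the wildcard example in the context lines directly under the replaced image, `` `_sourceCategory=O365* `` followed by `` | json "Actor[*].Type" as Actortype` `` on the next line, is wrapped in inline backticks spanning two lines, unlike every other query on the page, which sits in a fenced block. While the screenshots here are being replaced, convert it to a fenced code block so the pipe-continuation line renders as part of the query.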
@@ -201,7 +201,7 @@ _sourceCategory=O365*
The result would look like this:
-
+
## JSON auto option
@@ -382,10 +382,7 @@ With the **extractarrays** option, **json auto** yields these field-value pa
Sumo Logic can generate the parse expression for a specific JSON key for you. The option is available when viewing your JSON logs in the **Messages** tab of your Search.
1. Right-click the key you want to parse and a menu will appear.
-1. Click **Parse selected key**.
-
- 
-
+1. Click **Parse selected key**.
1. In the query text box, where ever your cursor was last placed, a new parse JSON operation is added that will parse the selected key. For example, `| json field=_raw "_BOOT_ID"`.
## Search warning
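Review bot: the re-added `+1. Click **Parse selected key**.` is identical to the removed line, so the visible effect of this hunk is only that the indented screenshot block after it disappears; if the image is meant to be inline on the step, check that it actually made it into the `+` line. The next step also reads `where ever your cursor was last placed`; that should be `wherever`.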
@@ -394,7 +391,7 @@ Sumo Logic can generate the parse expression for a specific JSON key for you. Th
By default the JSON operator optimizes results by dropping messages that do not have the fields or keys specified in your query or if the JSON is invalid. When a message is dropped the user interface provides a warning message:
-
+
This is only a warning message to inform you that at least one log returned in the scope of the query did not have a specified key.
diff --git a/docs/search/search-query-language/parse-operators/parse-keyvalue-formatted-logs.md b/docs/search/search-query-language/parse-operators/parse-keyvalue-formatted-logs.md
index 3cb0053ad9..9f20eb3554 100644
--- a/docs/search/search-query-language/parse-operators/parse-keyvalue-formatted-logs.md
+++ b/docs/search/search-query-language/parse-operators/parse-keyvalue-formatted-logs.md
@@ -3,12 +3,13 @@ id: parse-keyvalue-formatted-logs
title: Parse Keyvalue Formatted Logs
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
Typically, log files contain information that follow a key-value pair structure. The keyvalue operator allows you to get values from a log message by specifying the key paired with each value.
For example, a log could contain the following keys (highlighted):
-
+
From that log message, you can use the **keyvalue** operator to get the values for one or more keys. For example, if you'd like to see information just about the "remote_ip" value, running this query:
@@ -16,7 +17,7 @@ From that log message, you can use the **keyvalue** operator to get the values
would produce these results:
-
+
The keyvalue operator can also be used in two explicit modes:
@@ -37,7 +38,7 @@ For example, you'd extract the keys "module" and "thread" and their values from
to produce these results:
-
+
## Regular Expression mode syntax
diff --git a/docs/search/search-query-language/parse-operators/parse-predictable-patterns-using-an-anchor.md b/docs/search/search-query-language/parse-operators/parse-predictable-patterns-using-an-anchor.md
index a94e40a5e4..47f5df5636 100644
--- a/docs/search/search-query-language/parse-operators/parse-predictable-patterns-using-an-anchor.md
+++ b/docs/search/search-query-language/parse-operators/parse-predictable-patterns-using-an-anchor.md
@@ -3,7 +3,7 @@ id: parse-predictable-patterns-using-an-anchor
title: Parse Predictable Patterns Using an Anchor
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
The parse operator (also called the parse anchor) parses strings according to specified start and stop anchors, and then labels them as fields for use in subsequent aggregation functions in the query such as sorting, grouping, or other functions.
@@ -37,33 +37,14 @@ You can use the parse anchor UI tool to highlight the message text to parse, id
1. Run a search.
1. In the search results, find a message with the text you want to parse.
-1. Highlight the text, right-click, and select **Parse the selected text**.
-
- 
-
- The **Parse Text** dialog box opens and displays the text you highlighted.
-
- 
-
-1. Select the text for the first parsing field, and click **Click to extract this value**. The text you highlighted is replaced by an asterisk (\*).
-
- 
-
-1. Enter a name (no spaces) for the parsing field in the **Fields** area.
-
- 
-
-1. If you want to parse additional fields, add a comma after the field name, and repeat the parsing action. The following screenshot shows three parsed fields: **method**, **ip**, and **port** (in that order). Notice that the three fields correspond to the three asterisks in the parse text.
-
- 
-
-1. Click **Submit**. The query is updated with the parse operation you constructed.
-
- 
-
-1. Click **Start** to display the search results, which now show the parsed message.
-
- 
+1. Highlight the text, right-click, and select **Parse the selected text**.
+
+ The **Parse Text** dialog box opens and displays the text you highlighted.
+1. Select the text for the first parsing field, and click **Click to extract this value**. The text you highlighted is replaced by an asterisk (\*).
+1. Enter a name (no spaces) for the parsing field in the **Fields** area.
+1. If you want to parse additional fields, add a comma after the field name, and repeat the parsing action. The following screenshot shows three parsed fields: **method**, **ip**, and **port** (in that order). Notice that the three fields correspond to the three asterisks in the parse text.
+1. Click **Submit**. The query is updated with the parse operation you constructed.
+1. Click **Start** to display the search results, which now show the parsed message.
## Examples
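Review bot: the step `+1. If you want to parse additional fields ...` still says `The following screenshot shows three parsed fields: **method**, **ip**, and **port**`, but the screenshot lines that used to follow every step in this list are removed and no image is visible after that `+` line; either the inline image belongs on that line or the sentence needs rewording. Separately, the continuation paragraph `+ The **Parse Text** dialog box opens and displays the text you highlighted.` is indented by a single space after a blank line; inside a `1. ` list it needs three spaces of indentation to remain part of the "Highlight the text" step, otherwise it closes the list and the following `1.` items start a new list numbered from 1.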
diff --git a/docs/search/search-query-language/parse-operators/parse-variable-patterns-using-regex.md b/docs/search/search-query-language/parse-operators/parse-variable-patterns-using-regex.md
index 0d0f6345b3..44a5235a96 100644
--- a/docs/search/search-query-language/parse-operators/parse-variable-patterns-using-regex.md
+++ b/docs/search/search-query-language/parse-operators/parse-variable-patterns-using-regex.md
@@ -4,6 +4,8 @@ title: Parse Variable Patterns Using Regex
description: The Parse Regex operator enables you to extract nested fields and other complex data from log lines.
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The Parse Regex operator (also called the `extract` operator) enables users comfortable with regular expression syntax to extract more complex data from log lines. Parse regex can be used, for example, to extract nested fields.
User added fields, such as extracted or parsed fields, can be named using alphanumeric characters as well as underscores (`_`). They must start and end with an alphanumeric character.
@@ -132,7 +134,7 @@ _sourceCategory=aws/vpc
The output looks like:
-
+
### Case insensitive parse regex
diff --git a/docs/search/search-query-language/parse-operators/parsehex.md b/docs/search/search-query-language/parse-operators/parsehex.md
index fbf7296a15..e023f3aff0 100644
--- a/docs/search/search-query-language/parse-operators/parsehex.md
+++ b/docs/search/search-query-language/parse-operators/parsehex.md
@@ -3,6 +3,8 @@ id: parsehex
title: parseHex
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The parseHex operator allows you to convert a hexadecimal string of 16 or fewer characters to a number.
@@ -27,4 +29,4 @@ The following query will convert a hexadecimal string to a decimal number.
It provides the following results:
-
+
diff --git a/docs/search/search-query-language/search-operators/accum.md b/docs/search/search-query-language/search-operators/accum.md
index 758a4d6644..891f99524e 100644
--- a/docs/search/search-query-language/search-operators/accum.md
+++ b/docs/search/search-query-language/search-operators/accum.md
@@ -4,6 +4,8 @@ title: accum Search Operator
sidebar_label: accum
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `accum` operator calculates the cumulative sum of a field. It can be used to find a count by a specific time interval and can be used to find a total running count across all intervals.
## Syntax
@@ -36,7 +38,7 @@ _sourceCategory=IIS/Access (Wyatt OR Luke)
produces results of a running total of all requests, similar to:
-
+
### Running total by user name
@@ -54,4 +56,4 @@ _sourceCategory=IIS/Access (Wyatt OR Luke)
produces results of a running total for each user's requests, similar to:
-
+
\ No newline at end of file
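Review bot: the `\ No newline at end of file` marker survives on the `+` side, so this hunk leaves accum.md still ending without a trailing newline; since the last line is being touched anyway, terminate it with a newline so future diffs of this file stay clean. The same applies to the final hunks of fillmissing.md, geoip.md, hash.md, in.md, ipv4tonumber.md and lookup-classic.md, which also carry the marker after their `+` line.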
diff --git a/docs/search/search-query-language/search-operators/as.md b/docs/search/search-query-language/search-operators/as.md
index 8ba8f0d404..52c1bbba3a 100644
--- a/docs/search/search-query-language/search-operators/as.md
+++ b/docs/search/search-query-language/search-operators/as.md
@@ -4,6 +4,8 @@ title: as Search Operator
sidebar_label: as
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `as` operator is typically used in conjunction with other operators, but it can also be used alone to rename fields or to create new constant fields.
## Syntax
@@ -43,7 +45,7 @@ _sourceCategory=Apache/Access
Would provide results like:
-
+
### Create a New Constant Field
@@ -56,7 +58,7 @@ _sourceCategory=Apache/Access
This statement “hardcodes" the value of `127.10.10.1` to the variable `src_ip`, for all the messages returned, as shown:
-
+
In this example, you will create a new field (`test_src_ip`) and seed it with a constant (`127.10.10.1`):
@@ -68,7 +70,7 @@ _sourceCategory=Apache/Access
Which provides the following results:
-
+
### Use As in Conjunction with Other Operators
@@ -84,7 +86,7 @@ _sourceCategory=Apache/Access
Which provides the following results:
-
+
In this next example, you will use `as` after a parse, to name the variable in the pattern `"\* - - "` as `src_ip`:
diff --git a/docs/search/search-query-language/search-operators/backshift.md b/docs/search/search-query-language/search-operators/backshift.md
index 95c3607f01..d1673f206d 100644
--- a/docs/search/search-query-language/search-operators/backshift.md
+++ b/docs/search/search-query-language/search-operators/backshift.md
@@ -4,6 +4,8 @@ title: backshift Search Operator
sidebar_label: backshift
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `backshift` operator helps you compare values as they change over time. It simply shifts the data points it is given and returns them in your results in a new field.
The backshift operator can be used with [rollingstd](/docs/search/search-query-language/search-operators/rollingstd), [smooth](/docs/search/search-query-language/search-operators/smooth), or any other operators whose results could be affected by spikes of data (where a spike could possibly throw off future results).
@@ -40,8 +42,8 @@ _sourceCategory=Labs/Apache/Access
produces results like:
-
+
Then you can visualize the results as an area chart.
-
+
diff --git a/docs/search/search-query-language/search-operators/bin.md b/docs/search/search-query-language/search-operators/bin.md
index 25e86c3782..151389e714 100644
--- a/docs/search/search-query-language/search-operators/bin.md
+++ b/docs/search/search-query-language/search-operators/bin.md
@@ -4,6 +4,8 @@ title: bin Search Operator
sidebar_label: bin
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `bin` operator assigns output results to user defined bins. A bin is configured to hold a range of values that can be used for sorting results in a histogram and further aggregation. It is a quick and effective way to visualize the distribution of data.
## Syntax
@@ -45,7 +47,7 @@ _sourceCategory=stream error
| sort by _bin_lower
```
-
+
### Latency distribution
@@ -68,4 +70,4 @@ _sourceCategory=analytics
| sort by _bin_upper
```
-
+
diff --git a/docs/search/search-query-language/search-operators/compare.md b/docs/search/search-query-language/search-operators/compare.md
index 2e817c255a..13feeffda3 100644
--- a/docs/search/search-query-language/search-operators/compare.md
+++ b/docs/search/search-query-language/search-operators/compare.md
@@ -4,6 +4,8 @@ title: compare Search Operator
sidebar_label: compare
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `compare` operator can be used with the [**Time Compare**](/docs/search/time-compare) button in the Sumo interface, which automatically generates the appropriate syntax and adds it to your aggregate query. The following information can also be found documented in Time Compare.
You can use `compare` to:
@@ -41,7 +43,7 @@ The following query returns data from the present, along with results from yeste
This comparison can be displayed visually as:
-
+
In another example, this query returns data from the present along with results from last week.
@@ -65,7 +67,7 @@ The following query returns results from the present, along with results from ev
Which can be displayed visually as:
-
+
The following query returns result from the present with results from the same day in the last 3 weeks. So if today is Monday, then this query will show a result for today and the last three Mondays.
@@ -89,7 +91,7 @@ The following query returns results from the present along with the average of t
Which can be displayed visually as:
-
+
Other examples:
@@ -167,11 +169,11 @@ error
The query returns results from both today and two days ago, with each day in its separate column. Today's results are represented by `_count`.
-
+
Create a line chart to visualize the results.
-
+
Using the multiple comparison feature, you can compare the number of logs against every ten minutes of the past hour:
@@ -184,11 +186,11 @@ _sourceHost = prod
Each ten-minute period produces its own column in the output table:
-
+
Create a line chart to visualize the results.
-
+
Alternatively, you can compare against the average of all the ten minute periods:
@@ -199,11 +201,11 @@ _sourceHost = prod
| compare timeshift 10m 5 avg
```
-
+
Create a line chart to visualize the results.
-
+
### Compare categorical data parsed from logs
@@ -218,11 +220,11 @@ Use compare to analyze the change in delays on different `_sourceHost`s using pa
This example computes the average delay per `_sourceHost`, and compares with results from 30 minutes ago.
-
+
These results would create a line chart such as the following.
-
+
### Compare after a Transpose operation
diff --git a/docs/search/search-query-language/search-operators/dedup.md b/docs/search/search-query-language/search-operators/dedup.md
index 352e90ab91..a624fbbf5f 100644
--- a/docs/search/search-query-language/search-operators/dedup.md
+++ b/docs/search/search-query-language/search-operators/dedup.md
@@ -4,6 +4,8 @@ title: dedup Search Operator
sidebar_label: dedup
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `dedup` operator removes duplicate results. You have the option to remove consecutively and by specific fields. This allows you to filter your results to identify the most recent or last few events based on an identical combination of results.
For example, to find the most recent value of services you'd use the following operation: `| dedup 1 by service`.
@@ -82,7 +84,7 @@ The following examples use this sample data.
Returns the most recent record for each country:
-
+
### Keep the first 3 duplicate results
@@ -94,7 +96,7 @@ For search results that have the same country value, keep the first three that o
Returns the following results:
-
+
### Keep results with same combination of values in multiple fields
@@ -106,7 +108,7 @@ For search results that have the same country AND continent values, keep the fir
Returns the following results:
-
+
### Remove only consecutive duplicate events
@@ -118,4 +120,4 @@ Remove only consecutive duplicate events. Keep non-consecutive duplicate events.
Returns the following results:
-
+
diff --git a/docs/search/search-query-language/search-operators/diff.md b/docs/search/search-query-language/search-operators/diff.md
index 45f91d0dd4..70cea28c6a 100644
--- a/docs/search/search-query-language/search-operators/diff.md
+++ b/docs/search/search-query-language/search-operators/diff.md
@@ -4,6 +4,8 @@ title: diff Search Operator
sidebar_label: diff
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `diff` operator calculates the rate of change in a field between consecutive rows. To produce results, `diff` requires that a specified field contain numeric data; any non-numerical values are removed from the search results.
Diff does not sort data but instead operates on rows in the order that they appear in the input stream, subtracting the number in a field from the number in the same field in the previous line.
@@ -42,7 +44,7 @@ Using `diff` with `timeslice`, you can run a query similar to:
to produce results similar to:
-
+
Note that there is no value for diff_bytes in line 1, as expected.
diff --git a/docs/search/search-query-language/search-operators/fields.md b/docs/search/search-query-language/search-operators/fields.md
index aacb5af740..034ae1418a 100644
--- a/docs/search/search-query-language/search-operators/fields.md
+++ b/docs/search/search-query-language/search-operators/fields.md
@@ -4,6 +4,8 @@ title: fields Search Operator
sidebar_label: fields
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `fields` operator allows you to specify which fields to display and their order in the results of a query. Use a fields operator to reduce the "clutter" of a search output that contains fields that aren't completely relevant to your query.
There are two fields operator modes:
@@ -30,7 +32,7 @@ _sourceCategory=Apache/Access
The search results would look like this:
-
+
Allowlist queries allow all system internal fields (fields prefixed with an underscore "_") to pass.
@@ -72,7 +74,7 @@ _sourceCategory=Apache/Access
The search results would look like this:
-
+
While the same query with an added *count by* statement to make it an aggregate query:
@@ -86,7 +88,7 @@ _sourceCategory=Apache/Access
This would provide the following results:
-
+
## Use a Field Name that Contains Spaces or Special Characters
diff --git a/docs/search/search-query-language/search-operators/fillmissing.md b/docs/search/search-query-language/search-operators/fillmissing.md
index f2644e0b5d..e6f52a86f8 100644
--- a/docs/search/search-query-language/search-operators/fillmissing.md
+++ b/docs/search/search-query-language/search-operators/fillmissing.md
@@ -4,6 +4,8 @@ title: fillmissing Search Operator
sidebar_label: fillmissing
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
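Review bot: the new `import useBaseUrl` is separated from the existing `import Tabs` / `import TabItem` lines by a blank line, which splits what should be one contiguous import block; drop the added blank line here so the three imports sit together, matching the layout the other files in this patch use (import block, one blank line, then the body).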
@@ -123,7 +125,7 @@ login
| sort by _timeslice
```
-
+
### Multiple generators and transpose
@@ -219,7 +221,7 @@ login
| transpose row _timeslice column type
```
-
+
\ No newline at end of file
diff --git a/docs/search/search-query-language/search-operators/format.md b/docs/search/search-query-language/search-operators/format.md
index c384c7f574..8f6861d760 100644
--- a/docs/search/search-query-language/search-operators/format.md
+++ b/docs/search/search-query-language/search-operators/format.md
@@ -4,6 +4,8 @@ title: format Search Operator
sidebar_label: format
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `format` operator allows you to format and combine data from parsed fields. Numbers, strings, and dates can be formatted into a user-defined string. This allows data in logs, such as dates or currency amounts, to be formatted as human readable, when otherwise it would be hard to decipher.
The [`concat`](concat.md) operator is a simpler version of the Format operator, and may be used instead for simpler use cases.
@@ -40,7 +42,7 @@ error
which results in:
-
+
### Format numbers
diff --git a/docs/search/search-query-language/search-operators/formatdate.md b/docs/search/search-query-language/search-operators/formatdate.md
index ad36b3f22b..ceadf35768 100644
--- a/docs/search/search-query-language/search-operators/formatdate.md
+++ b/docs/search/search-query-language/search-operators/formatdate.md
@@ -4,6 +4,8 @@ title: formatDate Search Operator
sidebar_label: formatDate
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `formatDate` operator allows you to format dates in log files as a string in the format you require, such as U.S. date formatting, European formatting, and timestamps.
:::note
@@ -42,7 +44,7 @@ Use the following query to return results for the current date using the date fo
This creates the today column, and returns the following results.
-
+
### European date format dd-MM-yyyy
@@ -54,7 +56,7 @@ Use the following query to create a **today** column, and return the results u
This returns the following results:
-
+
### US date format with a timestamp
@@ -66,7 +68,7 @@ This example creates a **today** column and uses the US date format with a tim
Which returns results like:
-
+
### Find messages with incorrect timestamps
@@ -81,7 +83,7 @@ This query allows you to find messages with incorrect timestamps.
This query produces results like this:
-
+
### Determine age of log messages
@@ -97,7 +99,7 @@ This query lets you determine the age of your log messages.
Which produces results like this:
-
+
### Messages by Day of the Week
diff --git a/docs/search/search-query-language/search-operators/geo-lookup-map.md b/docs/search/search-query-language/search-operators/geo-lookup-map.md
index 5438dad69a..f8d4a9b309 100644
--- a/docs/search/search-query-language/search-operators/geo-lookup-map.md
+++ b/docs/search/search-query-language/search-operators/geo-lookup-map.md
@@ -4,6 +4,8 @@ title: Geo Lookup (Map) Search Operator
sidebar_label: Geo Lookup (Map)
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
Sumo Logic can match a [parsed](/docs/search/search-query-language/parse-operators) IPv4 or IPv6 address to its geographical location on a map. To create the map the lookup operator matches parsed IP addresses to their physical location based on the latitude and longitude of where the addresses originated. The precision for latitude and longitude degrees is up to five decimal places.
Any IP addresses that do not have a location, such as internal addresses, will return null values.
@@ -76,26 +78,18 @@ Using logs that match the example log format, running a query like this:
would produce the following results:
-
+
### View map of Geo Lookup results
Enter a query that parses the IP field from your logs, a **lookup** operator to match IP addresses to a lookup table, and then the geolocation fields you’d like to use to chart each IP address.
-1. By default, results display as a table:
-
- 
-
-1. Click the **Map** icon in the **Aggregates** tab. The map displays:
-
- 
-
+1. By default, results display as a table:
+1. Click the **Map** icon in the **Aggregates** tab. The map displays:
1. (Optional) Click **Add to Dashboard** to create a new Dashboard or add the map to an existing Dashboard. After adding a map to a Dashboard you will still be able to zoom in and drill down on the data.
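Review bot: removing the blank lines and the indented image lines between the steps turns this loose numbered list into a tight one, so the screenshots now render inline right after the step text instead of as their own paragraph under each step, and the spacing between items disappears; confirm that this is the intended layout rather than an accidental side effect of moving the image markup onto the `1.` lines.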
@@ -113,4 +107,4 @@ For example, running a query like:
returns results similar to:
-
+
diff --git a/docs/search/search-query-language/search-operators/geoip.md b/docs/search/search-query-language/search-operators/geoip.md
index d697a5fc15..8bfc987122 100644
--- a/docs/search/search-query-language/search-operators/geoip.md
+++ b/docs/search/search-query-language/search-operators/geoip.md
@@ -78,26 +78,19 @@ Using logs that match the example log format, running a query like this:
would produce the following results:
-
+
### View map of geoip results
Enter a query that parses the IP field from your logs, a **geoip** operator to match IP addresses and return geolocation fields you’d like to use to chart each IP address.
-1. By default, results display as a table:
-
- 
-
-1. Click the **Map** icon in the **Aggregates** tab. The map displays:
-
- 
+1. By default, results display as a table:
+1. Click the **Map** icon in the **Aggregates** tab. The map displays:
1. (Optional) Click **Add to Dashboard** to create a new Dashboard or add the map to an existing Dashboard. After adding a map to a Dashboard you will still be able to zoom in and drill down on the data.
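Review bot: unlike every other file in this patch, geoip.md receives no frontmatter hunk adding `import useBaseUrl from '@docusaurus/useBaseUrl';`, yet its image lines are being rewritten the same way; if the new lines reference `useBaseUrl`, the MDX build will fail on an undefined identifier, so verify the import is already present at the top of this file or add the same two-line hunk here.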
@@ -125,4 +118,4 @@ For example, running a query like:
returns results similar to:
-
+
\ No newline at end of file
diff --git a/docs/search/search-query-language/search-operators/hash.md b/docs/search/search-query-language/search-operators/hash.md
index 8cd5f36155..ba6d86b6ee 100644
--- a/docs/search/search-query-language/search-operators/hash.md
+++ b/docs/search/search-query-language/search-operators/hash.md
@@ -4,6 +4,8 @@ title: hash Search Operator
sidebar_label: hash
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `hash` operator uses a cryptographic hash algorithm to obscure data into a random string value. The operator supports MD5, SHA1, SHA2, and MurmurHash3 algorithms. The default is MD5 if no algorithm is specified.
This is helpful when working with sensitive data such as email addresses, usernames, credit cards, and social security numbers. Each unique value will have a unique hash code allowing you to maintain anonymity.
@@ -62,4 +64,4 @@ Create a unique identifier for each log message by concatenating the built-in me
| hash(concat(_messagetime, _messageid), "sha1") as guid
```
-
+
\ No newline at end of file
diff --git a/docs/search/search-query-language/search-operators/in.md b/docs/search/search-query-language/search-operators/in.md
index a422e6018a..c5707493dd 100644
--- a/docs/search/search-query-language/search-operators/in.md
+++ b/docs/search/search-query-language/search-operators/in.md
@@ -4,6 +4,8 @@ title: in Search Operator
sidebar_label: in
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `in` operator returns a Boolean value: true if the specified property is in the specified object, or false if it is not.
## Syntax
@@ -30,4 +32,4 @@ _sourceCategory=Apache/Access
would return results similar to:
-
+
\ No newline at end of file
diff --git a/docs/search/search-query-language/search-operators/ipv4tonumber.md b/docs/search/search-query-language/search-operators/ipv4tonumber.md
index 6bb298f0e6..aeeaf0c52c 100644
--- a/docs/search/search-query-language/search-operators/ipv4tonumber.md
+++ b/docs/search/search-query-language/search-operators/ipv4tonumber.md
@@ -4,6 +4,8 @@ title: ipv4ToNumber Search Operator
sidebar_label: ipv4ToNumber
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `ipv4ToNumber` operator allows you to convert an Internet Protocol version 4 (IPv4) IP address from the octet dot-decimal format to a decimal format. This decimal format makes it easier to compare one IP address to another, rather than relying on IP masking.
:::tip
@@ -35,7 +37,7 @@ _sourceCategory=service remote_ip
would produce results like:
-
+
### Detect the IP range for a single user
@@ -54,4 +56,4 @@ _sourceCategory=service remote_ip
would produce results like:
-
+
\ No newline at end of file
diff --git a/docs/search/search-query-language/search-operators/isnull-isempty-isblank.md b/docs/search/search-query-language/search-operators/isnull-isempty-isblank.md
index 9a51115749..d1e94cf5bb 100644
--- a/docs/search/search-query-language/search-operators/isnull-isempty-isblank.md
+++ b/docs/search/search-query-language/search-operators/isnull-isempty-isblank.md
@@ -4,6 +4,8 @@ title: isNull, isEmpty, isBlank Search Operators
sidebar_label: isNull, isEmpty, isBlank
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
* The `isNull` operator checks a string and returns a boolean value: true if the string is null, or false if the string is not null.
* The `isEmpty` operator checks if a string contains no characters and is only whitespace.
* The `isBlank` operator checks if a string contains no characters, is only whitespace, and is null.
@@ -71,7 +73,7 @@ Running a query like:
uses the `isNull` operator to check the field value of `country_code` and if it returns `true`, has the [`if` operator](/docs/search/search-query-language/search-operators/if) replace the value with the string `unknown`:
-
+
### Use the where operator to check for null values
diff --git a/docs/search/search-query-language/search-operators/isprivateip.md b/docs/search/search-query-language/search-operators/isprivateip.md
index a633f4663e..31b93eea2e 100644
--- a/docs/search/search-query-language/search-operators/isprivateip.md
+++ b/docs/search/search-query-language/search-operators/isprivateip.md
@@ -4,6 +4,8 @@ title: isPrivateIP Search Operator
sidebar_label: isPrivateIP
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `isPrivateIP` operator checks if an IPv4 address is private and returns a boolean.
## Syntax
@@ -23,8 +25,8 @@ isPrivateIP(
## Examples
diff --git a/docs/search/search-query-language/search-operators/ispublicip.md b/docs/search/search-query-language/search-operators/ispublicip.md
index b000bf4950..40c0922462 100644
--- a/docs/search/search-query-language/search-operators/ispublicip.md
+++ b/docs/search/search-query-language/search-operators/ispublicip.md
@@ -4,6 +4,8 @@ title: isPublicIP Search Operator
sidebar_label: isPublicIP
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `isPublicIP` operator checks if an IPv4 address is public and returns a boolean.
## Syntax
@@ -22,8 +24,8 @@ isPublicIP(
## Examples
diff --git a/docs/search/search-query-language/search-operators/isreservedip.md b/docs/search/search-query-language/search-operators/isreservedip.md
index 8c4988de5f..40b13e3738 100644
--- a/docs/search/search-query-language/search-operators/isreservedip.md
+++ b/docs/search/search-query-language/search-operators/isreservedip.md
@@ -4,6 +4,8 @@ title: isReservedIP Search Operator
sidebar_label: isReservedIP
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `isReservedIP` operator checks if an IPv4 address is reserved as defined by [RFC 5735](https://tools.ietf.org/html/rfc5735) and returns a boolean.
## Syntax
@@ -21,8 +23,8 @@ isReservedIP(
## Examples
diff --git a/docs/search/search-query-language/search-operators/limit.md b/docs/search/search-query-language/search-operators/limit.md
index 2794f1c2c1..4ed9a2161c 100644
--- a/docs/search/search-query-language/search-operators/limit.md
+++ b/docs/search/search-query-language/search-operators/limit.md
@@ -4,6 +4,8 @@ title: limit Search Operator
sidebar_label: limit
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `limit` operator reduces the number of raw messages or aggregate results returned. If you simply query for a particular term, for example "error" without using an aggregation operator such as group by, limit will reduce the number of raw messages returned. If you first use group-by or other aggregation operator, the limit operator will reduce the number of grouped results instead.
The limit operator is useful for creating lists of events for a Dashboard, which allows you to see at a glance, for example, the "Top 10" service operations, system operations, errors, or other system or user activities.
@@ -46,7 +48,7 @@ error *
which would provide results similar to:
-
+
**Top 10 Service Operations:**
@@ -65,6 +67,6 @@ _sourceCategory=OS/Windows Service Control Manager
which can be displayed in a bar chart like this:
-
+
See [Sort](sort.md) operator for more information.
diff --git a/docs/search/search-query-language/search-operators/lookup-classic.md b/docs/search/search-query-language/search-operators/lookup-classic.md
index d585d92fad..7ce35e661a 100644
--- a/docs/search/search-query-language/search-operators/lookup-classic.md
+++ b/docs/search/search-query-language/search-operators/lookup-classic.md
@@ -4,6 +4,8 @@ title: lookup (Classic) Search Operator
sidebar_label: lookup (Classic)
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
:::note
This topic has information about the classic version of the `lookup` operator, which works with the classic Lookup Tables feature.
@@ -168,4 +170,4 @@ You only get the last associated value as a result.
For example, if you are searching your Apache Access logs from 34.87.4.6 and you are looking for an internal server errors by a specific keyid, lookup provides the last result that matches your criteria:
-
+
\ No newline at end of file
diff --git a/docs/search/search-query-language/search-operators/lookup.md b/docs/search/search-query-language/search-operators/lookup.md
index c3953c1440..e51b93e4b3 100644
--- a/docs/search/search-query-language/search-operators/lookup.md
+++ b/docs/search/search-query-language/search-operators/lookup.md
@@ -4,6 +4,8 @@ title: lookup Search Operator
sidebar_label: lookup
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `lookup` operator can return one or more fields from a lookup table hosted by Sumo Logic and add the fields to the log messages returned by your query. You create a lookup table using the lookup UI or the [Lookup API](/docs/api/lookup-tables). You can populate a lookup table by uploading a CSV file using the Lookup API, or by using the [`save` operator](/docs/search/search-query-language/search-operators/save) to save the results of a log query.
For information about lookup tables, see [Lookup Tables](/docs/search/lookup-tables/).
@@ -87,9 +89,9 @@ Where:
`/Library/Admin Recommended/Lookups/Approved Cloud Jump Stations`
- To determine the path to a lookup table, highlight the row for the table in the Sumo Logic Library, and select **Copy path to clipboard** from the three-dot kebab menu for the table.
+ To determine the path to a lookup table, highlight the row for the table in the Sumo Logic Library, and select **Copy path to clipboard** from the three-dot kebab menu for the table.
- 
+
* `joinColumn-x` is a list of pairs of field names that define the relationship between values in the log data results with matching values in the lookup table, for example:
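Review bot: the removed and added `To determine the path to a lookup table...` lines read identically in this hunk, so the change appears to be whitespace only (indentation or trailing spaces); if the purpose is to re-indent the sentence so it stays inside the preceding bullet, say so in the commit message, and otherwise drop the line from the diff to keep the change limited to the image markup.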
diff --git a/docs/search/search-query-language/search-operators/luhn.md b/docs/search/search-query-language/search-operators/luhn.md
index 3ab6d5f4fa..c6cd034fb0 100644
--- a/docs/search/search-query-language/search-operators/luhn.md
+++ b/docs/search/search-query-language/search-operators/luhn.md
@@ -4,6 +4,8 @@ title: luhn Search Operator
sidebar_label: luhn
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `luhn` operator uses Luhn’s algorithm to check message logs for strings of numbers that may be credit card numbers and then validates them. It takes a string as an input, strips out all characters that are not numerals, and checks if the resulting string is a valid credit card number, returning true or false accordingly.
## Syntax
@@ -31,7 +33,7 @@ Use the following query to identify credit card numbers in message logs, and ver
which provides results such as:
-
+
### Search for and verify a specific credit card number
@@ -44,4 +46,4 @@ Use the following query to search for a specific credit card number and verify i
It would provide the following results:
-
+
diff --git a/docs/search/search-query-language/search-operators/matches.md b/docs/search/search-query-language/search-operators/matches.md
index 6403f4ff08..e2cf35c7ea 100644
--- a/docs/search/search-query-language/search-operators/matches.md
+++ b/docs/search/search-query-language/search-operators/matches.md
@@ -4,6 +4,8 @@ title: matches Search Operator
sidebar_label: matches
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `matches` operator can be used to match a string to a wildcard pattern or an RE2-compliant regex. The operator returns a boolean value; the operator can be used with the `where` or `if` operators.
You can use `matches` in Dashboard Panels and in conjunction with other operators to build robust queries.
@@ -89,7 +91,7 @@ _sourceCategory=Apache/Access
Produces aggregate results similar to the following, when you configure it to create a [stacked column chart](/docs/dashboards/panels/column-charts):
-
+
### Viewing errors and warnings over time
@@ -111,7 +113,7 @@ _sourceCategory=OS/Windows (error or warning)
Produces results similar to the following, when you configure it to be visualized as a [line chart](/docs/dashboards/panels/line-charts):
-
+
### Matching against parsed field values
diff --git a/docs/search/search-query-language/search-operators/now.md b/docs/search/search-query-language/search-operators/now.md
index cf11f243e8..efde768d20 100644
--- a/docs/search/search-query-language/search-operators/now.md
+++ b/docs/search/search-query-language/search-operators/now.md
@@ -4,6 +4,8 @@ title: now Search Operator
sidebar_label: now
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `now` returns the current epoch time in milliseconds. It can be used with the formatDate operator to get the formatted current time.
It is important to note that the Now operator outputs the exact time (down to the millisecond) each and every time it is executed. This means that if you use now with every message in a search, it will return slightly different results in every message, as messages are not all processed by your search at once.
@@ -26,7 +28,7 @@ This query returns a long version of the current date and time in milliseconds.
Which returns results similar to:
-
+
### Return the current date using formatDate
@@ -38,6 +40,6 @@ Use the following query with formatDate to return results for the current date f
This returns the following results.
-
+
For more examples, see [`formatDate`](formatdate.md) operator.
diff --git a/docs/search/search-query-language/search-operators/num.md b/docs/search/search-query-language/search-operators/num.md
index 68a1097b05..b2d9729f7a 100644
--- a/docs/search/search-query-language/search-operators/num.md
+++ b/docs/search/search-query-language/search-operators/num.md
@@ -4,6 +4,8 @@ title: num Search Operator
sidebar_label: num
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `num` operator converts a field to a double value (64-bit IEEE 754 double-precision floating-point number), which is twice as accurate as a float value (32-bit IEEE 754 single-precision floating-point number). Using `num` in a query can be useful for sorting results by number instead of alphabetically, which is the default.
@@ -29,4 +31,4 @@ _sourceCategory=concierge completed execution
This query produces results like this:
-
+
diff --git a/docs/search/search-query-language/search-operators/outlier.md b/docs/search/search-query-language/search-operators/outlier.md
index e5ccc0fc36..941ab69005 100644
--- a/docs/search/search-query-language/search-operators/outlier.md
+++ b/docs/search/search-query-language/search-operators/outlier.md
@@ -4,6 +4,8 @@ title: outlier Search Operator
sidebar_label: outlier
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
Given a series of time-stamped numerical values, using the `outlier` operator in a query can identify values in a sequence that seem unexpected, and would identify an alert or violation, for example, for a scheduled search.
To do this, the Outlier operator tracks the moving average and standard deviation of a numerical field. An outlier is identified based on a specified *threshold* of standard deviations around the expected value. If a data point is outside the threshold, it is considered to be an outlier.
@@ -86,7 +88,7 @@ _sourceCategory=IIS/Access
| outlier response_time window=5,threshold=3,consecutive=2,direction=+-
```
-
+
The outlier values are represented by the pink triangles in the resulting chart.
@@ -104,7 +106,7 @@ _sourceCategory=Apache/Access
| outlier status_code window=5,threshold=3,consecutive=1,direction=+-
```
-
+
The outlier values are represented by the pink triangles in the
resulting chart.
@@ -122,7 +124,7 @@ _sourceCategory=Apache/Access
This way, you can run outlier analysis separately for each value of `_sourceHost`, as shown.
-
+
This example will only produce an aggregation table, not a chart, but the indicator and violation fields will correctly reflect each `_sourceHost` processing.
@@ -158,7 +160,7 @@ You can display the raw results of a multidimensional time series in a table cha
In the following table chart, a value of 1 in the `_count_violation` column indicates that the data point corresponding to that timeslice is
an outlier.
-
+
### Alerts Based on Multidimensional Outlier Results
@@ -184,7 +186,7 @@ Once you have run the query, you can click **Save As** to create a [Scheduled Se
To visualize your results, on the Search page, you can create a column chart, then change the stacking property to normal to display alerts by unique **user_id** (the multidimensional aspect).
-
+
### Chart Multidimensional Outlier Results
@@ -205,7 +207,7 @@ error (_sourceCategory=Apache* or _sourceCategory=IIS*)
When you select a [line chart](/docs/dashboards/panels/line-charts), this example will display something like the following:
-
+
#### Example 2: Outlier Ranking
@@ -226,7 +228,7 @@ _sourceCategory=Apache*
When you select a [line chart](/docs/dashboards/panels/line-charts), this example will display something like the following:
-
+
In the line chart, you can see which series is producing the most “deviating” outliers.
diff --git a/docs/search/search-query-language/search-operators/predict.md b/docs/search/search-query-language/search-operators/predict.md
index 587a0f8470..1814e0e6c0 100644
--- a/docs/search/search-query-language/search-operators/predict.md
+++ b/docs/search/search-query-language/search-operators/predict.md
@@ -4,6 +4,8 @@ title: predict Search Operator
sidebar_label: predict
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
Uses a series of time-stamped numerical values to `predict` future values. The predict operator can be useful in the following cases:
* As an early warning system, alerting you when a threshold is about to be reached.
@@ -107,11 +109,11 @@ _sourceCategory=Labs/Apache/Access status_code=404 | timeslice 1m | count(status
The query returns an aggregation table with columns for `error_count`, `error_count_predicted`, and `error_count_error`.
-
+
From here, you can select the **Line Chart** icon, and automatically create a Combo Chart that represents the `error_count_error` as a column chart, and the `error_count` and `error_count_predicted` mapped on top of that with separate lines. Note that the `(absolute value)_count_error` series is toggled off by default. Click it in the legend to display the column chart.
-
+
### predict using auto-regressive model
@@ -123,12 +125,12 @@ _sourceCategory=Labs/Apache/Access status_code=404 | timeslice 1m | count(status
The query returns an aggregation table with columns for `error_count`, `error_count_predicted`, `error_count_linear`, and `_error_count_error`.
-
+
From here, you can select the **Line Chart** icon, and automatically create a Combo Chart that represents the `error_count_error` as a column chart, and the `error_count` and `error_count_predicted` mapped on top of that with separate lines. Note that the `(absolute value)_count_error` series is toggled off by default. Click it in the legend to display the column chart.
-
+
Note that, if desired, you can display the `_count_linear` series, to see the value predicted by the simple linear regression model by clicking it in the legend.
-
+
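Review bot: the column name in the context line "columns for `error_count`, `error_count_predicted`, `error_count_linear`, and `_error_count_error`" does not match the `error_count_error` used in the next paragraph and in the previous hunk ("columns for `error_count`, `error_count_predicted`, and `error_count_error`"); while this section is being touched, make the two consistent so readers can find the column in the aggregation table.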
diff --git a/docs/search/search-query-language/search-operators/replace.md b/docs/search/search-query-language/search-operators/replace.md
index 304ba684dc..f45a73e53d 100644
--- a/docs/search/search-query-language/search-operators/replace.md
+++ b/docs/search/search-query-language/search-operators/replace.md
@@ -4,6 +4,8 @@ title: replace Search Operator
sidebar_label: replace
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `replace` operator allows you to replace all instances of a specified string with another string. You can specify the string to replace with a matching regex or literal text. You might use it to find all instances of a name and change it to a new name or to replace punctuation in a field with different punctuation. This operator is useful anytime you need to rename something.
@@ -99,7 +101,7 @@ error
which provides results like:
-
+
### Remove underscores from a field to make it human readable
diff --git a/docs/search/search-query-language/search-operators/rollingstd.md b/docs/search/search-query-language/search-operators/rollingstd.md
index c174dc1c34..e6d86ddc9c 100644
--- a/docs/search/search-query-language/search-operators/rollingstd.md
+++ b/docs/search/search-query-language/search-operators/rollingstd.md
@@ -4,6 +4,8 @@ title: rollingstd Search Operator
sidebar_label: rollingstd
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `rollingstd` operator finds the rolling standard deviation of a field, allowing you to identify changes over time.
For example, you'd use `rollingstd` in a query to identify spikes in activity for a Collector, or for a URL in your site. You can use a `rollingstd` to find compute the average number from the past, to identify changes (larger or smaller) over time.
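Review bot: the context line "You can use a `rollingstd` to find compute the average number from the past" reads as a leftover edit ("find compute"); since this paragraph sits right under the new import, drop one of the two verbs, e.g. "to compute the average from the past".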
@@ -42,7 +44,7 @@ _sourceCategory=katta
produces results like:
-
+
### Find the rolling standard deviation of a field between time points
@@ -58,11 +60,11 @@ Using `rollingstd` with `timeslice`, you can run a query similar to:
that produces results like:
-
+
The aggregation table can be made into an area chart, like this:
-
+
### Specify a window length of 5, but only 4 data points are available
@@ -80,6 +82,6 @@ _sourceCategory=katta
which produces results like:
-
+
`rollingstd` is also used with the [backshift](backshift.md) operator.
diff --git a/docs/search/search-query-language/search-operators/sessionize.md b/docs/search/search-query-language/search-operators/sessionize.md
index 736d688ef3..c5c74cd20b 100644
--- a/docs/search/search-query-language/search-operators/sessionize.md
+++ b/docs/search/search-query-language/search-operators/sessionize.md
@@ -4,13 +4,15 @@ title: sessionize Search Operator
sidebar_label: sessionize
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `sessionize` operator allows you to use an extracted value from one log message (generated from one system) to find correlating values in log messages from other systems. After you run `sessionize`, these related events are displayed on the same page. The thread of logs woven together is called a _session_.
Depending on your use case, you'd also use the [join](join.md) operator, which may be more appropriate and easier to use.
For example, let's say we have the value of a userRequestId, which entered a distributed system; the request goes through systems named Service, Stream, and Config:
-
+
Each system generated log messages, so we know that at some point a failure occurred. We know the userRequestID value from the log files from the Service machine, and we know the serviceSessionId, streamRequestId, and configSessionId. Using **sessionize**, we can weave together these disparate logs to identify where the failure occurred.
@@ -56,4 +58,4 @@ _sourceCategory=OS/Windows
Here's an example of the results from this query:
-
+
diff --git a/docs/search/search-query-language/search-operators/smooth.md b/docs/search/search-query-language/search-operators/smooth.md
index 1a1835f5bc..b850faf1be 100644
--- a/docs/search/search-query-language/search-operators/smooth.md
+++ b/docs/search/search-query-language/search-operators/smooth.md
@@ -4,6 +4,8 @@ title: smooth Search Operator
sidebar_label: smooth
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `smooth` operator calculates the rolling (or moving) average of a field, measuring the average of a value to "smooth" random variation. Smooth operator reveals trends in the data set you include in a query.
Within a query that contains a smooth operator you will choose a window (described as window_length in the syntax below); the average of the values within the window creates a data point.
@@ -44,7 +46,7 @@ _sourceCategory=katta
produces results like:
-
+
### Smooth the difference of a quantity between time points
@@ -60,7 +62,7 @@ Using smooth with timeslice, you can run a query similar to:
that produces results like:
-
+
### Use backshift with smooth and rollingstd to view the averages of incoming bytes
@@ -80,7 +82,7 @@ Running a query like:
produces results similar to:
-
+
### Specify a window length of 5, but only 4 data points are available
@@ -97,4 +99,4 @@ _sourceCategory=katta
produces results like:
-
+
diff --git a/docs/search/search-query-language/search-operators/sort.md b/docs/search/search-query-language/search-operators/sort.md
index d80f4d8165..cfd811f3b6 100644
--- a/docs/search/search-query-language/search-operators/sort.md
+++ b/docs/search/search-query-language/search-operators/sort.md
@@ -4,6 +4,8 @@ title: sort Search Operator
sidebar_label: sort
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `sort` operator orders aggregated search results. The default sort order is descending. Then you can use the top or limit operators to reduce the number of sorted results returned.
The `order` operator is synonymous with the `sort` operator. You can use them interchangeably in your queries.
@@ -73,6 +75,6 @@ _sourceCategory=Labs/Apache/Access
which provides results like:
-
+
For more information, see [Top](top.md) operator or [Limit](limit.md) operator.
diff --git a/docs/search/search-query-language/search-operators/timeslice.md b/docs/search/search-query-language/search-operators/timeslice.md
index 53fec50076..035de262ec 100644
--- a/docs/search/search-query-language/search-operators/timeslice.md
+++ b/docs/search/search-query-language/search-operators/timeslice.md
@@ -4,6 +4,7 @@ title: timeslice Search Operator
sidebar_label: timeslice
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
import AlertsTimeslice from '../../../reuse/alerts-timeslice.md';
The `timeslice` operator aggregates data by time period, so you can create bucketed results based on a fixed interval (for example, five-minute buckets). Timeslice also supports creating a fixed-target number of buckets, for example, 150 buckets over the last 60 minutes.
@@ -57,7 +58,7 @@ Successful logins per hour.
| count by _timeslice
```
-
+
### Known Issue
@@ -124,7 +125,7 @@ _sourceCategory=Apache/Access
This query produces these results in the Aggregates tab, which you can
display as a column chart.
-
+
**Example 2:** All computer access to Sumo Logic over time.
@@ -138,7 +139,7 @@ _sourceCategory=*IIS*
This query produces these results in the Aggregates tab, which you can display as a stacked column chart:
-
+
**Example 3:** Monitoring non-normal status codes (400s and 500s) on Apache servers.
@@ -153,4 +154,4 @@ _sourceCategory=Apache/Access
This query produces these results in the Aggregates tab, which you can display as an area chart:
-
+
diff --git a/docs/search/search-query-language/search-operators/tolowercase-touppercase.md b/docs/search/search-query-language/search-operators/tolowercase-touppercase.md
index 60171dafa6..2c8dd9e783 100644
--- a/docs/search/search-query-language/search-operators/tolowercase-touppercase.md
+++ b/docs/search/search-query-language/search-operators/tolowercase-touppercase.md
@@ -4,6 +4,8 @@ title: toLowerCase, toUpperCase Search Operators
sidebar_label: toLowerCase, toUpperCase
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `toLowerCase` operator takes a string and converts it to all lower case letters. The `toUpperCase` operator takes a string and converts it to all uppercase letters.
These operators can be useful for normalizing source logs with inconsistent capitalization, such as Windows Event logs, or changing file names and paths for files systems that require all lower case letters. They are especially useful for queries that include conditionals and grouping, in order to reduce the number of groups in the search results.
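Review bot: the context line "for files systems that require all lower case letters" should read "file systems"; a one-word fix worth folding into this hunk since the paragraph is already in the diff context.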
@@ -40,7 +42,7 @@ _sourceCategory=service OR _sourceCategory=search
which provides results like:
-
+
### Using toLowerCase or toUpperCase with an equating condition
@@ -78,7 +80,7 @@ _sourceCategory=service OR _sourceCategory=search
which produces results like:
-
+
### Find a user name and convert it to lowercase
diff --git a/docs/search/search-query-language/search-operators/top.md b/docs/search/search-query-language/search-operators/top.md
index 569c0aecb7..75e18889e2 100644
--- a/docs/search/search-query-language/search-operators/top.md
+++ b/docs/search/search-query-language/search-operators/top.md
@@ -4,6 +4,8 @@ title: top Search Operator
sidebar_label: top
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
Use the `top` operator with the [`sort`](/docs/search/search-query-language/search-operators/sort) operator to reduce the number of sorted results returned.
:::tip
@@ -28,7 +30,7 @@ error | top 5 _sourceCategory
which produces results like:
-
+
You can use the following query to get the same results, but make the
count explicit:
@@ -48,4 +50,4 @@ error | top 10 _sourceCategory by _messagetime
which produces results like:
-
+
diff --git a/docs/search/search-query-language/search-operators/topk.md b/docs/search/search-query-language/search-operators/topk.md
index 5cd34c885a..5baf2c323c 100644
--- a/docs/search/search-query-language/search-operators/topk.md
+++ b/docs/search/search-query-language/search-operators/topk.md
@@ -4,6 +4,8 @@ title: topk Search Operator
sidebar_label: topk
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `topk` operator allows you to select the top values from fields and group them by fields. It can replace the `top` operator and adds the ability to choose the top of top.
:::tip
@@ -35,7 +37,7 @@ error
| topk(5, _count)
```
-
+
#### Top 2 results
@@ -50,7 +52,7 @@ error
Let's figure out what is the maximum error count for each sourceHost for the given time range slightly changing our query. We’ll add a by clause to the given operator and provide sourceHost as an argument. This tells the system that we want to look for the top “x” counts for each source Host.
-
+
Find the top two source host, source category pairs.
@@ -63,4 +65,4 @@ error
We can specify more than one argument to group by. In the query above, we are looking for the top 2 results for each source host, source Category pairs.
-
+
\ No newline at end of file
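Review bot: both the old and new versions of topk.md end without a trailing newline ("\ No newline at end of file"); since the last line of the file is being rewritten anyway, end it with a newline so future diffs of this file do not carry the marker and so the file matches the other operator pages in this patch.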
diff --git a/docs/search/search-query-language/search-operators/total.md b/docs/search/search-query-language/search-operators/total.md
index f93c1c3dc9..580d6a25de 100644
--- a/docs/search/search-query-language/search-operators/total.md
+++ b/docs/search/search-query-language/search-operators/total.md
@@ -4,6 +4,8 @@ title: total Search Operator
sidebar_label: total
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `total` operator inserts the sum of a set of fields into every row of the set. Unlike the sum operator, which produces an aggregate value, the total operator inserts the total value as a new column, enabling expressions that compare an individual value to the total.
## Syntax
@@ -39,7 +41,7 @@ In this example, you can find the total data (bytes) transmitted for a time rang
produces results similar to:
-
+
Note that the t_data value of 16,761,621,241.25455 is the sum of the data field in all rows, many of which are not visible here.
@@ -51,7 +53,7 @@ This query produces only three results, illustrating that _total is simply the s
| total ps
```
-
+
#### Calculate totals by message time
@@ -80,4 +82,4 @@ _sourceCategory=IIS (Wyatt OR Luke)
produces results similar to:
-
+
diff --git a/docs/search/search-query-language/search-operators/tourl.md b/docs/search/search-query-language/search-operators/tourl.md
index 977ec5b322..d88b714881 100644
--- a/docs/search/search-query-language/search-operators/tourl.md
+++ b/docs/search/search-query-language/search-operators/tourl.md
@@ -4,6 +4,8 @@ title: tourl Search Operator
sidebar_label: tourl
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `tourl` operator provides you the ability to assign a short name that describes the URL. It is similar to creating a href for the URL with a short name. URLs are generally long and they do not tell you what information is displayed when the URL is opened. A common benefit of using this operator is to provide a description of a URL to display in dashboards.
@@ -38,7 +40,7 @@ When your URL points to another Sumo Logic feature from your account, such as a
Right-click the link to view the tab-options menu:
-
+
If you do not see the menu, it is not a supported link.
@@ -58,7 +60,7 @@ If you’re sharing the Akamai Denials by Host search query in a dashboard with
When you add this to a dashboard, you’ll see the short name. When you click the link, it will open the Akamai denials by host search query.
-
+
#### Using a column for short name, and a prefix
@@ -78,8 +80,8 @@ Notice the query uses the value `"Scheduled search failed at: "` as the value fo
The query result will be:
-
+
When you add the result to a dashboard, you’ll see the short name. When you click the link, it will take you to the scheduled search query.
-
+
diff --git a/docs/search/search-query-language/search-operators/trace.md b/docs/search/search-query-language/search-operators/trace.md
index dcb20e1acb..7ca627c0f3 100644
--- a/docs/search/search-query-language/search-operators/trace.md
+++ b/docs/search/search-query-language/search-operators/trace.md
@@ -4,6 +4,8 @@ title: trace Search Operator
sidebar_label: trace
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `trace` operator acts as a highly sophisticated filter to connect the dots across different log messages. You can use any identifying value with a trace operator, such as a user ID, IP address, or session ID, to retrieve a comprehensive set of activity associated to that original ID.
Trace operators require the following:
@@ -21,7 +23,7 @@ trace "
Imagine that an error happened at some point in the process, generating an error including "PROCESSING FAILED: webID=7F92. Starting from this information, we can use a trace operator in our query to following the chain of activity:
@@ -50,7 +52,7 @@ We want to trace all Windows logins moving forward (+), starting from John's wor
* "EventIdentifier 4624" "\nLogon Type:\t\t\t10" OR "\nLogon Type:\t\t\t2"| trace + "(?:Computer|Workstation )Name(?: = \"|:\\t)?(.+?)(?:\"|\s)" "JohnWorkstation.example.com" | extract "ComputerName = \"(?
Trace tells us that from John's Workstation there was a login event to WIN1.example.com, from which there was a login to WIN2.example.com and then to WIN3.example.com within the same time frame. While we may not know if these login events were from the same person, it helps to determine potentially affected hosts (especially since generic usernames were used as well as an Administrator).
@@ -62,6 +64,6 @@ We want to build a chain of events going backwards in time (-) from a compromise
* "EventIdentifier = 4624" "\nLogon Type:\t\t\t10" OR "\nLogon Type:\t\t\t3"| trace - "(?:Computer|Workstation )Name(?: = \"|:\\t)?(.+?)(?:\"|\s)" "WIN3.example.com" | extract "ComputerName = \"(?
From these results, we can see that for WIN3.example.com there was a login event from WIN2.example.com from which there was another login event from WIN1.example.com. WIN1.example.com was logged into by John from his workstation, allowing us to identify the attacker.
diff --git a/docs/search/search-query-language/search-operators/transpose.md b/docs/search/search-query-language/search-operators/transpose.md
index 3da01c3c70..fe40120dba 100644
--- a/docs/search/search-query-language/search-operators/transpose.md
+++ b/docs/search/search-query-language/search-operators/transpose.md
@@ -4,6 +4,8 @@ title: transpose Search Operator
sidebar_label: transpose
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
Similar to a Pivot Table in Excel, the `transpose` operator allows you to take a list and turn it into a table in the Aggregates tab, as shown by the examples below. You can define what data makes the rows and columns.
Without `transpose`, the following query renders a factual, but not useful table below:
@@ -14,7 +16,7 @@ _sourceCategory=Labs/Apache/Access
| count by _timeslice, status_code
```
-
+
With `transpose`, you can use your query to define your rows as the `timeslice` and the columns as the status code:
@@ -25,7 +27,7 @@ _sourceCategory=Labs/Apache/Access
| transpose row _timeslice column status_code
```
-
+
To make this information present as a table, transpose dynamically creates columns for aggregate search results. This allows you to change the output of a query by turning search results into fields, so you can design queries without first knowing the output schema. In this way, transpose formats the data correctly for charts in Dashboard Panels.
@@ -33,11 +35,11 @@ For example, the screenshots below represent the same data from the same time ra
Without transpose, the data is represented according to timeslice, but not aggregated by status code:
-
+
With transpose, the results display in an easy-to-read manner status codes by timeslice:
-
+
## Syntax
@@ -78,7 +80,7 @@ error | parse "module=*]" asmodule| timeslice 1m
will produce results with each module represented with a distinct color, similar to:
-
+
Try changing the Stacking setting (under Change Properties) to **Normal** to see how graphs are affected by this option. For more information, see [Chart Search Results](/docs/search/get-started-with-search/search-basics/chart-search-results).
@@ -96,7 +98,7 @@ _sourceCategory=service
will produce a stacked graph similar to:
-
+
#### View web server status codes
@@ -111,11 +113,11 @@ _sourceCategory=Apache/Access
Results are initially returned in the **Aggregates** tab in the form that we want.
-
+
Then you can select the **Column** chart button, and under **Change Properties**, set the **Stacking** setting to **Normal** to create a stacked column chart.
-
+
For information on handling null fields, see [isNull](/docs/search/search-query-language/search-operators/isnull-isempty-isblank#isnullstring) operator.
diff --git a/docs/search/search-query-language/search-operators/urlencode.md b/docs/search/search-query-language/search-operators/urlencode.md
index a8e88f1f13..44352794c5 100644
--- a/docs/search/search-query-language/search-operators/urlencode.md
+++ b/docs/search/search-query-language/search-operators/urlencode.md
@@ -4,6 +4,8 @@ title: urlencode Search Operator
sidebar_label: urlencode
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The `urlencode` operator encodes the URL into an ASCII character set. This is the standard format in which URLs can be sent over the internet.
For example, if your URL looks like this:
@@ -40,4 +42,4 @@ _sourceCategory=pagerduty
The query returns the field `url` encoded:
-
+
diff --git a/docs/search/search-query-language/transaction-analytics/flow-diagrams.md b/docs/search/search-query-language/transaction-analytics/flow-diagrams.md
index 7c16368bb4..a8f8fc1cc7 100644
--- a/docs/search/search-query-language/transaction-analytics/flow-diagrams.md
+++ b/docs/search/search-query-language/transaction-analytics/flow-diagrams.md
@@ -3,13 +3,15 @@ id: flow-diagrams
title: Flow Diagrams
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The Sankey diagram, a specific type of flow diagram, uses the width of an arrow or stripe to show the proportion of a quantity. In Sumo Logic, Flow Diagrams can show the flow within a distributed system, for example, or can be used to see how customers flow through your website via states, which are triggered by log events. These states can show you how long customers take to complete purchases, or even where users are dropping off your site or app.
Flow diagrams can be used as part of a saved search, or in a [dashboard](/docs/dashboards/panels/sankey-charts/).
The Sankey chart works with the [`transaction`](/docs/search/search-query-language/transaction-analytics) operator. When constructing your query, you will define the edges of the chart's lines; Sumo Logic sorts each transaction type into the correct flow line using the states defined in your query.
-
+
After creating a Flow Diagram, you can hover over any line in the diagram to see additional details between the two states, including loop backs. Additionally, you can click a line to run a drill down search on just that data.
@@ -18,7 +20,7 @@ Sankey diagrams are named after Irish Captain Matthew Sankey, an engineer who us
## Creating Flow Diagrams
1. Run a search using a transaction operator. Make sure to include `fromstate` arguments to order the data properly.
-1. In the Aggregates tab of the **Search** page, click the **Flow Diagram** icon.
1. Save the search as a Flow Diagram to run again later.
## Drilling down into Flow Diagram lines
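Review bot: the removed line "-1. In the Aggregates tab of the **Search** page, click the **Flow Diagram** icon." is the second step of the three-step procedure, and the hunk counts (-18,7 +20,7) show it is replaced by exactly one line; confirm that the replacement line still carries the step text and not only the inline image, otherwise the list jumps from running the search straight to saving it.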
@@ -28,7 +30,7 @@ any line in the diagram.
To drill down in a Flow Diagram:
-1. After running a transaction operator query, hover over a line in the Flow Diagram.
1. Click the line.
1. A new search tab opens, and the query that represents the states of the flow runs.
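Review bot: same concern as in the previous hunk of this file: the removed step "-1. After running a transaction operator query, hover over a line in the Flow Diagram." is the first step of the drill-down procedure, and the counts (-28,7 +30,7) indicate a one-for-one replacement; the replacement should keep the "hover over a line" instruction in front of "1. Click the line." so the procedure still starts with an action the reader can follow.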
@@ -36,4 +38,4 @@ To drill down in a Flow Diagram:
**Loop backs** in the flow (order) of states are tracked and displayed as red lines looping over the respective states in the flow diagram. You can hover over the loops to view the number of occurrences respective states had returned to a previous state.
-
+
diff --git a/docs/search/search-query-language/transaction-analytics/merge-operator.md b/docs/search/search-query-language/transaction-analytics/merge-operator.md
index 42aa131d69..5b6934e9ae 100644
--- a/docs/search/search-query-language/transaction-analytics/merge-operator.md
+++ b/docs/search/search-query-language/transaction-analytics/merge-operator.md
@@ -3,7 +3,7 @@ id: merge-operator
title: Merge Operator
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
The Merge operator reduces a stream of events to a single event using a specified merge strategy. It is particularly useful as a subquery for the [Transactionize](transactionize-operator.md) operator. Each field can have a different merge strategy:
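Review bot: here the import replaces the blank line after the frontmatter ("-" followed by "+import useBaseUrl from '@docusaurus/useBaseUrl';") instead of being added together with a trailing blank line as in every other file in this patch; MDX expects import statements to be separated from the following content by a blank line, so check that one remains between the import and "The Merge operator reduces a stream of events", and for consistency add the import the same way as elsewhere (keep the blank line, add the import plus an empty line).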
@@ -45,7 +45,7 @@ The following query:
produces a result something like this:
-
+
A common case for using the merge operator with the [`transactionize`](transactionize-operator.md) operator is when all log messages have a common field, such as **`transaction_id`** or **`request_id`**. Using the `merge` operator with `transactionize` merges all the messages with the common fields, for example:
@@ -57,4 +57,4 @@ _sourceCategory=travelweb
Which provides results like the following. Notice that all the logs from the same IP are now grouped in one record.
-
+
diff --git a/docs/search/search-query-language/transaction-analytics/transaction-operator.md b/docs/search/search-query-language/transaction-analytics/transaction-operator.md
index 23ea2a7864..496131c69e 100644
--- a/docs/search/search-query-language/transaction-analytics/transaction-operator.md
+++ b/docs/search/search-query-language/transaction-analytics/transaction-operator.md
@@ -3,7 +3,7 @@ id: transaction-operator
title: Transaction Operator
---
-
+import useBaseUrl from '@docusaurus/useBaseUrl';
No matter what type of data you are analyzing, from tracking website sign ups, to e-commerce data, to watching system activity across a distributed system, the transaction operator can be used in a variety of use cases. Ultimately, data is always ordered, at least by timestamp. But during analysis, the transaction operator can process otherwise unordered data and produce results using ordered data (data that has an ordered flow).
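Review bot: same pattern as merge-operator.md: the existing blank line is swapped for the import line rather than the import being added with an empty line after it; verify a blank line still separates `import useBaseUrl from '@docusaurus/useBaseUrl';` from the first paragraph so MDX does not treat the paragraph as part of the import block, and align this hunk with the "+import" / "+" shape used in the other files.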
@@ -118,7 +118,7 @@ _sourceCategory=oursite
| transaction on ip with states aboutus, company, blog, shopping, api in urlprefix
```
-
+
## Specifying a fringe cut-off
@@ -215,7 +215,7 @@ _source=Syslog (New session) OR (Session deleted)
You reference the `_end_time` and `_start_time` fields to calculate the duration of the `sessionid`.
-
+
### Detecting a potential e-commerce failure
@@ -239,8 +239,8 @@ results by flow
could produce a Flow Diagram with normal drop-off rates at the different states: `cart`, `shipping`, `billing`, `billingVerification`, `confirmation`, and `ordershipped`.
-
+
Now, if you ran this query and saw results as shown below, where there is a big drop-off at the verification state, you'd determine that there is likely a problem with the verification service and start an investigation.
-
+
diff --git a/docs/search/search-query-language/transaction-analytics/transactionize-operator.md b/docs/search/search-query-language/transaction-analytics/transactionize-operator.md
index afc4f4b448..2a8552015a 100644
--- a/docs/search/search-query-language/transaction-analytics/transactionize-operator.md
+++ b/docs/search/search-query-language/transaction-analytics/transactionize-operator.md
@@ -3,6 +3,8 @@ id: transactionize-operator
title: Transactionize Operator
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
The _Transactionize_ operator groups log messages that match on any fields you specify. The groups created from the specified fields become the **transactions**.
Unlike other "group by" operators, where the logs in a group must match on all defined fields, `transactionize` just needs one field to match in order to assign logs to the same group.
@@ -89,7 +91,7 @@ To group the logs that belong to the same request, we can use [parse nodrop](/do
For example:
-
+
:::note
To see an example of using the `transactionize` operator with merge, see [`merge` operator](merge-operator.md).
diff --git a/docs/search/subqueries.md b/docs/search/subqueries.md
index cf16ce4b58..1a264e375a 100644
--- a/docs/search/subqueries.md
+++ b/docs/search/subqueries.md
@@ -3,6 +3,8 @@ id: subqueries
title: Subqueries
---
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
Subqueries allow you to filter and evaluate conditions for a query when you may not be sure of the exact filter or condition criteria, and you can write a short query to set them for you.
Subqueries use one query to pass results back to another query to narrow down or evaluate the set of messages that are searched in that query. Sometimes this offers a faster approach than a [`join`](/docs/search/search-query-language/search-operators/join), where you'd have to unite large sets of data and then search through the results to form a conclusion. If you can do some processing to narrow down the scope of data, you can form a subquery.
@@ -171,7 +173,7 @@ _sourceCategory=reinvent/travel/checkout 243.63.233.30
With a subquery, we can pass the IP address that is highlighted from a child query to this parent query as a keyword in its search expression.
-
+
### Step 2: Create a child query
@@ -185,7 +187,7 @@ _sourceCategory=reinvent/travel/nginx
The result of this query has the IP address (243.63.233.30) we want to pass to the parent query.
-
+
### Step 3: Create a subquery
@@ -216,7 +218,7 @@ _sourceCategory=reinvent/travel/checkout
Since we only want to pass the IP address back as a keyword we specified the `src_ip` field and the `keywords` argument with `compose`.
-
+
#### Without keywords
@@ -257,7 +259,7 @@ _sourceCategory=reinvent/travel/checkout
| count by funcname
```
-
+
#### If
@@ -447,12 +449,12 @@ These concepts are covered in [How to Build a Search](/docs/search/get-started-w
* Your queries will perform better if you have the child query in the search expression (before the first pipe, `|`), rather than having it in the filter clause. The below examples highlight this point. In the first, we use subquery before the first pipe and it executes in 17 seconds:
- 
+
`compare` that to where subquery is used in the where clause and you
can see it takes 29 seconds to execute:
- 
+
* If the child query is used to build the filter clause, try having the filter clause close to the search expression (rather than having it further down in the query to improve performance. Your query should be more like the one on the right.
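Review bot: the removed lines are "- " with trailing whitespace, so this hunk also cleans up whitespace, which is fine, but the trailing context line "try having the filter clause close to the search expression (rather than having it further down in the query to improve performance." has an unclosed parenthesis; close it after "query" while this bullet is in the diff context. Also note the timings stated in the surrounding bullets ("executes in 17 seconds", "29 seconds to execute") depend on the screenshots being replaced here, so the new images should still show those run times.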
@@ -477,7 +479,7 @@ These concepts are covered in [How to Build a Search](/docs/search/get-started-w
* Run the child query in a separate tab first. Append the compose operator at the end of that query to check the results that are returned. When you are happy with the query, copy it into your main subquery. This pre-testing reduces the chances of creating queries that generate incorrect results. The screenshot shows how you can build your child query in a separate tab using compose operator.
- 
+
* If the subquery is generating too many records, try reducing the time range of the query.
* If the subquery returns more than 10000 results or exceeds the 100MB memory limit, you will receive the following error message:
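Review bot: `compose` is written as plain text in "Append the compose operator" and "using compose operator" while the same page formats it as `compose` elsewhere; make the code font consistent and add the article ("using the `compose` operator").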
diff --git a/docs/search/time-compare.md b/docs/search/time-compare.md
index 9e35237575..731faf7375 100644
--- a/docs/search/time-compare.md
+++ b/docs/search/time-compare.md
@@ -77,7 +77,7 @@ Then, from the **Time Compare** button, select **Custom**, and set the **Cus
From the results in the **Aggregates** tab, you can select the line chart icon, and display your results as:
-
+
For more compare operator examples, see [Examples](./time-compare.md).
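Review bot: the link `[Examples](./time-compare.md)` points at the file it sits in (this hunk is in docs/search/time-compare.md) with no section anchor, so it only reloads the page; point it at the anchor of the Examples heading instead.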
@@ -134,7 +134,7 @@ The following query returns results from the present, along with results from ev
Which can be displayed visually as:
-
+
The following query returns result from the present with results from the same day in the last 3 weeks. So if today is Monday, then this query will show a result for today and the last three Mondays.
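Review bot: "returns result from the present" should be "returns results from the present"; the sentence also mixes "last 3 weeks" with "last three Mondays", so pick one number style.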
@@ -158,7 +158,7 @@ The following query returns results from the present along with the average of t
Which can be displayed visually as:
-
+
Other examples:
@@ -239,11 +239,11 @@ error
The query returns results from both today and two days ago, with each day in its separate column. Today's results are represented by `_count`.
-
+
Create a line chart to visualize the results.
-
+
Using the multiple comparison feature, you can compare the number of logs against every ten minutes of the past hour:
@@ -256,11 +256,11 @@ _sourceHost = prod
Each 10-minute period produces its own column in the output table:
-
+
Create a line chart to visualize the results.
-
+
Alternatively, you can compare against the average of all the ten minute periods:
@@ -271,11 +271,11 @@ _sourceHost = prod
| compare timeshift 10m 5 avg
```
-
+
Create a line chart to visualize the results.
-
+
### Compare categorical data parsed from logs
@@ -290,11 +290,11 @@ Use compare to analyze the change in delays on different `_sourceHosts` using pa
This example computes the average delay per `_sourceHost`, and compares with results from 30 minutes ago.
-
+
These results would create a line chart such as the following.
-
+
### Compare after a Transpose operation
@@ -327,7 +327,7 @@ You can then use this query to build the scheduled search email alert.
1. On the Search page, under the query box, click **Save As**.
1. Click **Schedule this search**.
-1. For **Run frequency**, select the time period at which you want to schedule this search. For this alert, we have selected **Every 2 Hours**.
1. For **Send notification**, select **if the following condition is met**.
1. For **Alert condition**, select **Greater than >,** and for **Number of results **enter **5**.
1. For **Alert Type**, select **Email**.
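Review bot: the hunk header `@@ -327,7 +327,7 @@` says one line is added, but only the removed **Run frequency** step is visible and no `+` line follows it, so as shown the scheduled-search procedure loses its frequency step (and the "Every 2 Hours" choice) entirely; confirm the replacement line was included in the commit. Separately, `**Number of results **enter **5**` has the closing `**` after a space, so the bold will not render; it should read `**Number of results**, enter **5**`.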