Sumo Logic

Detect Patterns with LogReduce

The LogReduce algorithm uses fuzzy logic and soft matching to group messages with similar structures and common repeated text strings into signatures, providing a quick investigative view, or snapshot, for the keywords or time range provided.

The Signatures tab displays LogReduce results as signatures. A signature is basically a reflection of the logs grouped by LogReduce—not all logs grouped in a signature will exactly match it. Within a signature, fields that vary are displayed with wildcard placeholders (**********) while other fields, such as timestamp (and some URLs) are ignored and replaced with placeholder variables such as $DATE and $URL.
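As an added illustration, not Sumo Logic's code or the actual LogReduce algorithm, the toy Python below approximates the idea described above: timestamps and URLs are replaced with the $DATE and $URL placeholders, lines of similar structure are soft-matched into groups, and fields that vary within a group are shown as wildcard placeholders. The log lines are constructed for the example; the 0.6 match threshold is an assumption.

```python
import re

WILDCARD = "**********"  # stands in for fields that vary within a signature
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")
URL_RE = re.compile(r"https?://\S+")

# Constructed sample log lines for the demonstration (not from the page).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 INFO user alice logged in from 10.0.0.5",
    "2024-03-01T10:00:07 INFO user bob logged in from 10.0.0.9",
    "2024-03-01T10:00:09 INFO user carol logged in from 10.0.0.12",
    "2024-03-01T10:01:00 WARN request to https://api.example.com/v1/orders failed with 503",
    "2024-03-01T10:01:04 WARN request to https://api.example.com/v1/users failed with 503",
    "2024-03-01T10:02:30 ERROR disk /dev/sda1 at 97% capacity",
]

def normalize(line):
    """Replace timestamps and URLs with placeholder variables, then split on whitespace."""
    line = DATE_RE.sub("$DATE", line)
    line = URL_RE.sub("$URL", line)
    return line.split()

def similarity(signature, tokens):
    """Share of the signature's fixed (non-wildcard) positions that the line matches exactly."""
    fixed = [(s, t) for s, t in zip(signature, tokens) if s != WILDCARD]
    return sum(s == t for s, t in fixed) / len(fixed) if fixed else 1.0

def reduce_logs(lines, threshold=0.6):
    """Greedy soft-match grouping (toy approximation): a line joins the first signature
    of equal token count that it matches at or above `threshold`; positions that differ
    become wildcards. Returns (signature_text, message_count) pairs, largest group first."""
    clusters = []  # each entry is [signature_tokens, count]
    for line in lines:
        tokens = normalize(line)
        for cluster in clusters:
            signature = cluster[0]
            if len(signature) == len(tokens) and similarity(signature, tokens) >= threshold:
                cluster[0] = [s if s == t else WILDCARD for s, t in zip(signature, tokens)]
                cluster[1] += 1
                break
        else:
            clusters.append([tokens, 1])
    clusters.sort(key=lambda c: -c[1])  # stable sort keeps first-seen order among ties
    return [(" ".join(sig), count) for sig, count in clusters]

if __name__ == "__main__":
    for signature, count in reduce_logs(SAMPLE_LOGS):
        print(f"{count:>3}  {signature}")
```

Note that the two WARN lines collapse into one signature without a wildcard because the differing URLs were already normalised to $URL, which mirrors why the placeholder variables exist.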

You can refine the results of the LogReduce algorithm to make the outcome more generic or more specific. See Influencing the LogReduce Outcome for more information.

Will my LogReduce search results match my keyword search results?

Generally speaking, no. LogReduce is intended to be a jumping-off point for your analysis. Unlike a keyword search, where you're looking for data related to, say, a specific Source or an error message, LogReduce uses fuzzy logic to return signatures containing messages that may be of interest to you. If you're not happy with a signature, you can teach LogReduce how you'd like the results to be made more specific. Don't think of a signature as an example of what logs are grouped under it; instead, think of a signature as a reflection of what LogReduce thinks you'll find interesting if that signature catches your eye. Once you begin digging into LogReduce results, you'll then want to structure a keyword query that delivers precise results.

Running a LogReduce query

When you run a LogReduce query, you can first filter results with a simple string or metadata expression, or you can just type a wildcard (*). Specify a reasonable time period, service, or geographic region. Follow your keyword expression with the logreduce operator to group the resulting logs into meaningful groups of messages called signatures. When running a LogReduce query, you will often see signatures change as the algorithm sorts through the resulting data and works to determine the best signature assignments for messages.

To run a LogReduce query:

  1. In the search query field, enter a keyword string or a metadata tag (for example, _sourceCategory="Western Region") to initially filter messages to some category, or you can just type a wildcard (*).
  2. Then type a pipe symbol (|) and the logreduce operator. (You may also use the summarize operator, as it is a synonym.) For example, to LogReduce messages for your "CustomerAccounts" module, type:

    CustomerAccounts | logreduce

  3. Press enter or click Start. Results appear in the Signatures tab. Do any of the following:
  • Click the Messages tab to see the individual messages for all signatures combined.
  • To see the messages grouped in a signature, select the check box for the signature, and then click View Details. A new Search tab opens, the details operator is added to the query, and the messages are displayed. You can check more than one box to see the combined results in time order in the new Search tab.
  • To export the results, click the Export icon. Then click Download to save the file to your computer.
  • To save the query as a LogCompare Saved Baseline operation, click the Save Baseline button. Enter a Name for the baseline and then click Save.

[Figure: the LogReduce Signatures tab, with the numbered callouts described below]

  1. Promote, Demote, and Split icons.
  2. Undo and Redo icons.
  3. Click to view messages for the selected signature.
  4. Click to save the query as a Baseline.
  5. Click to download the LogReduce report.

Investigating the Others signature

Messages that Sumo Logic cannot readily group are separated into a distinct signature called Others. This signature might contain simple, miscellaneous messages that are of low importance, or it might contain anomalous messages that are meaningful. To fully understand the Others signature, a human needs to investigate further.

To investigate the messages in the Others signature:

  1. Select the check box and click View Details.
  2. Sumo Logic runs the LogReduce algorithm on the signature with the details operator, and then displays the resulting sub-signatures.