Skip to main content
Sumo Logic

Influence the LogReduce Outcome

The algorithm used for the logreduce operator uses fuzzy logic and soft matching to group messages with similar structures and common repeated text strings into signatures, providing a quick investigative view, or snapshot, for the keywords or time range provided. LogReduce data is based on the data available to the algorithm during the time range of your search. In some cases, this data sampling produces results that don't meet your needs. You can influence the algorithm by editing a signature to make the results more general, or see more granular results by splitting a signature. In addition you can promote or demote a signature to help Sumo Logic understand what data is the most relevant to you.

The following icons allow you to change the results of a LogReduce report:

Icon Action
Summarize_thumbs_up_24x26.png Promote a signature to the top position of the Signatures tab.
Summarize_thumbs_down_22x22.png Demote a signature to move it to the bottom of the last page of the Signatures tab.
summarize-break-out.png Split a signature into multiple signature.
Summarize_edit_icon.png Edit a signature.
summarize-undo.png Undo the last action or step back through the history of changes.
summarize-redo.png Redo the last action. Repeat to redo the history of undos.

Promoting or Demoting a LogReduce Signature

When viewing LogReduce results, you can promote a signature to indicate to Sumo Logic that the data included in the signature is exceptionally relevant to you. This feedback is taken into consideration when you run LogReduce the next time. If you click the thumbs down button to demote a signature, Sumo Logic also learns that the data contained in the signature isn't highly relevant; in future searches signatures containing that data won't appear in the top of the results tab.

If, however, you run a saved search containing LogReduce, promoting or demoting a signature will apply only to the results of the single search, and won't be applied to searches you run ad-hoc. In other words, the promotion or demotion is retained only in the context of the saved search results you're viewing.

Promote a signature

Click the thumbs up icon to move the signature to the top position in the Signatures tab.


Demote a signature

Click the thumbs down icon to move the signature to the bottom of the last page in the Signatures tab.


Splitting a signature

If you'd like to see more granular results, you can split a signature. When you split a signature, you'll notice that fewer wildcard asterisks will appear; instead specific values are included in the signatures. Even though the data is more specific, the results after splitting a signature will still be fuzzy because the LogReduce algorithm bases results only on the window of time you've run the search against.

After you split a signature, the position of the signatures may move (one may even move to another page of results). Each line is still highlighted in yellow so you can easily identify them.

For example, you've selected a signature to split. The hostId shouldn't be generic; by splitting the signature you should get more specific results.


After splitting, you'll see that each signature has specific data:


Split a signature

Click the Split icon next to the signature you'd like to split.