
Getting the Most out of Sumo Logic

Attend a Quickstart Training Webinar

If you and your team have not yet attended our live Quickstart training, please register for the next session. The session is FREE for all Sumo Logic users and we will be covering the basics of: 

  • Setting your user preferences
  • Constructing a search (parsing, aggregation, limits, and more)
  • Saving and publishing searches
  • Creating and modifying dashboards
  • Scheduling searches and creating alerts
  • Using advanced analytics (LogReduce, outlier detection)

If you cannot join us live, you can also watch a previously recorded webinar.

Or for a text version, see the Quick Start Tutorials.

Enable the Audit Index and Install the Sumo Logic Audit App

The Sumo Logic Audit Index provides information on the internal events that occur in your account associated with account management, user activity, scheduled searches, and more. These events generate audit messages, which are collected in the Audit Index to give you better visibility into your account usage.

To enable the Audit Index feature:

Use the instructions in Enable and Manage the Audit Index.

To install the app:

Use the instructions in Sumo Logic Audit App.

Enable the Data Volume Index and Install the Data Volume App

The Data Volume Index provides data that allows you to understand your account’s data ingest volume in bytes and number of log messages processed overall. The Data Volume Index gives you better visibility into how much data you are sending to Sumo Logic, allowing you to proactively manage your systems’ behavior and to fine tune your data ingest with respect to the data plan tied to your Sumo Logic subscription.

Once enabled, you can access the Data Volume Index using the search query: _index=sumologic_volume

To enable the Data Volume Index:

Use the instructions in Enable and Manage the Data Volume Index.

To install the app:

Use the instructions in Sumo Logic Data Volume App.

Enable the Sumo Logic Support Account

Administrators can decide to enable a Sumo Logic support account, which grants very select Sumo Logic representatives access to your organization's account, allowing them to resolve issues that arise. Admins can choose to keep the Support Account enabled full-time, or the account can be disabled when no issues are being investigated.

When a support account is enabled, a special user is added to your organization's Sumo Logic account, named Sumo Logic Support. This is the user that Sumo Logic support agents will use to log into your organization's account to troubleshoot issues. If you disable your support account, the Sumo Logic Support user account is disabled. It's important to remember to capture any content created by the Sumo Logic user account before disabling it.

To enable a Support Account:

Use the instructions in Enable a Support Account.

Create a Source Category Naming Convention

Read our Best Practices document: Good Source Category, Bad Source Category.

A robust source category naming scheme will offer the following advantages:

  1. It simplifies searching syntax and scope definition. This is the primary reason for doing this, as it will make Sumo Logic easier to use. Ideally, users should be able to easily run searches across all related logs sourced from different machines.

    … instead of …
    (_collector=win_2008_server1 OR _collector=win_2012_server1 OR _collector=win_2008_server2)
  2. It simplifies the configuration of Role-Based Access Controls (RBAC). For example, you may need to create a new role titled “Network Engineer”. The search filter associated with that role could be _sourceCategory=Networking/*. This metadata tag would then be prepended to all queries executed by someone with this role.

    To learn more about RBAC filtering, refer to Users and Roles.
  3. It helps create intuitive partition schemes that do not require editing. Ideally, you will never have to edit partitions. Editing partitions currently requires a new name to be created, which means users will have to be reeducated. To learn more about partitioning your data, see Partitions.

Start with the most generic description of your messages on the left and add layers of increasingly specific data descriptors to the right. Depending on the complexity of your organization and your technology stack, you can have many layers in your source category name. Here are a few examples:

  • Networking/Firewall/Cisco/FWSM
  • Networking/Switch/Cisco/ASA
  • OS/Windows/2012/Security
  • Prod/Sumologic/Web/Apache/Access
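As an added illustration (not Sumo Logic's own code), the following Python models the two points above: a hierarchical _sourceCategory lets one glob replace a list of _collector clauses, and a role's search filter prepended to a query limits what that role can see. Matching is a simplified assumption (case-insensitive '*' globbing over the metadata value), not Sumo Logic's exact search semantics.

```python
"""Simplified model of metadata scoping for a source category naming scheme.
Assumption: '*' globbing with case-insensitive matching, not Sumo's exact rules."""
import fnmatch
import re

# Constructed sample messages, tagged with category names from this page.
MESSAGES = [
    {"_collector": "fw-edge-1", "_sourceCategory": "Networking/Firewall/Cisco/FWSM", "msg": "deny tcp"},
    {"_collector": "sw-core-1", "_sourceCategory": "Networking/Switch/Cisco/ASA", "msg": "link down"},
    {"_collector": "win_2008_server1", "_sourceCategory": "OS/Windows/2008/Security", "msg": "4625"},
    {"_collector": "win_2012_server1", "_sourceCategory": "OS/Windows/2012/Security", "msg": "4624"},
    {"_collector": "web-1", "_sourceCategory": "Prod/Sumologic/Web/Apache/Access", "msg": "GET /"},
]

# One 'field=value' clause; parentheses and whitespace end the value.
CLAUSE = re.compile(r"(_sourceCategory|_collector)=([^\s()]+)")


def source_category(*layers):
    """Join layers from most generic (left) to most specific (right)."""
    if not layers or any(not layer or "/" in layer for layer in layers):
        raise ValueError("each layer must be non-empty and contain no '/'")
    return "/".join(layers)


def matches(message, scope):
    """True if any 'field=glob' clause in scope matches the message (OR semantics)."""
    return any(
        fnmatch.fnmatchcase(message.get(field, "").lower(), glob.lower())
        for field, glob in CLAUSE.findall(scope)
    )


def search(messages, query_scope, role_filter=None):
    """Return messages in query_scope; a role filter, when present, is ANDed
    in front of the user's query, as described for RBAC search filters."""
    return [
        m for m in messages
        if matches(m, query_scope) and (role_filter is None or matches(m, role_filter))
    ]


if __name__ == "__main__":
    by_collector = "(_collector=win_2008_server1 OR _collector=win_2012_server1)"
    print(search(MESSAGES, by_collector) == search(MESSAGES, "_sourceCategory=OS/Windows/*"))
    # A Network Engineer role sees only Networking/* even with an unrestricted query.
    print(len(search(MESSAGES, "_sourceCategory=*", role_filter="_sourceCategory=Networking/*")))
```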

Review the Documentation

Review the complete set of Sumo Logic product documentation on DocHub, which will help you get started with our service.