Skip to main content
Sumo Logic



  • Absolute expressions    
    Used in time range expressions, when setting a specific time range of a search. For example, 04/01/2018 20:32:00 to 04/01/2018 20:35:00 will run the search from April 1st, 2018 at 8:32 PM until April 1st, 2018 at 8:35 PM.
  • Access Key 
    A key, generated by Sumo Logic, that you use to securely register new Collectors and to access Sumo APIs.
  • Admin mode
    If your Sumo role grants you the Manage Content capability, you can switch to Admin mode so that you can move content from one folder to another for anyone in your organization, and mark content “Admin Recommended”
  • Admin recommended 
    An area at the top of the Sumo Library in the Left-Nav that lists highlighted content. A Sumo user with the Manage Content capability can add content to the admin recommended list. 
  • Aggregate
    A group of data returned by a search, displayed in a simple table in the Aggregates tab of the Search page.
  • Amazon S3 Audit Source
    The Amazon S3 Audit Source, also called Server Access Logging, tracks and collects your Amazon S3 bucket's activity logs.
  • Apps
    Sumo Logic Apps (short for applications) deliver out-of-the-box Dashboards, reports, saved searches, and field extraction for popular data Sources, such as AWS, Windows, Apache, and many more. When a customer installs an app in Sumo Logic, preconfigured searches and Dashboards are customized with the customer's Source configurations and populated in a folder. Customers then can monitor their system's behavior visually using the Dashboards.
  • Autocomplete
    On the Search page of the Sumo Logic user interface, the search autocomplete drop-down dialog offers suggestions to make query writing easier. Suggestions include simple logic that offers common default queries, keywords, metadata terms, and search operators. The autocomplete dialog also includes links to Help topics for more information.


  • Blacklisted metric source  
    A metric source that Sumo has disabled because it has received too many unique time series. A blacklisted metric source will stop receiving data, and that data cannot be recovered.
  • Burst limit 
    To allow for spikes in metrics ingestion, Sumo applies a multiplier to your DPM limit to allow you send metrics at a higher rate, referred as your burst limit, before Sumo starts to throttle your metric sources.


  • Capability 
    In Sumo role-based access control (RBAC), you grant the users with a role the right to perform a particular function by assigning the corresponding capability to the role. For example, the “Manage Collectors” capability allows a user to install and manage installed and hosted Collectors and Sources. 
  • Carbon 2.0 
    A plaintext metric format in which metrics are identified by key-value pairs. In Carbon 2.0, the actual thing being measured is identified by intrinsic tags; additional metadata is provided in meta tags. Sumo’s HTTP source and Streaming Metric Source support Carbon 2.0 metrics.
  • Cloud
    The Sumo Logic Cloud is a secure, scalable repository for all of your operations, security, compliance, development, and other log data. The Sumo Logic Cloud stores, indexes, parses, and analyzes data, and provides unlimited horsepower with elastic scalability.
  • Collector
    Sumo Logic Collectors are lightweight applications that allow you to connect your environment to Sumo Logic in order to collect message data. There are two types of Collectors. Installed Collectors are configured on machines in your deployment for Sources such as Local File, Remote File, Syslog, Local Windows Event Logs, Remote Windows Event Logs, and Script. Hosted Collectors require no installation, and are used to collect data from various services like Amazon S3 or over HTTP and Syslog.
  • Content sharing
    A Sumo feature that allows you to share searches, dashboards, and folders with a user, a role, or combinations of the two. 


  • Dashboard
    Dashboards contain a collection of real time Panels that provide a graphical representation of your organization's data. Panels are created by running search queries. From the resulting data in the Search page's Aggregates tab, you can display that data using different types of charts. Once Panels are created, they are saved to a Dashboard.
  • Dashboard Theme
    In Dashboards, you can toggle the background color scheme from Light to Dark.
  • Data access level
    The data access level for a dashboard determines what data a user with whom the dashboard is shared can view in the dashboard.
  • Data Forwarding
    When enabled, the Data Forwarding feature allows Sumo Logic to upload data to an Amazon S3 bucket that belongs to your organization. Log messages are saved as CSV files in compressed gzip files. They are accumulated and returned right after being ingested by Sumo Logic.
  • Data Panel
    Panels are placed on Dashboards and provide a graphical representation of your organization's data. Data Panels are created by running search queries. From the resulting data in the Search page's Aggregates tab, you can display that data using different types of charts. Once Panels are created, they are saved to a Dashboard. See also, Text Panel.
  • Data Type
    A Data Type is a specific type of log used with a Sumo Logic Source or App, such as Apache, MySQL, or Windows IIS. You can also use a custom Data Type for a custom application.
  • Data Volume Index
    The Data Volume Index automatically provides data that allows you to understand your account’s data ingest volume in bytes and number of log messages processed overall. The Data Volume Index gives you better visibility into how much data you are sending to Sumo Logic, allowing you to proactively manage your systems’ behavior and to fine tune your data ingest with respect to the data plan for your Sumo Logic subscription.
  • Deployment
    Sumo Logic has several deployments that are assigned depending on the geographic location and the date an account is created.
  • DPM 
    Stands for data points per minute. Metric data volume is measured in DPM. For example, a CPU metric reported on a single host every 15 seconds produces 4 DPM.


  • Endpoints
    Sumo Logic has several pods that are assigned depending on the geographic location and the date an account is created. Sumo Logic redirects your browser to the correct login URL and also redirects Collectors to the correct endpoint. However, if you're using an API you'll need to manually direct requests to the correct API endpoint; API calls are not redirected to another endpoint.
  • Exclude rule
    Exclude rules are a type of Processing Rule that specifies log messages that you don't want to send to Sumo Logic, think of it as a "blacklist" filter.


  • Favorite
    The Favorites tab displays searches and Dashboards that you refer to frequently, or content that you want to keep handy. In the Library, on the Personal and Org tabs, you can "favorite" content to make it appear on the Favorites tab. Just click the star icon for your saved search, Dashboard, installed app, or folder, and it will be saved to the Favorites tab for easy access. You can also favorite saved searches from the Search page, and favorite Dashboards from the Dashboards page.
  • Field Extraction
    Field Extraction can be set up as rules that parse out fields as log messages are ingested. This means that instead of running a query to parse out fields, that work is done automatically so when it's time to run a search the fields are already available in results.


  • Geo lookup
    Sumo Logic can match a parsed IPv4 or IPv6 address to its geographical location on a map. To create the map the lookup operator matches parsed IP addresses to their physical location based on the latitude and longitude of where the addresses originated.
  • Group
    Group-by functions include count, count_distinct, sum, avg, stddev, max, min, last, and first. You can use "group" or "by" instead of "group by", so "count (*) group by user" is equivalent to "count by user". All group-by functions create a corresponding field preceded by an underscore, for example, _count.
  • Graphite 
    A  plaintext metric format where the thing you’re measuring is identified by a dot-separated string, referred to as a metric path. Sumo’s HTTP source and Streaming Metric Source support Graphite metrics.


  • Hash rules
    Hash rules replace a message with a unique, randomly-generated code to protect sensitive or proprietary information. You may want to hash unique identifiers, such as credit card numbers or user names. By hashing this type of data, you can still track it, even though it's fully hidden.
  • Host Metrics
    The Sumo Logic app for Host Metrics allows you to collect local host metrics and display them using predefined search queries and dashboards. The app provides dashboards to display analysis of local host metrics for the CPU, disk, memory, network, and TCP.
  • Hosted Collectors
    Hosted Collectors don't require installation or registration, nor do Hosted Collectors have physical requirements, since they're hosted by Sumo in AWS.


  • If operator
    A ternary operator used to evaluate a condition as either true or false, with values assigned for each outcome. It is a shorthand way to express an if-else condition.
  • Include rule 
    Include rules are a type of Processing Rule that is used to send only the data you'd like in your Sumo Logic account (a "whitelist" filter). This type of filter can be very useful when the list of log data you want to send to Sumo Logic is easier to filter than setting up exclude filters for all of the types of messages you'd like to exclude.
  • Installed Collector
    Installed Collectors are deployed in your environment, either on a local machine, a machine in your organization, or even an Amazon Machine Image (AMI). Installed Collectors require a software download and installation. Upgrades to Collector software are released regularly by Sumo Logic.
  • Intrinsic tags 
    In Carbon 2.0-formatted metrics, intrinsic tags are the one or more space-separated key-value pairs that uniquely identify what is being measured. Intrinsic tags are also referred to as dimensions.


  • Library
    The Library provides a central location for shared and saved content in your Sumo Logic account, as well as content shared by others in your organization. In addition to shared and saved searches, Dashboards can be saved and shared in the Library. 
  • Limit operator
    Use the Limit operator to reduce the number of results returned.
  • Live Tail
    Sumo Logic Live Tail allows you to see a real-time live feed of log events associated with a Source or Collector. The live feeds can help you with development and troubleshooting. You can see all log messages as they come in, but they are not sorted as they are with Search.
  • Local Configuration File Management
    Local Configuration File Management allows you to set up and manage Sources on an Installed Collector using one or more JSON files.
  • LogCompare
    LogCompare allows you to compare a section of your log messages from one point in time with the same section at another point in time, and display the changes in patterns.
  • Log overlay 
    A Sumo feature you can use to run a log query on the metric query page and visualize the count of matching log messages on the metric chart.
  • LogReduce
    LogReduce uses fuzzy logic to cluster messages together based on string and pattern similarity. Use the LogReduce button and operator to quickly assess activity patterns for things like a range of devices or traffic on a website.
  • Logs-to-Metrics 
    A Sumo feature you can use to extract or create metrics from log data. You can extract metrics that are embedded in logs, or count logs as a metric.


  • Markdown
    Used in Dashboards, you can add Text Panels to include titles or text descriptions. Use Markdown syntax to add bold or italic formatting, bullet lists, code font, and other formatting. See Help for details.
  • Mask rule
    Mask rules are a type of Processing Rule that replaces an expression with a mask string that you can customize—another option to protect data, such as passwords, that you wouldn't normally track.
  • Messages tab
    When you run a search query, messages display in the Message tab in the lower half of the browser window of the Search page.
  • Metadata
    Data about other data. If the logs and metrics you ingest have associated metadata, you can leverage it for more targeted log searches and metric queries. Metadata for metrics includes both intrinsic tags and meta tags. Sumo features related to metadata include:   
    • Search metadata. Sumo applies search metadata fields, such as _sourceCategory and _sourceHost to the logs and metrics it ingests.
    • Sumo Logic AWS Metadata Source. This source collects tags from EC2 instances running on AWS and attaches the tags to metrics you collect.
    • Metric rules editor. This feature allows you to attach metadata derived from the metric identifier to metrics you collect.
  • Meta tags 
    In Carbon 2.0-formatted metrics, meta tags are the key-value pairs for a metric that  provide additional, but not identifying information about the thing being measured. A meta tag is a piece of metadata that might be useful in querying your metrics.  
  • Metric metadata change throttling 
    A Sumo feature that limits the number of times you can change the metadata for a metric to six changes per 24 hours. After you reach the limit of six changes per 24 hours for a particular metric, Sumo will stop updating the metadata for that metric. Sumo stops throttling and resumes metadata changes for the metric 24 hours after the first of those six metadata changes was made. 
  • Metric monitor 
    A Sumo feature that allows you to set a monitor on a time series to alert when the metric has crossed a static threshold, and then send an email or Webhook notification. 
  • Metric rules editor 
    A page in the Sumo web app for creating metric rules.
  • Metric rules 
    A Sumo feature that allows you to tag metrics with data derived from the metric identifier. Then, you can use those tags in metric queries.
  • Metric throttling 
    A Sumo feature that throttles your metric sources when you exceed your DPM burst limit. Your ingestion is slowed down until the rate of ingestion is within the allowable contracted limits.
  • Metric volume index 
    A Sumo index to which Sumo writes messages with information about the volume of metrics you are ingesting.
  • Microservices
    The microservices architecture enables you to structure applications as collections of loosely coupled services that are fine-grained, with protocols that are lightweight. Building applications using different smaller services improves modularity and provides for the continuous delivery and deployment of large, complex applications.
  • Multiline
    Log messages that span multiple lines are called multiline messages.


  • Panel
    Formerly Monitors. Real-time Panels provide a graphical representation of your organization's data. Data Panels are created by running search queries. From the resulting data in the Search page's Aggregates tab, you can display that data using different types of charts. Once Panels are created, they are saved to a Dashboard.
  • Parse operator
    The parse operator (also called the parse anchor) parses strings according to specified start and stop anchors, and then labels them as fields for use in subsequent functions in the query such as sorting, grouping, or other functions. Parse options include "parse anchor" or "parse regex" for using regular expressions to form more complex parse queries. It is acceptable to use "parse" for "parse anchor", or "extract" for "parse regex".
  • Partition
    Sumo Logic allows you to filter a subset of the messages in an Index into a Partition. Partitioning messages in an Index improves search query performance, as the total number of messages that need to be searched is reduced. Once messages are routed to a Partition, you can limit your search to those messages using the Partition name in a search query.
  • Pinned searches
    The Pinned Search feature allows you to start a search, then “pin” it, so it will continue running in the background independent of the browser session. Then, you can close the Search tab or log out and find your results later in the Library on the Recent tab in a folder named Pinned Searches.
  • Processing rules
    A Sumo feature you can use to filter or forward log data ingested by Sumo from a Sumo source. You can use processing rules to include or exclude messages, and to mask or hash sensitive information in logs. You can also forward matching messages to external destinations, including AWS S3.


  • quantization
    The process by which Sumo aggregates raw metric data points over a particular time bucket. Similar to “timeslice” in logs, Sumo will automatically bucket your datapoints into quantization intervals based on the timerange of your search. For example, 5 second quantization intervals for a 15-minute search and 15 seconds for a 60-minute search.
  • quantize operator
    An operator you can use is metric queries to specify the size of the time buckets over which Sumo will aggregate metrics, and the aggregation method Sumo will use to quantize the data.


  • Receipt Time
    You can display search results in the order that the Collector received the messages in milliseconds.
  • RBAC
    Sumo Logic supports Role-Based Access Control (RBAC) to allow Administrators to customize system access. With RBAC, Administrators create roles for groups of users who perform various job functions. Users are not assigned permissions directly, but inherit permissions through roles (or even through a single role). Role assignments can grant users permissions to access some data sets, or can restrict users from accessing types of data.
  • Relative expressions
    Used in time range expressions, when setting the non-absolute time limits of a search. For example, -1d, -1d -12h, -12h -60m.
  • Role
    In Sumo role-based access control (RBAC), you grant users access to data and to Sumo functions using roles. You assign role capabilities and a role search filter to a role, and assign one or more roles to a user. 
  • Role search filter 
    A search filter for a role defines what log data a user with that role can access. You can define a search filter using keywords, wildcards, and selected Sumo metadata fields and logical operators.
  • Rollup tables 
    Metric data is stored in Sumo Logic as raw data points, and aggregated over   one minute and one hour resolutions. The one minute and one hour aggregated metrics are referred to as rollup tables. Raw data is retained for 7 days, one-minute rollups for 30 days and one-hour rollups for 13 months. 


  • SAML
    Sumo Logic supports self-provisioning of Security Assertion Markup Language (SAML) to enable Single Sign-On (SSO). In addition to basic SAML configuration, you can choose optional on-demand user creation (via SAML 2.0 assertions), and designate custom log in and/or log out portals.
  • Scheduled View
    A Scheduled View is a pre-aggregated index of a subset of data. After building a Scheduled View, you'll be able to run queries against that data set. Because the data is pre-aggregated, meaning that query you'll use to create a Scheduled View contains an aggregate function, search results return much quicker. Additionally, queries run against a Scheduled View cannot time out. Queries that run against Views can be used in scheduled searches, Dashboards, and in ad hoc searches.
  • Search Autocomplete
    See Autocomplete.
  • Search Templates
    Search templates simplify searches for users by providing easy to select input choices. You can have search templates replace any text in a query, including fields, keywords, and arguments to operators.
  • Service Whitelist Settings
    Service Whitelist Settings allow you to explicitly grant access to specific IP addresses and/or CIDR notations.
  • Single Value Chart
    A Single Value chart is useful for displaying the results of a query that returns only a single value or record, in order to make that value stand out at a glance. If the query returns more than one value in the Aggregation tab, only the first value is displayed in the Single Value chart.
  • Sort operator
    The Sort operator orders aggregate search results.
  • Sources
    Sources are configured on Sumo Logic Collectors and collect customer data.
  • Support Account
    Administrators can decide to enable a Sumo Logic support account, which grants very select Sumo Logic support agents access to your organization's account, better helping those agents to resolve issues that arise. Admins can choose to keep the Support Account enabled full-time, or the account can be disabled when no issues are being investigated.


  • Text Panels
    Used in Dashboards, you can add Text Panels to include titles or text descriptions. See also Markdown.
  • Throttling
    Slows the rate of ingestion across all Collectors in an account to not exceed the allowable rate. 
  • Time series 
    A set of timestamped values of a specific measurement. 
  • Timeslice operator
    Timeslice segregates search results by a time period, or by a number of buckets over a search's time range.
  • Transaction operator
    Groups logs in a sequence by referencing a unique identifier in your logs and parsing out meaningful states of the transaction. Results can be returned by the transactions themselves, states, or flow (latency). A flow chart is available when returned by flow.
  • Transactionize operator
    Groups logs that match on any fields you specify. Unlike other group by operators, where the logs in a group must match on all defined fields, transactionize just needs one field to match in order to assign logs to the same group.


    The file is used to pass Collector parameters for some installation methods.


  • Web Application
    The Sumo Logic product is officially called the Sumo Logic Web Application. The Sumo Logic Web Application allows customers to view and analyze your log data in the cloud, and provides access from anywhere since it is fully browser based.
  • Where operator
    A conditional operator that can precede or follow another operator. Example combinations include "where x matches y", "where x in (a, b, c)", "where x not in (a, b, c)" and "where a > 1 and b / 4 < sqrt(x)".