Sumo Logic

Lab 6 - Filter Time Series using advanced query mode

This lab teaches you to filter and aggregate to limit your search to the data you need.
Getting into Advanced Query Mode

For Labs 6-10 you will use advanced query mode in the Metrics panel. For each query you want to switch, click the vertical three-dot menu at the far right of the query line and select Advanced Mode, as shown below.

  1. To visualize your data, click New in the tab bar and select Metrics.

[screenshot]
This opens a new metrics query in Basic Mode. Switch it to Advanced Mode as shown below. The next query uses the filter statement, which is only available in advanced metric query mode.

[screenshot]

Once you have switched to Advanced Mode, the query line becomes a free-text field where you type the metrics query directly. Your interface should look like this:

[screenshot]
The differences between Basic and Advanced Query modes were discussed in the previous lab; see the Sumo Logic documentation for additional information.

Creating Filter Time Series and other operators

To filter metrics, you add an expression to your query that combines an aggregate function (such as min, max, avg or sum), a comparison operator, a numeric threshold and, optionally, boolean operators, so that only the time series you need are returned.

You can use the following metrics operators to filter a time series:

  • topk - keep the X time series with the highest aggregate value

  • bottomk - keep the X time series with the lowest aggregate value

  • filter - keep only the time series whose aggregate over the query time range (max, min, avg or sum) satisfies a comparison; a series is kept or dropped as a whole, not point by point

For this lab we will use the filter operator to look at the CPU_Sys metrics associated with our device.

  1. You can identify the available metadata fields by using the inline search-ahead next to Metric.


[screenshot]

For example, select _contentType= and then pick the specific content type you are looking for.

  1. Select _contentType= and then select HostMetrics as shown below:

[screenshot]

Complete the query by adding the source category of your computer's host metrics and specifying the metric CPU_Sys. Hint: _sourceCategory=hostmetrics/<your_initials> metric=CPU_Sys
Note: CPU_Sys reports the percentage of CPU time spent in the operating system kernel (system mode), as opposed to time spent in user processes.

The filter operator reduces the set of time series returned. Start with the unfiltered query:

_contentType=HostMetrics _sourceCategory=hostmetrics/<your_initials> metric=CPU_Sys

Note that suitable thresholds depend on your host. Run the query first without the filter, then add the filter and adjust the thresholds until the chart shows the series you are interested in.

1. Now append | filter min > 0 and max < 10 to the query, as shown below:

[screenshot]

2. Select Chart and your result should look similar to this:
[screenshot]

This lets you focus on the areas of interest in your metrics data and remove the "noise" of less important series. For example, to see only those CPU_Sys series whose average over the query time range is greater than 95:

metric=CPU_Sys | filter avg > 95

[screenshot]
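As an added illustration (not part of this lab or of Sumo Logic's own code), the Python model below reproduces how filter, topk and bottomk decide which time series to keep: each aggregate is computed over the whole query range and the comparison is applied per series, so a series survives or is dropped as a unit. The host names and CPU_Sys values are constructed sample data, and the small expression parser only handles the min/max/avg/sum aggregates and and-joined clauses used on this page.

```python
"""Model of how the Sumo Logic metrics operators filter, topk and bottomk
select time series.

Added example, not Sumo Logic code. Each aggregate is computed over the
whole query time range and the comparison is applied per series, so a
series is kept or dropped as a unit (never point by point).
"""
from __future__ import annotations

import re
from statistics import mean
from typing import Callable

# Constructed sample data standing in for metric=CPU_Sys (percent of CPU
# time in kernel mode) on four hypothetical hosts over one query range.
SAMPLE_SERIES: dict[str, list[float]] = {
    "host-a": [1.2, 2.5, 3.1, 2.0, 1.8],        # quiet host
    "host-b": [0.0, 0.0, 0.0, 0.0, 0.0],        # idle, min == 0
    "host-c": [96.0, 97.5, 98.0, 99.0, 96.5],   # sustained high load
    "host-d": [1.0, 1.5, 99.0, 1.2, 1.1],       # one short spike
}

# Aggregates the page lists for filter; each maps a series to one number.
AGGREGATES: dict[str, Callable[[list[float]], float]] = {
    "min": min,
    "max": max,
    "avg": mean,
    "sum": sum,
}

COMPARISONS: dict[str, Callable[[float, float], bool]] = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}

# One clause: <aggregate> <comparison> <number>, e.g. "min > 0".
_CLAUSE = re.compile(
    r"^\s*(min|max|avg|sum)\s*(>=|<=|!=|>|<|=)\s*(-?\d+(?:\.\d+)?)\s*$"
)


def parse_filter(expr: str) -> list[tuple[str, str, float]]:
    """Parse 'min > 0 and max < 10' into [('min', '>', 0.0), ('max', '<', 10.0)].

    Only and-joined clauses are supported, which is all this lab uses.
    """
    clauses: list[tuple[str, str, float]] = []
    for part in re.split(r"\s+and\s+", expr.strip(), flags=re.IGNORECASE):
        match = _CLAUSE.match(part)
        if match is None:
            raise ValueError(f"unsupported filter clause: {part!r}")
        aggregate, comparison, value = match.groups()
        clauses.append((aggregate, comparison, float(value)))
    return clauses


def filter_series(series: dict[str, list[float]], expr: str) -> dict[str, list[float]]:
    """Keep the series for which every clause holds over the whole range."""
    clauses = parse_filter(expr)
    kept: dict[str, list[float]] = {}
    for name, points in series.items():
        if not points:
            continue  # an empty series has no min/max/avg/sum, so nothing to compare
        if all(
            COMPARISONS[cmp](AGGREGATES[agg](points), threshold)
            for agg, cmp, threshold in clauses
        ):
            kept[name] = points
    return kept


def topk(series: dict[str, list[float]], k: int, aggregate: str = "avg") -> list[str]:
    """Names of the k series with the highest aggregate value, highest first."""
    ranked = sorted(series, key=lambda name: AGGREGATES[aggregate](series[name]), reverse=True)
    return ranked[:k]


def bottomk(series: dict[str, list[float]], k: int, aggregate: str = "avg") -> list[str]:
    """Names of the k series with the lowest aggregate value, lowest first."""
    ranked = sorted(series, key=lambda name: AGGREGATES[aggregate](series[name]))
    return ranked[:k]


if __name__ == "__main__":
    for expr in ("min > 0 and max < 10", "avg > 95", "max > 95"):
        print(f"filter {expr:<22} -> {sorted(filter_series(SAMPLE_SERIES, expr))}")
    print("topk(2, avg)    ->", topk(SAMPLE_SERIES, 2))
    print("bottomk(1, avg) ->", bottomk(SAMPLE_SERIES, 1))
```

Running the model shows the practical difference between the aggregates: filter max > 95 keeps both the sustained host-c and the single-spike host-d, while filter avg > 95 keeps only host-c, because one spike barely moves the average over the query range. When you are hunting for a short burst of kernel activity rather than sustained load, choose max (or lower the threshold) rather than avg.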

Congratulations - you have created queries in the advanced query mode and seen how to use the filter statement.  Well done!!!