
Lab 9 - Getting metrics from logs

This lab teaches you how to convert logs to metrics, which brings the advantages of metrics to log data.
This lab covers the creation of a Logs-to-Metrics rule to extract metrics out of your logs. The goal is to yield the size of your messages over time using status dimensions.

Within Sumo Logic, you can create metrics from your logs as you ingest them. This feature is called Logs-to-Metrics, and this lab shows how it is done.

  1. From the Main Menu in the Navigation pane, click Manage Data > Metrics.

  2. Select Logs-to-Metrics.

  3. To create a new rule, on the far right click the + icon.

  4. In the Parse Log Messages panel, give the rule a name.

  5. For the scope, enter:


  6. For the Parse Expression, use: 

    parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*" 

This regular expression statement parses out src_ip, method, url, status_code, size, referrer and user_agent from our incoming logs.

  7. Ensure results exist in the Preview Parse Expression window. No results mean there are no metrics to extract.

    Of these fields, only status_code and size are numeric and are potential candidates for metrics. However, status_code is not something we want to aggregate or treat like a metric. It is dimensional in nature, which means we can use it to qualify the size metric, which can be aggregated and is a true metric.

  8. For Metrics and Dimensions, Metric is the numeric value you want to calculate over time, and Dimensions are any fields by which you want to slice and dice your data.

    • For Metrics, select size

    • For Dimensions, select status_code

    • Click on Estimate DPM to calculate the Data Points Per Minute you will generate with these metrics. This helps you understand the cost of generating and storing this new metric.


  9. Click Save. Your rule is now generating metric results in real time.

  10. To verify your new metric, create a new Metrics search and run the following queries:

    _contentType=MetricFromLog metric=size status_code=200


This simple query yields the size of your messages over time for those with a status_code of 200.

  11. Add the following to your query: | avg


This second query yields the average size of your messages by status_code.

  12. Select Chart. Your results should look similar to this:


Nicely done. In this lab you created metrics from logs and then created a query to see the results. Now let's look ahead to creating metric alerts in the next lab.
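
To check the parse expressions and the metric/dimension choice offline before saving a rule, the following added example (not part of the original lab or Sumo Logic's own code) applies the lab's two regular expressions to constructed access-log lines and reproduces the `| avg` result by status_code. It assumes the named groups are rewritten to Python's `(?P<name>...)` syntax and that lines whose size field is a dash are skipped, since a dash cannot be aggregated as a number.

```python
import re
from collections import defaultdict

# The lab's two parse expressions, with (?<name>...) rewritten as Python's (?P<name>...).
SRC_IP = re.compile(r"^(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
REQUEST = re.compile(
    r"(?P<method>[A-Z]+)\s(?P<url>\S+)\sHTTP/[\d\.]+\"\s(?P<status_code>\d+)\s"
    r"(?P<size>[\d-]+)\s\"(?P<referrer>.*?)\"\s\"(?P<user_agent>.+?)\".*"
)

# Constructed sample access-log lines (not from the lab's data set).
SAMPLE_LOGS = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1000 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2024:10:00:02 +0000] "GET /app.js HTTP/1.1" 200 3000 "https://example.com/" "Mozilla/5.0"',
    '192.0.2.12 - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 404 500 "-" "curl/8.0"',
    '192.0.2.13 - - [01/Jan/2024:10:00:04 +0000] "GET /cached.css HTTP/1.1" 304 - "-" "Mozilla/5.0"',
    'not an access log line',
]

def parse_line(line):
    """Apply both parse expressions; return the field dict, or None if either fails."""
    ip, req = SRC_IP.search(line), REQUEST.search(line)
    if not (ip and req):
        return None
    return {**ip.groupdict(), **req.groupdict()}

def to_data_points(lines):
    """Emit (status_code, size) points: size is the metric, status_code the dimension."""
    points = []
    for line in lines:
        fields = parse_line(line)
        # [\d-]+ also matches a bare "-", which is not a number; skip it (assumption).
        if fields is None or not fields["size"].isdigit():
            continue
        points.append((fields["status_code"], int(fields["size"])))
    return points

def avg_size_by_status(points):
    """Local equivalent of the lab's `| avg` query, grouped by the status_code dimension."""
    sizes = defaultdict(list)
    for status, size in points:
        sizes[status].append(size)
    return {status: sum(v) / len(v) for status, v in sizes.items()}

if __name__ == "__main__":
    print(avg_size_by_status(to_data_points(SAMPLE_LOGS)))
```

Lines that return None from parse_line correspond to an empty Preview Parse Expression window: nothing was extracted, so no metric can be produced from them.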