Sumo Logic

Lab 9 - Getting metrics from logs

This lab teaches you how to convert logs to metrics, which brings the advantages of metrics to log data.
You will create a Logs-to-Metrics rule that extracts metrics from your logs. The goal is to create a metric called Size and measure it over time.
  1. Click Manage Data > Metrics

  2. Select Logs-to-Metrics.

  3. Click the + icon on the far right to create a new rule.

  4. On the Edit Logs-To-Metric Rule page, give the rule a name.

  5. For the scope, enter:


  6. For the Parse Expression, use: 

    parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*" 


  7. Ensure results exist in the Preview Parse Expression window. No results mean there are no metrics to extract.


  8. For Metrics and Dimensions, the Metric is the numeric value you want to calculate over time, and Dimensions are any fields by which you want to slice and dice your data.

    • For Metrics, select size

    • For Dimensions, select status_code

    • Click on Estimate DPM to calculate the Data Points Per Minute you will generate with these metrics. This helps you understand the cost of generating and storing this new metric.


  9. Click Save. Your rule is now generating metric results in real time.

  10. To verify your new metric, create a new Metrics search and run the following queries:

  • Metric size status_code=200

This simple query yields the size of your messages over time for messages with a status_code of 200.

  • Metric size status_code=* average

This second query yields the average size of your messages by status_code.