
Lab 9 - Logs to Metrics

This lab covers creating a Logs-to-Metrics rule that extracts a metric from your logs. The goal is to turn the response size field of Apache access logs into a metric called size so it can be measured over time.
 

  1. Go to Manage Data > Settings.

  2. Select the Logs-to-Metrics tab.

  3. Click the + icon to create a new rule.


  4. On the Edit Logs-To-Metric Rule page, give the rule a name.

  5. For the scope, enter:

    _sourceCategory=Labs/Apache/Access

  6. For the Parse Expression, use:

    parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*"

    The first expression captures the client IP at the start of the line; the second captures the request method, URL, status code, response size, referrer and user agent. Note that the size group accepts a dash ([\d-]+) because Apache logs "-" when no bytes were sent, so lines like that carry no numeric size value.

  7. Confirm that results appear in the Preview Parse Expression window. If nothing appears, the parse expression is matching no logs in scope and there is nothing to extract; check the scope and the regex before continuing.

  8. For Metrics and Dimensions, the Metric is the numeric value you want to measure over time, and Dimensions are the fields by which you want to slice and dice that value.

    • For Metrics, select size.

    • For Dimensions, select status_code.

    • Click Estimate DPM to calculate the Data Points Per Minute this rule will generate. Each distinct combination of dimension values becomes its own time series, so the estimate tells you what generating and storing this new metric will cost.

  9. Click Save. Your rule now generates metric data points in real time.

  10. To verify the new metric, create a new Metrics search and run the following queries:

  • metric=size status_code=200

This query yields the size of your messages over time for those with a status_code of 200.

  • metric=size | avg by status_code

This second query yields the average size of your messages by status_code.
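To see what the rule above actually does before paying for it, the following added example (not Sumo Logic's code and not part of the lab) replays the same two parse regexes over a handful of constructed Apache access log lines, extracts size as the metric with status_code as the dimension, and reproduces the two verification queries. The log lines, the function names and the series count used as a DPM proxy are assumptions for illustration; Python's re module spells named groups (?P<name>...) rather than the (?<name>...) form used in the Sumo parse expression, which is the only change made to the regexes.

```python
import re
from collections import defaultdict

# Constructed sample Apache access log lines (not from the page or a live system).
# Line 3 has "-" for size (no bytes sent); line 5 is deliberately not an access log line.
SAMPLE_LOGS = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 4674 "http://example.com/index.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 - "http://example.com/login" "curl/8.0.1"',
    '198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /admin HTTP/1.1" 404 196 "-" "curl/8.0.1"',
    'not an apache line at all',
]

# The lab's two parse regexes, with (?<name>) rewritten as Python's (?P<name>).
SRC_IP_RE = re.compile(r"^(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
REQUEST_RE = re.compile(
    r'(?P<method>[A-Z]+)\s(?P<url>\S+)\sHTTP/[\d\.]+"\s(?P<status_code>\d+)\s'
    r'(?P<size>[\d-]+)\s"(?P<referrer>.*?)"\s"(?P<user_agent>.+?)".*'
)


def parse_line(line):
    """Apply both regexes like the piped parse expression: a line that fails either is dropped."""
    m_ip = SRC_IP_RE.search(line)
    m_req = REQUEST_RE.search(line)
    if not m_ip or not m_req:
        return None
    fields = m_ip.groupdict()
    fields.update(m_req.groupdict())
    return fields


def extract_metric(lines, metric="size", dimensions=("status_code",)):
    """Turn parsed lines into (dimension tuple, value) data points.

    Returns the points plus a count of lines whose metric field was not numeric
    (Apache's "-" for zero bytes); those cannot become data points.
    """
    points, skipped = [], 0
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        try:
            value = float(fields[metric])
        except ValueError:
            skipped += 1
            continue
        dims = tuple((d, fields[d]) for d in dimensions)
        points.append((dims, value))
    return points, skipped


def filter_points(points, **wanted):
    """Equivalent of `metric=size status_code=200`: values from series matching the given dimensions."""
    return [v for dims, v in points if all(dict(dims).get(k) == val for k, val in wanted.items())]


def avg_by(points, dimension):
    """Equivalent of `metric=size | avg by status_code`."""
    totals = defaultdict(lambda: [0.0, 0])
    for dims, value in points:
        key = dict(dims)[dimension]
        totals[key][0] += value
        totals[key][1] += 1
    return {k: s / n for k, (s, n) in totals.items()}


def estimate_series(points):
    """One time series per distinct dimension combination.

    Assumption: this counts series only; the real Estimate DPM also depends on
    how many matching log lines arrive per minute.
    """
    return len({dims for dims, _ in points})


if __name__ == "__main__":
    pts, dropped = extract_metric(SAMPLE_LOGS)
    print("data points:", pts)
    print("lines with non-numeric size:", dropped)
    print("size where status_code=200:", filter_points(pts, status_code="200"))
    print("avg size by status_code:", avg_by(pts, "status_code"))
    print("distinct series:", estimate_series(pts))
```

Running it shows the practical caveat of the regex: the POST with a "-" size parses fine but produces no data point, so a dashboard built on this metric silently omits zero-byte responses (redirects, HEAD requests), and the unparseable line is dropped entirely. Adding a second dimension such as method multiplies the series count, which is what drives the DPM estimate and the cost.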