Sumo Logic

Lab 10 - Compare Activity from Different Periods

Explore the functionality of LogCompare, which lets you compare log activity from two different time periods and gives you insight into how the current period compares to a baseline. In this lab, use LogCompare to identify signatures whose message counts deviate by more than 25% from the baseline.


  1. First, review summarized signatures for messages with a 404 status in the last 15 minutes (use LogReduce):

     _sourceCategory=Labs/Apache/Access and status_code=404
     | logreduce

  2. Now use LogCompare to run a summarized query against a baseline from 24 hours ago (click the LogCompare button):

     _sourceCategory=Labs/Apache/Access and status_code=404
     | logcompare timeshift -24h

  3. To view only those results where the delta percentage is more than 25%, add a where clause on _deltaPercentage:

     _sourceCategory=Labs/Apache/Access and status_code=404
     | logcompare timeshift -24h
     | where abs(_deltaPercentage) > 25

  4. To view results where a signature is new in the current time period, add a where clause on _isNew:

     _sourceCategory=Labs/Apache/Access and status_code=404
     | logcompare timeshift -24h
     | where (_isNew)
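To make the two where clauses above concrete, here is an added Python model of the comparison (example code written for this lab, not Sumo Logic's implementation). It assumes _deltaPercentage is (current - baseline) / baseline * 100 and that a signature absent from the baseline is flagged _isNew; the signature counts are constructed sample data.

```python
"""Added example: a small offline model of the logcompare step, showing how
the _deltaPercentage and _isNew filters behave, including the edge case of
a signature with no baseline count (delta is undefined, so it only appears
under the _isNew filter, not under abs(_deltaPercentage) > 25)."""
from collections import Counter
from typing import Optional

# Constructed sample data: LogReduce-style signatures with message counts
# for the baseline window (24 h ago) and the current window.
BASELINE_COUNTS = Counter({
    "GET /index.html HTTP/1.1 404": 80,
    "GET /favicon.ico HTTP/1.1 404": 40,
    "GET /robots.txt HTTP/1.1 404": 10,
    "GET /old-page HTTP/1.1 404": 5,
})
CURRENT_COUNTS = Counter({
    "GET /index.html HTTP/1.1 404": 90,            # +12.5%, below threshold
    "GET /favicon.ico HTTP/1.1 404": 60,           # +50%
    "GET /robots.txt HTTP/1.1 404": 2,             # -80%
    "GET /static/new-bundle.js HTTP/1.1 404": 30,  # absent from baseline: new
})

def log_compare(baseline, current):
    """Return one row per signature: counts, delta percentage, and _isNew.
    The delta formula is an assumption made for this example."""
    rows = []
    for sig in sorted(set(baseline) | set(current)):
        b, c = baseline.get(sig, 0), current.get(sig, 0)
        is_new = b == 0
        # A signature that vanished keeps a delta of -100; a brand-new one
        # has no baseline to divide by, so its delta is left undefined.
        delta: Optional[float] = None if is_new else (c - b) / b * 100.0
        rows.append({"signature": sig, "baseline": b, "current": c,
                     "_deltaPercentage": delta, "_isNew": is_new})
    return rows

def where_delta_exceeds(rows, pct=25.0):
    """Equivalent of `| where abs(_deltaPercentage) > 25`. Rows with an
    undefined delta (new signatures) do not pass this filter."""
    return [r for r in rows
            if r["_deltaPercentage"] is not None
            and abs(r["_deltaPercentage"]) > pct]

def where_is_new(rows):
    """Equivalent of `| where (_isNew)`."""
    return [r for r in rows if r["_isNew"]]
```

Running both filters over the same rows shows why the lab uses two separate queries: the new signature is the one row the 25% filter can never surface.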