Sumo Logic

Lab 15 - Logs-to-Metrics

Convert your logs to metrics for improved performance, retention, and alerting.
Logs-to-Metrics is a feature that extracts metrics from logs. It is not a required step, because a log search can already produce a time-series chart on its own. Extracting metrics, however, removes the need to re-query unstructured log data every time a chart is drawn, so charts run faster, the resulting metric data can be retained longer than the raw logs, and alerts can be evaluated against a metric rather than a repeated log search.

For this lab, we're going to extract the total number of Apache access log messages with a status code of 404 using a Logs-to-Metrics rule, and then show the extracted data in the metrics view. To do this:

  1. Go to Manage Data > Settings.

  2. Select the Logs-to-Metrics tab.

  3. Click the + icon to create a new rule.

  4. On the Edit Logs-To-Metric Rule page, give the rule a name.

  5. For the scope, enter: _sourceCategory=Labs/Apache/Access

  6. For the Parse Expression, use:

     parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*" | where status_code=404

  7. Ensure results appear in the Preview Parse Expression window. If nothing is returned, the expression does not match your logs (or no matching messages exist in the preview window), and the rule would have no metrics to extract.

  8. For Metrics and Dimensions, pick the fields you want to slice the data by. Only one Metric can be selected, and it must be a numeric value; alternatively, the number of messages returned by the Parse Expression can serve as the Metric, which is what this lab does. Dimensions determine how the metric's values are aggregated. For now, select the src_ip checkbox in the Dimensions column.

  9. Toggle Count the number of log messages. This makes the "metric" the number of messages returned by the Parse Expression entered above.

  10. Give the metric a name. Remember this name, as you will use it in a later step.

  11. Click Save

Your Logs-to-Metrics rule is now created and generating results in real time. Let's verify the rule is extracting the correct values:

1. Create a new Metrics search

2. In the metric query field, enter:

metric="<The name of your metric>" | sum

As you may have guessed, be sure to replace <The name of your metric> with the name you entered a few steps ago.

3. Press enter/return to start the metric search and verify the results.
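The following Python script is an added offline check written for this page; it is not part of Sumo Logic or of the lab. It applies the same two regular expressions from step 6 to a few constructed Apache access log lines in combined format, keeps only messages with status 404, counts them per src_ip (the Dimension chosen in step 8), and sums those counts, which is the value the metric="..." | sum query above should report for the same messages. The sample log lines, IP addresses, and function names are assumptions.

```python
import re
from collections import Counter

# Python translation of the lab's two parse regex expressions. Python's re
# module spells named groups (?P<name>...) where Sumo Logic uses (?<name>...);
# the patterns are otherwise identical.
SRC_IP_RE = re.compile(r"^(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
REQUEST_RE = re.compile(
    r'(?P<method>[A-Z]+)\s(?P<url>\S+)\sHTTP/[\d\.]+"\s(?P<status_code>\d+)\s'
    r'(?P<size>[\d-]+)\s"(?P<referrer>.*?)"\s"(?P<user_agent>.+?)".*'
)

# Constructed sample lines (Apache combined log format). The last line is
# deliberately not an access log entry to show that unparsable messages are
# dropped, exactly as they would be by the rule's Parse Expression.
SAMPLE_LOGS = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /missing.html HTTP/1.1" 404 209 "http://example.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /api/login HTTP/1.1" 404 - "-" "curl/8.0.1"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /favicon.ico HTTP/1.0" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.4 - - [10/Oct/2023:13:57:15 +0000] "GET /about HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    'not an access log line',
]


def parse_line(line):
    """Apply both parse regex stages; return the extracted fields or None
    if either stage fails to match (the message would not reach 'where')."""
    ip_match = SRC_IP_RE.search(line)
    req_match = REQUEST_RE.search(line)
    if not ip_match or not req_match:
        return None
    fields = ip_match.groupdict()
    fields.update(req_match.groupdict())
    return fields


def count_404_by_src_ip(lines):
    """Equivalent of '... | where status_code=404' followed by the rule's
    'Count the number of log messages' metric with src_ip as the dimension."""
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields is not None and fields["status_code"] == "404":
            counts[fields["src_ip"]] += 1
    return counts


def metric_sum(counts):
    """Equivalent of 'metric="<name>" | sum': total across all dimensions."""
    return sum(counts.values())


if __name__ == "__main__":
    per_ip = count_404_by_src_ip(SAMPLE_LOGS)
    for src_ip, n in sorted(per_ip.items()):
        print(f"src_ip={src_ip} count_404={n}")
    print(f"sum={metric_sum(per_ip)}")
```

Two things the script makes visible that the Preview window in step 7 only hints at: the size field is matched with [\d-]+, so a "-" size (no body, as in the POST line) still parses, and a line that lacks the quoted referrer and user agent fields (Apache's "common" format rather than "combined") will fail the second regex and never be counted, which is why an empty preview usually means a format mismatch rather than an absence of 404s.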