Sumo Logic

Lab 9 - Compare Activity from Different Periods

This lab teaches you how to use the LogCompare operator to compare log activity from two different time periods.
LogCompare compares the log activity in your current time range against the same range shifted into the past (the baseline), so you can see which signatures have changed and by how much. In this lab, you use LogCompare to identify signature messages whose activity deviates by more than 25% from the baseline.


  1. Use LogCompare to run a summarized query that compares the last 60 minutes against a baseline taken 24 hours earlier:

_sourceCategory=Labs/Apache/Access and status_code=404
| logcompare timeshift -24h

  2. To view only the results whose delta percentage is more than 25% in either direction, add a where clause on _deltaPercentage:

_sourceCategory=Labs/Apache/Access and status_code=404
| logcompare timeshift -24h
| where abs(_deltaPercentage) > 25

  3. To view only the results whose signature appears in the current time period but not in the baseline, add a where clause on _isNew:

_sourceCategory=Labs/Apache/Access and status_code=404
| logcompare timeshift -24h
| where (_isNew)