Sumo Logic

Lab 2 - Simple Parsing, Grouping, and Filtering

Learn basic operators to parse and group your search results.


  1. Search CloudTrail logs to identify the top 10 IP addresses for the US West Region.

_sourceCategory=Labs/AWS/CloudTrail
// The json operator extracts fields from JSON-formatted logs; where then keeps only events from the us-west-1 region
| json "awsRegion"
| where awsregion="us-west-1"
// Parsing operators can be mixed in one query: parse regex pulls the first IPv4-looking string out of each raw message, and count groups the results by IP address
| parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| count by ip_address
| top 10 ip_address by _count

Two caveats when adapting this query. AWS has two US West regions, us-west-1 (N. California) and us-west-2 (Oregon); the where clause above keeps only the first, so use where awsregion matches "us-west-*" to cover both. The regex also captures the first dotted quad found anywhere in the raw event and silently drops events that contain none. CloudTrail records the caller's address in the sourceIPAddress field (which holds a service name such as ec2.amazonaws.com for service-initiated calls rather than an IP), so json "sourceIPAddress" is the more reliable way to get the caller IP.


  2. You can chart your results by choosing any of the available charting options. Below we chose the circle graph by clicking on the circle graph icon.

  3. To see the chart details, either zoom out or click the gray arrow just above the Add to Dashboard button.

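The following Python script is an added example, not part of the Sumo Logic lab, that models the lab query offline: it parses the awsRegion field, applies the region filter, extracts an IP address, and counts and ranks the results. It runs against a handful of constructed CloudTrail-style events (not real log data) so you can see how the regex-over-raw-message approach and a json "sourceIPAddress" extraction differ, and how a wildcard region filter changes the result. The function names, the sample events and the glob-style region matching are assumptions made for the example; Python's named-group syntax is (?P<name>...) where Sumo Logic uses (?<name>...).

```python
"""Offline model of the lab query (json -> where -> parse regex -> count -> top)."""
import fnmatch
import ipaddress
import json
import re
from collections import Counter

# Constructed CloudTrail-like events (not real data). Key order follows real
# CloudTrail output, where sourceIPAddress precedes requestParameters.
SAMPLE_LOGS = [
    json.dumps({"eventName": "DescribeInstances", "awsRegion": "us-west-1",
                "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.11.0"}),
    json.dumps({"eventName": "ListBuckets", "awsRegion": "us-west-1",
                "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com"}),
    json.dumps({"eventName": "GetCallerIdentity", "awsRegion": "us-west-1",
                "sourceIPAddress": "192.0.2.44", "userAgent": "aws-sdk-go/1.44"}),
    # Service-initiated call: sourceIPAddress is a service name, not an IP, so
    # the regex falls through to the first dotted quad elsewhere in the message
    # (here the CIDR being authorized, which is not the caller at all).
    json.dumps({"eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-west-1",
                "sourceIPAddress": "ec2.amazonaws.com", "userAgent": "ec2.amazonaws.com",
                "requestParameters": {"cidrIp": "203.0.113.0/24"}}),
    # us-west-2 is dropped by awsregion="us-west-1" but kept by "us-west-*".
    json.dumps({"eventName": "DescribeInstances", "awsRegion": "us-west-2",
                "sourceIPAddress": "192.0.2.44", "userAgent": "aws-cli/2.11.0"}),
    # Outside US West: dropped by both filters.
    json.dumps({"eventName": "ListBuckets", "awsRegion": "eu-west-1",
                "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.11.0"}),
]

# Same pattern as the lab's parse regex. search() returns the FIRST match in
# the raw message, which is what parse regex does without the multi option.
IPV4 = re.compile(r"(?P<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")


def where_region(logs, pattern):
    """json "awsRegion" | where awsregion matches <pattern> (glob; * allowed)."""
    for raw in logs:
        event = json.loads(raw)
        if fnmatch.fnmatchcase(event.get("awsRegion", ""), pattern):
            yield raw, event


def top_ips_regex(logs, pattern="us-west-1", n=10):
    """The lab query as written: regex over the raw message, then count/top."""
    counts = Counter()
    for raw, _ in where_region(logs, pattern):
        match = IPV4.search(raw)
        if match:                          # parse regex drops non-matching events
            counts[match.group("ip_address")] += 1
    return counts.most_common(n)           # top n ip_address by _count


def top_ips_field(logs, pattern="us-west-1", n=10):
    """Safer variant: json "sourceIPAddress" instead of a regex over raw text.

    Service names such as ec2.amazonaws.com are skipped; IPv6 callers, which
    the lab regex never matches, are counted.
    """
    counts = Counter()
    for _, event in where_region(logs, pattern):
        value = event.get("sourceIPAddress", "")
        try:
            counts[str(ipaddress.ip_address(value))] += 1
        except ValueError:                 # not an IP address: service-initiated call
            continue
    return counts.most_common(n)


if __name__ == "__main__":
    print("regex, us-west-1:", top_ips_regex(SAMPLE_LOGS))
    print("field, us-west-1:", top_ips_field(SAMPLE_LOGS))
    print("field, us-west-*:", top_ips_field(SAMPLE_LOGS, "us-west-*"))
```

Running it shows the regex version crediting 203.0.113.0 with a request it never made (it is the cidrIp parameter of a service-initiated call), while the field-based version skips that event; widening the filter to "us-west-*" picks up the us-west-2 activity that the lab's exact-match where clause leaves out.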