
Lab 6 - Compare Activity from Different Periods

Explore the functionality of LogCompare, which allows you to compare log activity from two different time periods, providing you insight on how your current time compares to a baseline. In this case, use LogCompare to identify when signature messages deviate by more than 25% from the baseline.

  1. First, review the summarized signatures for labs/snort messages in the last 60 minutes using LogReduce:

    _sourceCategory=labs/snort
    | logreduce

  2. Now use LogCompare to run a summarized query against a baseline that occurred 24 hours ago:

    _sourceCategory=labs/snort
    | logcompare timeshift -24h

  3. To view only those results where the Delta Percentage is more than 25% (in either direction), add a where clause for _deltaPercentage, which is one of the hidden fields available:

    _sourceCategory=labs/snort
    | logcompare timeshift -24h
    | where abs(_deltaPercentage) > 25

  4. To view results where there is a new Signature in the current time period, add a where clause for _isNew:

    _sourceCategory=labs/snort
    | logcompare timeshift -24h
    | where (_isNew)
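The four steps above chain into one idea: reduce each window of logs to signatures, count them, and compare the current window against the shifted baseline. The following Python script is an added example that is not Sumo Logic's code; it reproduces that computation offline over constructed Snort-style log lines so you can see what `abs(_deltaPercentage) > 25` and `_isNew` actually select. The signature function is a simplified stand-in for LogReduce (it only masks IP addresses and numbers), the delta formula `(current - baseline) / baseline * 100` is an assumption about how `_deltaPercentage` is derived, and the column names other than `_deltaPercentage` and `_isNew` (`_signature`, `_count`, `_baselineCount`) are assumed for illustration. Rule SIDs and addresses in the sample lines are made up.

```python
"""LogCompare-style delta analysis over two windows of Snort-like log lines.

Added example, not Sumo Logic code. Signature extraction approximates LogReduce,
and the delta percentage formula is an assumption about Sumo's _deltaPercentage.
"""
import re
from collections import Counter

# Variable tokens that would otherwise split one "signature" into many.
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\b")   # IPv4 with optional :port
NUM_RE = re.compile(r"\d+")                                  # SIDs, ports, counters


def signature(line: str) -> str:
    """Collapse IPs and numbers so lines of the same shape share a signature."""
    return NUM_RE.sub("<n>", IP_RE.sub("<ip>", line))


def summarize(lines):
    """Equivalent of '| logreduce': count messages per signature."""
    return Counter(signature(line) for line in lines)


def logcompare(baseline_lines, current_lines):
    """Equivalent of '| logcompare timeshift -24h': one row per signature.

    _deltaPercentage is None when the signature has no baseline count, since a
    percentage change from zero is undefined; such rows are flagged by _isNew.
    """
    base, cur = summarize(baseline_lines), summarize(current_lines)
    rows = []
    for sig in sorted(set(base) | set(cur)):
        b, c = base.get(sig, 0), cur.get(sig, 0)
        delta = None if b == 0 else (c - b) / b * 100.0   # assumed formula
        rows.append({"_signature": sig, "_count": c, "_baselineCount": b,
                     "_deltaPercentage": delta, "_isNew": b == 0 and c > 0})
    return rows


def where_delta_exceeds(rows, threshold=25.0):
    """Equivalent of '| where abs(_deltaPercentage) > 25'."""
    return [r for r in rows
            if r["_deltaPercentage"] is not None
            and abs(r["_deltaPercentage"]) > threshold]


def where_is_new(rows):
    """Equivalent of '| where (_isNew)'."""
    return [r for r in rows if r["_isNew"]]


# Constructed sample data: the "-24h" baseline window and the current window.
BASELINE_LINES = (
    ["[1:1000001:1] GPL ATTACK_RESPONSE id check returned root {TCP} 10.0.0.5:80 -> 192.168.1.20:51234"] * 4
    + ["[1:1000002:1] GPL ICMP PING {ICMP} 10.0.0.9 -> 192.168.1.1"] * 10
    + ["[1:1000003:1] ET POLICY Suspicious inbound to MSSQL port 1433 {TCP} 10.0.0.7:41234 -> 192.168.1.30:1433"] * 5
    + ["[1:1000004:1] GPL WEB_SERVER robots.txt access {TCP} 10.0.0.3:49152 -> 192.168.1.10:80"] * 5
)
CURRENT_LINES = (
    ["[1:1000001:1] GPL ATTACK_RESPONSE id check returned root {TCP} 10.0.0.5:80 -> 192.168.1.21:50001"] * 4   # unchanged: 0%
    + ["[1:1000002:1] GPL ICMP PING {ICMP} 10.0.0.12 -> 192.168.1.1"] * 14                                     # +40%: flagged
    # MSSQL signature absent this hour: -100%, flagged
    + ["[1:1000004:1] GPL WEB_SERVER robots.txt access {TCP} 10.0.0.4:49153 -> 192.168.1.10:80"] * 6          # +20%: not flagged
    + ["[1:1000005:1] ET SCAN Potential SSH Scan {TCP} 10.0.0.11:5555 -> 192.168.1.40:22"] * 3                # new signature
)


if __name__ == "__main__":
    rows = logcompare(BASELINE_LINES, CURRENT_LINES)
    print("Signatures deviating by more than 25%:")
    for r in where_delta_exceeds(rows):
        print(f"  {r['_deltaPercentage']:+7.1f}%  {r['_baselineCount']:>3} -> {r['_count']:<3} {r['_signature']}")
    print("New signatures in the current window:")
    for r in where_is_new(rows):
        print(f"  count={r['_count']}  {r['_signature']}")
```

Note that a signature present in the baseline but absent now yields a delta of -100%, so the `abs()` in step 3 catches disappearing traffic as well as spikes; a brand-new signature has no baseline to compute a percentage against, which is why step 4 filters on `_isNew` separately rather than relying on the delta.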