Sumo Logic

Lab 6 - Compare Activity from Different Periods

Explore the functionality of LogCompare, which allows you to compare log activity from two different time periods, providing you insight on how your current time compares to a baseline. In this case, use LogCompare to identify when signature messages deviate by more than 25% from the baseline.


  1. First, review the summarized signatures for Snort messages from the last 60 minutes using LogReduce:

```
_sourceCategory=labs/snort
| logreduce
```

  2. Now use LogCompare to run the same summarized query against a baseline from 24 hours ago (click the LogCompare button):

```
_sourceCategory=labs/snort
| logcompare timeshift -24h
```

  3. To view only those results whose delta percentage is more than 25%, add a where clause on _deltaPercentage, one of the hidden fields LogCompare adds to each row (abs() keeps both increases and decreases):

```
_sourceCategory=labs/snort
| logcompare timeshift -24h
| where abs(_deltaPercentage) > 25
```

  4. To view results where a signature is new in the current time period (present now but not in the baseline), add a where clause on _isNew:

```
_sourceCategory=labs/snort
| logcompare timeshift -24h
| where (_isNew)
```
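The lab's queries only run inside Sumo Logic, so here is an added Python model (not Sumo Logic's code) of what steps 2 to 4 compute: two per-signature count summaries are joined by signature, each row gets a `_deltaPercentage` and `_isNew` value, and the two `where` clauses are applied as filters. The Snort signature names and counts are constructed for the example.

```python
"""Model of LogCompare's baseline-vs-current join and the lab's two where clauses.

Constructed example, not Sumo Logic code. Assumes _deltaPercentage is
(current - baseline) / baseline * 100 and _isNew means the signature has
current hits but no baseline hits.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CompareRow:
    signature: str
    baseline: int
    current: int
    is_new: bool                 # _isNew
    delta_pct: Optional[float]   # _deltaPercentage; None when no baseline count exists


def log_compare(baseline: Dict[str, int], current: Dict[str, int]) -> List[CompareRow]:
    """Join the baseline (timeshift -24h) and current summaries by signature."""
    rows = []
    for sig in sorted(set(baseline) | set(current)):
        b, c = baseline.get(sig, 0), current.get(sig, 0)
        is_new = b == 0 and c > 0
        delta = None if b == 0 else (c - b) / b * 100.0   # a vanished signature yields -100%
        rows.append(CompareRow(sig, b, c, is_new, delta))
    return rows


def where_delta_exceeds(rows: List[CompareRow], threshold: float = 25.0) -> List[CompareRow]:
    """Equivalent of `| where abs(_deltaPercentage) > 25`."""
    return [r for r in rows if r.delta_pct is not None and abs(r.delta_pct) > threshold]


def where_is_new(rows: List[CompareRow]) -> List[CompareRow]:
    """Equivalent of `| where (_isNew)`."""
    return [r for r in rows if r.is_new]


# Constructed signature counts for the baseline window and the current window.
BASELINE = {"SSH brute-force attempt": 40, "ICMP PING": 100, "SNMP request udp": 10}
CURRENT = {"SSH brute-force attempt": 90, "ICMP PING": 104, "SMB outbound": 7}

if __name__ == "__main__":
    rows = log_compare(BASELINE, CURRENT)
    for r in where_delta_exceeds(rows):
        print(f"{r.signature}: {r.baseline} -> {r.current} ({r.delta_pct:+.1f}%)")
    for r in where_is_new(rows):
        print(f"NEW signature: {r.signature} ({r.current} hits, no baseline)")
```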