During collection, each raw message is broken into individual keyword terms. Term boundaries are the separator characters found in the message, including white space, dashes, commas, periods, colons, question marks, exclamation points, brackets, and more.

A term is any run of characters between two such boundaries; a phrase is a series of adjacent terms.

So given this sample message:

2013-08-13 21:25:15,456 98765432 [com.test.services.test.TESTClientImpl] TEST Request:id=1234567 TEST1234567

Sumo Logic indexes each term separately: 2013, 08, 13, 21, 25, 15, 456, 98765432, com, test, services, test, TESTClientImpl, TEST, Request, id, 1234567, and TEST1234567.

The separator characters themselves were left out of the list above for simplicity, but they are also indexed as separate keywords.

To find messages that contain any of these indexed values, the keywords in your query must match whole indexed terms. Boolean logic and wildcards let you search for several terms at once, express how the terms must be distributed within a message, and match partial terms: an asterisk (*) stands for zero or more characters and a question mark (?) for exactly one character. Keywords are case insensitive.

Examples:

  • TEST* - finds "test", "TESTClientImpl", "TEST" and "TEST1234567"
  • test - finds "test" and "TEST"
  • 456 - finds "456"
  • *456* - finds "456", "1234567" and "TEST1234567"

If you enter a phrase, that is, a series of keywords joined by separator characters such as an email address or an IP address, the Sumo Logic search engine looks for those individual indexed terms appearing next to each other, in that order.

Within a phrase, a wildcard can stand for one full term: jsmith@*.com

but not for part of a term: jsmith@some*re.com

Inside a phrase the wildcard (*) represents exactly one full term between the supplied values, so if additional terms exist between the defined values, the search returns no results.

For example, the keyword com*services does not find the sample message: between com and services the message has the term test plus the periods around it, and a single wildcard cannot stand in for those separators and the term together. Rewritten with the separators, com.*.services returns the message, because the * now stands for exactly one full term, test.

To search for several keyword values anywhere in a message, the best practice is to break the keywords into separate terms by putting a space between them. Sumo Logic then applies an implicit "AND" between the terms, so the query com services finds messages that contain both com and services, whether or not they are adjacent.
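The rules above (term boundaries, case-insensitive keyword wildcards, the one-full-term wildcard inside a phrase, and the implicit AND between space-separated terms) are small enough to model end to end. The Python below is an added example written for this page, not Sumo Logic's own code; it assumes a boundary character set built from the characters the page names plus the period, colon, equals sign and at-sign that the sample message evidently splits on, it treats a partial-term wildcard inside a phrase as simply returning no results, and the two login log lines are constructed for the email examples.

```python
import re

# Constructed inputs: the page's sample message plus two log lines made up for the
# e-mail examples (not from the original page).
SAMPLE = ("2013-08-13 21:25:15,456 98765432 [com.test.services.test.TESTClientImpl] "
          "TEST Request:id=1234567 TEST1234567")
LOGIN_OK = "2013-08-13 21:26:01,002 login ok for jsmith@somewhere.com"
LOGIN_SUB = "2013-08-13 21:26:05,117 login ok for jsmith@mail.somewhere.com"

# Assumed boundary set: the characters the page names plus the punctuation that has
# to split the sample message the way the page shows (period, colon, equals, at-sign).
MESSAGE_BOUNDARY = re.compile(r"[\s\-,.?!:;=/@\[\]{}()<>'\"]+")
# Inside one query group the same punctuation separates the terms of a phrase, except
# '?', which the query language reserves as the single-character wildcard.
QUERY_BOUNDARY = re.compile(r"[\-,.!:;=/@\[\]{}()<>'\"]+")


def tokenize(message):
    """Split a raw message into the terms the index would hold, in order, case kept."""
    return [t for t in MESSAGE_BOUNDARY.split(message) if t]


def keyword_matches(keyword, term):
    """Case-insensitive match of one term against a keyword with * (zero or more) and ? (one)."""
    pattern = re.escape(keyword.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(pattern, term.lower()) is not None


def matching_terms(message, keyword):
    """Distinct indexed terms of `message` that the keyword matches, in first-seen order."""
    hits = [t for t in tokenize(message) if keyword_matches(keyword, t)]
    return list(dict.fromkeys(hits))


def phrase_matches(terms, parts):
    """Phrase rule: parts must match consecutive terms; '*' stands for exactly one whole term."""
    # Assumption: a wildcard embedded in a partial term (some*re) is not valid inside a
    # phrase, so the query simply returns no results.
    if any(("*" in p or "?" in p) and p != "*" for p in parts):
        return False
    lowered = [t.lower() for t in terms]
    n = len(parts)
    for i in range(len(lowered) - n + 1):
        if all(p == "*" or p == w for p, w in zip(parts, lowered[i:i + n])):
            return True
    return False


def group_matches(terms, group):
    """One whitespace-free query group: a single keyword, or a phrase of several terms."""
    parts = [p.lower() for p in QUERY_BOUNDARY.split(group) if p]
    if len(parts) == 1:
        return any(keyword_matches(parts[0], t) for t in terms)
    return phrase_matches(terms, parts)


def message_matches(message, query):
    """Whitespace between groups is an implicit AND; groups may appear anywhere, in any order."""
    terms = tokenize(message)
    return all(group_matches(terms, g) for g in query.split())


if __name__ == "__main__":
    print(tokenize(SAMPLE))
    for kw in ("TEST*", "test", "456", "*456*", "test???????"):
        print(f"{kw:12} -> {matching_terms(SAMPLE, kw)}")
    for q in ("com*services", "com.*.services", "com.services", "com services", "services com"):
        print(f"{q:15} -> {message_matches(SAMPLE, q)}")
    for msg, q in ((LOGIN_OK, "jsmith@*.com"), (LOGIN_OK, "jsmith@some*re.com"),
                   (LOGIN_SUB, "jsmith@*.com"), (LOGIN_SUB, "jsmith@*.*.com")):
        print(f"{q:16} on {msg[-31:]!r} -> {message_matches(msg, q)}")
```

The split into two boundary sets is the part worth noticing: the message tokenizer treats ? as a separator, while the query side must keep it as a wildcard, and whitespace separates AND-ed groups in a query but is just another boundary inside a message. Running the script shows com.services failing where com services succeeds (adjacency versus AND), and jsmith@*.com matching the first login line but not the second, where the extra mail term needs a second wildcard.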