Sumo Logic

Tutorial Step 4: Build a Search Query (deprecated)

Now, let’s go back to the Search page. Here, we’ll use a keyword search and parse the log messages to build a search query.
  1. Click Search on the main Sumo Logic menu.
  2. In the Apache tab, the default query _sourceCategory="Apache/Access" is already run for you and displays results in the Messages pane.
  3. From here, let’s search for all log messages within that Source Category that include the keyword GET.
    1. In the search query box, add to the query:
      and GET 
      And here's our new query:

      _sourceCategory="Apache/Access" and GET

      Keywords are case insensitive. You can also select keywords from the autocomplete menu that appears when you type.
    2. To select a time range, you can select a pre-configured time range from the drop-down menu, enter a relative time range such as -1d to -12h, or enter an absolute time range, such as 10/08/2015 11:00AM to 10/08/2015 11:00PM. For our purposes, let's select Last 60 Minutes from the drop-down menu.
    3. Click Start.
    4. Now in the Messages tab, notice that our keyword GET is highlighted, and the number of pages found is displayed.
  4. Let’s parse our logs for information after the GET and build a new query. We’ll parse for URL, status code, size, and referrer. (Your first search result may not be exactly the same, but that's OK.)
    1. In the first result message, select GET and everything after that, including the URL, the status code, the size, and the referrer.
    2. From the menu that appears, select Parse the selected text.
    3. The Parse Text dialog is displayed. Here you can select text to be parsed and replaced by fields. These will be added to the search box to build your query.
    4. First, highlight the URL and select Click to extract this value.
    5. In the Fields box, enter url and a comma to separate the values.
    6. Next, highlight the status code 200 and select Click to extract this value.
    7. In the Fields box, add status_code and a comma. Following best practices for naming, use an underscore to connect the words to name the field.
    8. Next, highlight the file size and select Click to extract this value.
    9. In the Fields box, enter size and a comma.
    10. Finally, highlight the referring URL, but not the quotation marks that surround it. Select Click to extract this value.
    11. In the Fields box, add referrer, and click Submit.
  5. You’ll see that the information we parsed for has been added to our query. You could have typed into the search box yourself, but using the Parse Text dialog is an easy way to build a query without having to remember the syntax. Each quotation mark that appears literally in the log line is escaped as \" inside the parse string, and each * stands for one value to extract. So now our query is:

    _sourceCategory="Apache/Access" and GET | parse "\"GET * HTTP/1.1\" * * \"*\"" as url,status_code,size,referrer

  6. For best practices, let’s clean up the query by moving everything after the pipe to a new line by adding a soft return. So it now looks like this:

    _sourceCategory="Apache/Access" and GET
    | parse "\"GET * HTTP/1.1\" * * \"*\"" as url,status_code,size,referrer

  7. Click Start to run the query.
  8. In the Messages pane, you’ll see that the fields that you parsed for are now extracted from the raw messages: referrer, size, status_code, and url. The Message text is still available as well.
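To make it concrete what the keyword filter and the parse anchor do to a message, here is an added Python example (not Sumo Logic's own code, and only an approximation of the parse operator) that applies the query's parse string to constructed Apache-style access log lines. It assumes one `\"` per literal quote, treats each `*` as a non-greedy capture, and drops messages the pattern does not match, which is how the tutorial's query behaves without a nodrop option.

```python
import re

# Constructed sample lines in Apache combined-log style; not taken from the page.
SAMPLE_LOGS = [
    '10.0.0.1 - - [08/Oct/2015:11:02:13 +0000] "GET /index.html HTTP/1.1" 200 5124 "http://example.com/" "Mozilla/5.0"',
    '10.0.0.2 - - [08/Oct/2015:11:02:15 +0000] "POST /login HTTP/1.1" 302 0 "http://example.com/login" "Mozilla/5.0"',
    '10.0.0.3 - - [08/Oct/2015:11:02:18 +0000] "GET /admin HTTP/1.1" 403 212 "-" "curl/7.64"',
    '10.0.0.4 - - [08/Oct/2015:11:02:19 +0000] "GET /old HTTP/1.0" 200 10 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [08/Oct/2015:11:02:20 +0000] "GET /images/logo.png HTTP/1.1" 404 1043 "http://example.com/index.html" "Mozilla/5.0"',
]

# The parse string from the tutorial's query, without the surrounding quotes.
PARSE_ANCHOR = '\\"GET * HTTP/1.1\\" * * \\"*\\"'
FIELDS = ["url", "status_code", "size", "referrer"]


def anchor_to_regex(anchor: str) -> re.Pattern:
    """Approximate a parse anchor: \\" is a literal quote, * is one extracted value."""
    literal = anchor.replace('\\"', '"')
    parts = [re.escape(p) for p in literal.split("*")]
    # Each * becomes a non-greedy capture; the anchor may sit anywhere in the message.
    return re.compile("(.*?)".join(parts))


def keyword_match(line: str, keyword: str) -> bool:
    """Keyword search is case insensitive, as the tutorial states."""
    return keyword.lower() in line.lower()


def run_query(lines, keyword, anchor, fields):
    """Emulate: <keyword filter> | parse "<anchor>" as <fields>."""
    pattern = anchor_to_regex(anchor)
    results = []
    for line in lines:
        if not keyword_match(line, keyword):
            continue
        m = pattern.search(line)
        if m is None:
            # Like parse without nodrop: messages that do not fit the anchor are dropped.
            continue
        results.append(dict(zip(fields, m.groups())))
    return results


if __name__ == "__main__":
    for row in run_query(SAMPLE_LOGS, "GET", PARSE_ANCHOR, FIELDS):
        print(row)
```

The POST line is excluded by the keyword filter, and the HTTP/1.0 line matches the keyword but not the anchor, so only three messages produce parsed fields.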

Next, let’s build out this query using aggregation statements to count and order our results, and use that query to visualize our data by making a chart.