
Tutorial Step 5: Aggregate Results and Create a Chart (deprecated)

Let’s find out more about these status codes.

What kinds are you getting? Are your 404s all happening at once? We can find out by adding aggregation statements to our query that group and order the data, so the results are much easier to read.

  1. First, let's count how many of each status code we get.

    1. In the search query box, to add a new line, enter a soft return. Then add the count statement:
      | count by status_code

      So now our query looks like this:

      _sourceCategory="Apache/Access" and GET
      | parse "\"GET * HTTP/1.1\" * * \"*\"" as url,status_code,size,referrer
      | count by status_code

    2. Click Start.
    3. Next to the Messages tab, notice the new tab called Aggregates. Here we see the status_code and the _count broken out into a simple table.
  2. Now let’s find out when those status codes happened. We can use the timeslice operator to count the status codes over time in one-minute increments.
    1. Above the count operator, add a new line:
      | timeslice 1m
    2. Edit the count operator to read:
      | count by _timeslice, status_code

      So now our query is:

      _sourceCategory="Apache/Access" and GET
      | parse "\"GET * HTTP/1.1\" * * \"*\"" as url,status_code,size,referrer
      | timeslice 1m
      | count by _timeslice, status_code

    3. Click Start to search.
    4. Now the Aggregates tab shows, for each timeslice, each status_code and its _count (how many times that status code occurred in that minute). But the rows are not in chronological order.
  3. Let’s show the results in chronologically ascending order (the default is descending order):
    1. Under the count statement, add a new line in the search query:
      | order by _timeslice asc

      Now our query reads:

      _sourceCategory="Apache/Access" and GET
      | parse "\"GET * HTTP/1.1\" * * \"*\"" as url,status_code,size,referrer
      | timeslice 1m
      | count by _timeslice, status_code
      | order by _timeslice asc

    2. Click Start.
    3. Now the results are displayed in chronological order.
  4. This result is better, but we can make it even easier to read. It would be great to see the data as a pivot table, similar to Excel, with one column per status code. We can do that using the transpose operator.
    1. Under the order statement, add:
      | transpose row _timeslice column status_code

      Now our query reads: 

      _sourceCategory="Apache/Access" and GET
      | parse "\"GET * HTTP/1.1\" * * \"*\"" as url,status_code,size,referrer
      | timeslice 1m
      | count by _timeslice, status_code
      | order by _timeslice asc
      | transpose row _timeslice column status_code

    2. Click Start.
    3. Now in the Aggregates table, each status code is a column, each timeslice is a row, and each cell holds the count of that status code within that timeslice.
  5. Much better. But, from here, Sumo Logic can create something even easier to read. Let’s visualize our data by making a chart.
    1. There are many chart options that would work for our results, as shown by the available chart buttons displayed in the top right of the Aggregates tab. From here we can make a bar, column, line, area, or a pie chart.
    2. Let’s create a column chart. Click the Column Chart button.
    3. This is good, but the 200 status codes are dominating the chart. We can remove them by clicking the 200 item in the legend to the right. Let’s remove the 304 events as well.
    4. Now the 200 and 304 events are greyed out in the legend.
  6. What if you wanted to get rid of the 200s and 304s permanently from the query? To do this, you can add a where clause.
    1. Above the timeslice line, add:
      | where !(status_code=200 or status_code=304)

      Now the query reads:

      _sourceCategory="Apache/Access" and GET
      | parse "\"GET * HTTP/1.1\" * * \"*\"" as url,status_code,size,referrer
      | where !(status_code=200 or status_code=304)
      | timeslice 1m
      | count by _timeslice, status_code
      | order by _timeslice asc
      | transpose row _timeslice column status_code

    2. The exclamation point is used as a NOT, so this statement means "where the status code is NOT 200 or 304".
    3. Click Start.
    4. Now you can see that the 200 and 304 status codes no longer appear in the chart or legend.
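As an added example that is not part of the Sumo Logic tutorial or the product's own code, the following Python script reproduces the whole Step 5 pipeline (keyword filter, parse, where, timeslice, count by, order by, transpose) over a few constructed Apache access-log lines, so you can see what each operator contributes to the final table and why excluding the 200/304 noise makes the 4xx/5xx activity stand out. The log lines, the function names and the regular expression are assumptions made for illustration; the timestamp is taken from the log line itself rather than from Sumo Logic's _messagetime.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache combined-log shape (not real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [10/Oct/2023:13:55:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-"
10.0.0.2 - - [10/Oct/2023:13:55:17 +0000] "GET /missing HTTP/1.1" 404 512 "http://example.com/"
10.0.0.3 - - [10/Oct/2023:13:55:22 +0000] "GET /index.html HTTP/1.1" 200 5120 "-"
10.0.0.4 - - [10/Oct/2023:13:55:41 +0000] "GET /logo.png HTTP/1.1" 304 0 "-"
10.0.0.5 - - [10/Oct/2023:13:55:50 +0000] "GET /missing HTTP/1.1" 404 512 "-"
10.0.0.6 - - [10/Oct/2023:13:56:02 +0000] "GET /admin HTTP/1.1" 403 220 "-"
10.0.0.7 - - [10/Oct/2023:13:56:30 +0000] "GET /missing HTTP/1.1" 404 512 "-"
10.0.0.8 - - [10/Oct/2023:13:56:45 +0000] "POST /login HTTP/1.1" 200 300 "-"
10.0.0.9 - - [10/Oct/2023:13:57:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-"
10.0.0.10 - - [10/Oct/2023:13:57:55 +0000] "GET /broken HTTP/1.1" 500 100 "-"
"""

# Assumed equivalent of: parse "\"GET * HTTP/1.1\" * * \"*\"" as url,status_code,size,referrer
# plus the bracketed timestamp, which Sumo Logic would supply as _messagetime.
PARSE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "GET (?P<url>\S+) HTTP/1\.1" '
    r'(?P<status_code>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)"'
)


def parse(text):
    """The 'and GET' keyword filter plus the parse operator; unmatched lines are dropped."""
    rows = []
    for line in text.splitlines():
        if "GET" not in line:
            continue
        m = PARSE_RE.search(line)
        if m is None:
            continue
        rows.append({
            "_messagetime": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "url": m["url"],
            "status_code": int(m["status_code"]),
            "size": m["size"],
            "referrer": m["referrer"],
        })
    return rows


def where_not_in(rows, excluded):
    """| where !(status_code=200 or status_code=304), generalised to any set of codes."""
    return [r for r in rows if r["status_code"] not in excluded]


def timeslice(rows, minutes=1):
    """| timeslice <n>m : floor each message time to the start of its bucket."""
    out = []
    for r in rows:
        t = r["_messagetime"]
        bucket = t.replace(minute=t.minute - t.minute % minutes, second=0, microsecond=0)
        out.append({**r, "_timeslice": bucket})
    return out


def count_by(rows, *fields):
    """| count by f1, f2 : returns {(f1, f2): _count}."""
    return Counter(tuple(r[f] for f in fields) for r in rows)


def transpose(counts):
    """| order by _timeslice asc | transpose row _timeslice column status_code"""
    table = {}
    for (slice_, status), n in counts.items():
        table.setdefault(slice_, {})[status] = n
    return [(s.strftime("%H:%M"), table[s]) for s in sorted(table)]


def run_query(text, excluded=(200, 304), minutes=1):
    """The complete Step 5 query over raw log text: one (timeslice, {status: count}) per row."""
    rows = timeslice(where_not_in(parse(text), set(excluded)), minutes)
    return transpose(count_by(rows, "_timeslice", "status_code"))


if __name__ == "__main__":
    for ts, by_status in run_query(SAMPLE_LOG):
        print(ts, by_status)
```

Two details worth noticing when you compare this with the real query: the `and GET` term is a keyword match against the whole message, and it is the `"GET * HTTP/1.1"` pattern in parse that actually pins the match to the request line, so a line whose referrer happens to contain "GET" is still rejected by parse; and the where clause runs before timeslice and count, so the excluded codes never reach the aggregation, which is why the 200 and 304 columns disappear from the transposed table rather than merely being hidden in the legend.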

Now that you’ve created a chart, you can save it as a Panel in a Dashboard, and share that Dashboard with people in your organization.