Creating a Partition allows you to improve search performance by searching over a smaller number of messages. After routing messages to a Partition, you can limit your search by using the Partition name in a search query.
Partitions ingest your messages in real time. Partitions differ from Scheduled Views in that Partitions don’t backfill with aggregate data. They begin building a non-aggregate index from the time the Partition is created and index only the data moving forward. Scheduled Views backfill with aggregate data, meaning that all data that extends back to the start date of the View query is added to the View.
To define Partitions use simple search expressions, also called routing expressions. The routing expression is applied to all incoming messages as they enter the system. If the filter matches the message, it’s added to the Partition.
With multiple Partitions, messages are duplicated. For some Sumo Logic account types, the additional data counts against the data volume quota. See Sumo Logic account type and Manage Ingestion.
- To create a Partition you must be an Admin or you must have the Manage Indexes Role Capability.
- There is a limit of 50 Partitions per account.
- Once they are created, Partitions cannot be edited or deleted, and Partition names cannot be reused. This is due to the fact that a Partition may include log messages that are not stored anywhere else, and if the Partition is deleted, the log messages will be lost. But if it is no longer needed, a Partition may be decommissioned.