To create a Partition in an Index, you will create a routing expression, which is a kind of query. A Partition routing expression can take anything in a regular search query up to the first pipe—in other words, the search constraints. Partitions must be named alphanumerically, with no special characters. The query can include wildcards, but it cannot include any parsing or search operators.
Create Partitions for use cases that are not too general. The idea is to use Partitions in an Index to restrict the scope of your searches, both for security and to improve search performance. If you create a Partition for a very general use case, it will still work, but you won't benefit as much from increased performance.
When designing Partitions, keep the following in mind:
- Avoid using queries that are subject to change. To benefit from Partitions, use them for long-term message organization.
- Make the query as specific as possible. Making the query specific reduces the amount of data in the Partition, which increases search performance.
- Keep the query flexible. Use a flexible query, such as sourceCategory=*Apache*, so that metadata can be adjusted without breaking the query.
- Group data together that is most often used together. For example, create Partitions for categories such as web data, security data, or errors.
- Group data together that is used by teams. Partitions are an excellent way to organize messages by role and teams within your organization.
- Avoid including too much data in your Partition. Aim to send 2% to 20% of your data to a Partition. Including 90% of the data in your index in a Partition won’t improve search performance.
Create a Partition
- In the Sumo Logic Web Application, choose Manage > Indexes.
- On the Partitions tab, click the Add button.
- In the Create an Index dialog, enter the following:
  - Index Type. Select Partition.
  - Index Name. Enter a name that you'll use to search the data in a query. It's important to use a name that is descriptive and easy to remember. Names can consist of alphanumeric characters; underscores ( _ ) are the only special characters allowed.
  - Routing Expression. Enter the routing query for the Partition, which generally consists of the Source Category of the data you'd like indexed in the Partition. The routing query can include wildcards, but it cannot use any parsing or search operators. Also, empty strings are not supported.
  - Retention Period. Enter the retention period for this Partition, if you want it to be different from the General Index. Otherwise, select the check box Apply the retention period of the General Index. (You must select a retention period for the Create button to become active.)
  - Caching. Select this check box to cache the data of this Partition.
  - Enable Data Forwarding. Select this check box to forward the data in this Partition to an S3 bucket.
- Click Create.
The new Partition is added to the list and begins to index data as soon as you create it. Allow a few hours for the indexing to complete. If you've chosen to index a large amount of data, it could take a bit longer.
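
A local pre-check for the naming and routing-expression rules and the 2% to 20% guidance above, as an added example that is not Sumo Logic's own validation code. The function names, the constructed metadata sample, and the case-insensitive glob matching of a single key=value term are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

NAME_RE = re.compile(r"[A-Za-z0-9_]+")   # alphanumerics and underscores only
TERM_RE = re.compile(r"(\w+)=(\S+)")     # one key=value term, e.g. sourceCategory=*Apache*


def lint_partition(name, routing_expr):
    """Return a list of rule violations for a proposed Partition definition."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name: only alphanumerics and underscores are allowed")
    expr = routing_expr.strip()
    if not expr:
        problems.append("routing expression: must not be empty")
    if "|" in expr:
        problems.append("routing expression: no parsing or search operators (text after a pipe)")
    if '""' in expr or "''" in expr:
        problems.append("routing expression: empty strings are not supported")
    return problems


def routed_share(routing_expr, sample_events):
    """Fraction of sample events that a single key=value wildcard term would route."""
    m = TERM_RE.fullmatch(routing_expr.strip())
    if not m:
        raise ValueError("only a single key=value term is supported here")
    key, pattern = m.group(1), m.group(2).lower()
    # Assumption: wildcard matching behaves like a case-insensitive glob.
    hits = sum(1 for e in sample_events if fnmatchcase(str(e.get(key, "")).lower(), pattern))
    return hits / len(sample_events)


def in_target_range(share):
    """The guidance above: send roughly 2% to 20% of your data to a Partition."""
    return 0.02 <= share <= 0.20


# Constructed sample: metadata for 100 events, 10 of them from Apache sources.
SAMPLE = (
    [{"sourceCategory": "prod/web/Apache/access"}] * 7
    + [{"sourceCategory": "prod/web/Apache/error"}] * 3
    + [{"sourceCategory": "prod/app/payments"}] * 60
    + [{"sourceCategory": "prod/os/linux/secure"}] * 30
)

if __name__ == "__main__":
    for name, expr in [("web_apache", "sourceCategory=*Apache*"),
                       ("web-apache", "sourceCategory=*Apache* | count")]:
        print(name, "->", lint_partition(name, expr) or "ok")
    share = routed_share("sourceCategory=*Apache*", SAMPLE)
    print(f"share={share:.0%}, within 2-20%: {in_target_range(share)}")
```

Running the same check against a sample of your real Source Category values before creating the Partition shows whether the expression is too broad to help search performance.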