Skip to main content
Sumo Logic

save Operator

The save operator saves the results of a query into a file. You can use the lookup operator to access the saved data.

The save  operator allows you to save the results of a query to a lookup table you created you have already created, as described in Create a Lookup Table. You can use the lookup and cat operator to access the saved data.

You can use the append option with save to merge new and changed rows into a lookup table. If you use save without append, any existing rows in the lookup table will be overwritten by your search results. 

If your lookup table is configured with a time-to-live (TTL), creating or updating a row sets or resets the TTL for that row.   

Either raw or aggregated results can be saved with the save operator.

Syntax 

save [append] path://”<path-to-table>”  

where: 

  • path-to-table is the path to the lookup table in the Sumo Logic Library.

To determine the path to a lookup table, highlight the row for the table in the Sumo Logic Library, and select Copy path to clipboard from the three-dot more options menu for the table.

Rules 

  • Your search schema must exactly match the schema of the lookup table you are writing to. Make sure your search returns all of the fields defined for the lookup table and no additional fields.
  • You cannot create a lookup table with the save operator. You must first create a lookup table, as described in Create a Lookup Table
  • The file size limit for lookup tables is 100 MB.
  • Queries that use the save operator cannot be pinned.

Examples 

Using save without append

This example saves search results data about new user accounts to the lookup table on Sumo Logic  .

| parse "name=*," as name
| parse "action=*," as action
| parse "date=*," as date
| where action="sign-up"
| first(date) as date, first(action) as action by name
| save path://"/Library/Users/myusername@sumologic.com/Users"

The above search would populate the lookup table to have these rows:

Name Action Date
John sign-up 2012-08-20
Bill sign-up 2012-08-21
Bob sign-up 2012-08-21

Using save with append

You can use the append option to add rows to a lookup table and to update existing rows. For example, you could run a scheduled search once a day and use save append to merge new and changed rows into the table. If a row in your search results has the same primary key as a row in the lookup, the lookup table row will be updated. If the primary key in a row in the search results does not match a row in the lookup table, the new row will be added to the lookup. Note that the search results schema must match that of the lookup table. If the search results fields do not match the lookup table fields, the append will fail.

Let's say that you'd like to append your lookup file each day by scheduling this search to run every 24 hours:

| parse "name=*," as name 
| parse "action=*," as action 
| parse "date=*," as date 
| where action="sign-up" 
| first(date) as date, first(action) as action by name 
| save append path://"/Library/Users/myusername@sumologic.com/Users"

Each day the query runs and the new and changed rows are written to the table.

You can also append data to a saved file from different queries. For example, say we have two sources, "bill" that includes billing information, and "config" that contains account information, and we'd like to be able to search for some values from each source. These searches would populate a table with information from both sources:

_source=bill | parse "user_id=*," as name
| parse "user_email=*," as email
| save path://"/Library/Users/myusername@sumologic.com/Users"
_source=config | parse "_user=[*]" as name
| parse "contact_info=[*]" as email
| save append path://"/Library/Users/myusername@sumologic.com/Users"