Sumo Logic

Search Audit Dashboards

The Search Audit app provides searches and dashboards to help you analyze your current capacity.

Search Audit - Current Capacity Usage Overview

Begin your search audit with a high-level view of your current capacity. Understand the capacity you’re currently using, the total number of searches you’ve performed for that time, and identify the biggest users of your capacity as well as the biggest queries you’re currently running on your account.


  • Capacity Used Ratio. Displays the capacity your organization is using as of 15 minutes ago. Your capacity is fixed at a particular limit, based on your account. Anything over that fixed limit will have some impact on performance.

  • Number of Searches. Total number of searches in the last 15 minutes.

  • Capacity by User. Pie chart displaying users over the last 15 minutes and the percentage of capacity they use. This chart is provided as a high-level view. Click it to drill down to a more detailed dashboard, Search Audit - Users and Queries.

  • Capacity by Query Type. Pie chart showing the queries run over the last 15 minutes and the percentage of capacity they use. This chart is provided as a high-level view. Click it to drill down to a more detailed dashboard, Search Audit - Users and Queries.

  • Search Concepts. Text panel explaining how your Sumo Capacity (Compute) is a combination of scan and retrieve. While your Capacity is fixed, you can use Search Audit to identify areas to improve your overall usage.

Search Audit - Users and Queries

Drill down on users and the queries that they run and see what takes up most of your capacity.


  • Capacity Usage (GB) by User. Displays the top 10 users by the percentage of your capacity they used in the last 15 minutes and compares them to all the other users in your account as a pie chart. Use this to understand if there’s a particular user or users that are taking up an unusual amount of capacity.
  • Capacity Usage (GB) by User and Query Type. Displays a bar chart of the top 10 users of your capacity and the queries they are currently running compared to all other users and the query types that they are running.
  • Capacity Usage by Top 10 Users. Displays a bar chart to compare the capacity used by your top 10 users to the capacity baseline for your account. Use this to see whether your top 10 users are going over capacity or whether there are capacity issues in general for your org in the last 15 minutes.
  • Capacity Usage (GB) by Scanned and Retrieved. Displays capacity used by your top 10 users compared to all other users in your account for the last 15 minutes as a bar chart where usage is broken down by capacity spent on data scanning and data retrieval. See which users are spending their capacity retrieving data. Use this information to determine if you can make their future searches more efficient.
  • Queries by Consumption in 15 Mins. Displays a detailed aggregation table of the queries that consumed the most capacity in the last 15 minutes and includes more detailed information on:
    • Username of the person who ran the query
    • Session ID of the query
    • Type of query
    • Query text
    • Time range of the query
    • Duration of the query
    • Capacity used in GB
    • Percent of capacity used
    • Capacity spent scanning data in GB
    • Capacity spent retrieving data in GB 

Search Audit - Query Characteristics and Opportunities to Improve

Understand which of your queries take advantage of important terms and metadata to improve efficiency and those that don’t.


  • Search Considerations. Displays key information on what search optimization techniques are available to you.

  • Queries by Optimization Techniques. Displays a table of the queries using optimization techniques such as partitions, keywords, and other metadata, and divides them by how many techniques are used in the query.

  • Capacity Used (GB) by Optimization Techniques. Displays a pie chart of the capacity used by search optimizations. See how much of your capacity is used by

  • Popular Indices and Views Referenced by Queries. Displays a pie chart of the most popular indices and views by query for the last 24 hours.

  • Popular Source Categories Referenced by Queries. Displays a pie chart of the most popular source categories by query for the last 24 hours.

  • Popular Metadata Referenced by Queries. Displays an aggregation table of the popular metadata used in the last 24 hours. You can see the name, value, count, and percentage of total queries that used that metadata.

Search Audit - Capacity Usage Over Time

Drill down from your Capacity Usage dashboard to see your capacity use for a longer period of time, such as the last day, week, or month so that you can adjust your capacity quota as needed.


  • Daily Capacity Used. Displays the total daily capacity usage divided by daily quota. Use this number to understand your overall capacity use for the past day.

  • Search Capacity Usage (GB). Displays a bar chart of your capacity used for the last 24 hours, compared to the baseline of your capacity limit. Use this chart to identify spikes in your capacity usage.

  • Capacity Used by Query Type. Displays a pie chart of how your users have been searching for the last 24 hours, broken down by the type of queries you are using, and can include:

    • Anomaly Detection

    • Interactive Search

    • Interactive Dashboard

    • Search API

    • Scheduled Search

    • View Maintenance

  • Capacity By Usage. Displays a bar chart of the capacity used over the last 24 hours, time sliced every 15 minutes, compared with the baseline of your actual capacity during that time period. Use this chart to identify spikes in your capacity down to the 15-minute level.

  • Search Capacity Used (GB) by Query Type. Displays a bar chart of the capacity used over the last 24 hours, time sliced every 15 minutes, broken down by the type of query used and compared to the capacity baseline. This can help you visually identify the query or queries responsible for the capacity spike.

  • Monitoring Your Usage. Informational panel that explains how to modify panels to see a longer-term display of your capacity use.

  • Scan, Retrieved vs Capacity. Displays a bar chart of the capacity used over the last 24 hours and time sliced every 15 minutes. It breaks down how much data was scanned and how much was retrieved. Your actual capacity is provided as a baseline.