This topic has information about how to search the Sumo Logic platform for Records that have been forwarded from CSE. For more information about performing log searches in Sumo Logic, see Search Basics.
Sumo Logic partitions that contain CSE Records
In CSE, normalized Records are categorized by Record type, for example Audit, Authentication, Network, NetworkDHCP, and so on.
In Sumo Logic, Records are stored in partitions, which are indexes that enable better search performance. The table below shows which partition each Record type is stored in. Note that some partitions contain multiple Record types.
| CSE Record type | Sumo Logic partition |
There is a separate partition for forwarded raw messages for which Records were not created, because no log mapper was available.
| CSE Record type | Sumo Logic partition |
Search CSE Records from the Partitions page
If you have the View Partitions role capability, you can search CSE partitions from the Partitions page in the Sumo Logic UI.
- Go to Manage Data > Logs > Partitions.
- The partitions that contain CSE Records begin with the string "sec_record".
- To search for all Records in the partition, click the icon that appears next to a Partition name when you hover over a row.
- A log search tab opens with a query, like _index=PartitionName, that returns all of the Records created within the currently selected time range (15 minutes by default). For a description of the results, see Search all Records in a partition, below.
Search CSE Records in a log search tab
To search a Sumo Logic partition, you specify the name of the partition using _index=<index_name>. The sections below provide instructions for scoping a search so that it returns the Records you're interested in.
Open a log search tab
To open a log search tab in Sumo Logic, click + New and select Log Search.
Search all Records in a partition
To return all the Records in a partition, all you need to include in your query is the partition name. For example, to search all Records in the sec_record_network partition, choose a time range, enter this query, and click Start:
_index = sec_record_network
- The query returns all of the Record types that are stored in the partition: Network, NetworkDHCP, NetworkDNS, NetworkFlow, NetworkHTTP, and NetworkProxy.
- By default, two Record fields are displayed: Message. You can display additional fields by checkmarking the desired fields in the Hidden Fields area. You can also use the fields operator to specify the fields you want displayed and save the search, as described in the following section.
Save a query with predefined display fields
You can use the fields operator to choose the fields you want to be displayed when you run the search. You can add additional fields to those that are displayed by default.
To add display fields
This query adds the objectType field (which contains the Record type) and the user_username field to the displayed output:
_index = sec_record_audit
| fields objectType, user_username
To save a search
To save the query for future use, click Save As below the query, name the query, and then click Save.
Search multiple partitions
You can search multiple partitions by using OR in the query. For example, to search all Records in the sec_record_audit and sec_record_network partitions:
_index = sec_record_audit OR _index = sec_record_network
Search all Record partitions
To search all Records in all of the partitions that contain CSE Records, use an asterisk (*) wildcard.
_index = sec_record_*
Query by Record type
The objectType field in a Record indicates its Record type. To restrict results to a particular Record type, use _index to identify the partition that contains that Record type, and objectType to specify the Record type. For example, to search for NetworkHTTP Records in the sec_record_network partition:
_index = sec_record_network objectType=NetworkHTTP
Return a count of Records by Record type
You can use the count operator to aggregate your query results. In the following query, the asterisk wildcard searches across all partitions that contain CSE Records, and the results are counted by partition (_view) and by objectType, which contains the Record type. The query returns the count of Records of each type in each partition.
_index = sec_record_*
| count as Total by _view, objectType
| order by Total
Search by keyword
The partitions that contain CSE Records don't have an associated raw message. For this reason, you can't run a direct keyword search against those Records as you can with other Sumo Logic data sources. You can, however, search the fields field, which contains a JSON object of all Record fields and values. The following trivial example query returns all Records in the sec_record_authentication partition that contain the string "false":
| fields fields
When you use wildcards for field values in a query scope, only Records in which those fields are present and not null will be returned. For example, the following query will only return Records if the srcDevice_ip field is present and not null:
_index = sec_record_* srcDevice_ip=*
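The scoping rules above (partition wildcard, objectType filter, the "present and not null" meaning of a field=* match, keyword search through the JSON in the fields field, and count by _view and objectType) can be checked locally before running a live search. The following Python is an added example and is not Sumo Logic's or CSE's code; it runs the same filters over a handful of constructed Records that imitate the shape described on this page (a _view partition name, an objectType, and a fields string holding a JSON object). The sample values are made up, and the descending sort direction in the count helper is a choice made here, not something the page specifies.

```python
import json
from collections import Counter

# Constructed sample Records (not real CSE output). Each carries the partition
# it lives in (_view), its Record type (objectType), optionally a top-level
# srcDevice_ip, and a "fields" string holding a JSON object of all its fields.
SAMPLE_RECORDS = [
    {"_view": "sec_record_network", "objectType": "NetworkHTTP",
     "srcDevice_ip": "10.0.0.5",
     "fields": json.dumps({"srcDevice_ip": "10.0.0.5", "http_method": "GET"})},
    # srcDevice_ip present but null: excluded by srcDevice_ip=*
    {"_view": "sec_record_network", "objectType": "NetworkDNS",
     "srcDevice_ip": None,
     "fields": json.dumps({"srcDevice_ip": None, "dns_query": "example.test"})},
    # srcDevice_ip absent entirely: also excluded by srcDevice_ip=*
    {"_view": "sec_record_authentication", "objectType": "Authentication",
     "fields": json.dumps({"user_username": "alice", "success": False})},
    {"_view": "sec_record_authentication", "objectType": "Authentication",
     "srcDevice_ip": "10.0.0.9",
     "fields": json.dumps({"user_username": "bob", "success": True,
                           "srcDevice_ip": "10.0.0.9"})},
    {"_view": "sec_record_audit", "objectType": "Audit",
     "fields": json.dumps({"user_username": "carol", "action": "disable"})},
]


def scope_index(records, pattern):
    """Mimic `_index = <pattern>`: an exact partition name, or a prefix
    match when the pattern ends in a trailing * wildcard."""
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        return [r for r in records if r["_view"].startswith(prefix)]
    return [r for r in records if r["_view"] == pattern]


def scope_type(records, object_type):
    """Mimic `objectType=<type>` added to the query scope."""
    return [r for r in records if r["objectType"] == object_type]


def field_present(records, name):
    """Mimic `<name>=*`: keep only Records where the field exists and is not null."""
    return [r for r in records if r.get(name) is not None]


def fields_contains(records, needle):
    """Mimic a keyword search against the `fields` JSON string. Because the
    match is a plain substring test on serialized JSON, a boolean false is
    found as the text "false", exactly as the page's trivial example relies on."""
    return [r for r in records if needle in r["fields"]]


def count_by_view_and_type(records):
    """Mimic `count as Total by _view, objectType`, returned as a list of
    ((_view, objectType), Total) pairs sorted by Total, largest first."""
    totals = Counter((r["_view"], r["objectType"]) for r in records)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    everything = scope_index(SAMPLE_RECORDS, "sec_record_*")
    print("all CSE partitions:", len(everything))
    print("NetworkHTTP only:", len(scope_type(scope_index(SAMPLE_RECORDS, "sec_record_network"), "NetworkHTTP")))
    print("srcDevice_ip present and not null:", len(field_present(everything, "srcDevice_ip")))
    print("authentication Records containing 'false':",
          len(fields_contains(scope_index(SAMPLE_RECORDS, "sec_record_authentication"), "false")))
    for (view, otype), total in count_by_view_and_type(everything):
        print(f"{view} {otype} {total}")
```

The two NetworkDNS and Authentication (alice) Records are the instructive ones: one has srcDevice_ip set to null and one lacks the field altogether, and both drop out of a srcDevice_ip=* scope, which is the behaviour the last paragraph describes.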