Skip to main content
Sumo Logic

Create a Processing Rule

You can add a processing rule to an existing source or create a processing rule when you configure a new source.

  1. To create a processing rule for an existing source, go to Manage Data > Collection > Collection (Manage > Collection in the classic UI) and click Edit next to a source. Click the menu next to Processing Rules, near the bottom of the page and then click Add Rule.

    To create a processing rule for a source that you're configuring, click the menu next to Processing Rules for Logs, and then click Add Rule.

    Add processing rule

  2. The Processing Rule for Logs dialog is displayed. 

    Add Processing Rule
     
  3. Type a Name for this rule. (Names have a maximum of 32 characters.)
  4. For Filter, type a regular expression that defines the messages you want to filter. The rule must match the whole message.
    • For multi-line log messages, to get the lines before and after the line containing your text, wrap the segment with (?s).* such as: (?s).*matching text(?s).*
  5. Choose the Type of processing rule you'd like to create:
  • Exclude messages that match. Remove messages that you don't want to send to Sumo Logic at all (think of it as a "black list" filter). These messages are skipped after reaching the Source and are not uploaded to Sumo Logic.
  • Include messages that match. Send only the data you'd like in your Sumo Logic account (a "white list" filter). This type of filter can be very useful when the list of log data you want to send to Sumo Logic is easier to filter than setting up exclude filters for all of the types of messages you'd like to exclude, for example, if you only want to include only messages coming from a firewall.
  • Hash messages that match. Replace an message with a unique, randomly-generated code to protect sensitive or proprietary information. You may want to hash unique identifiers, such as credit card numbers or user names. By hashing this type of data, you can still track it, even though it's fully hidden.
  • Mask messages that match. Replace an expression with a mask string that you can customize—another option to protect data, such as passwords, that you wouldn't normally track.
  • Forward messages that match. Send data from a installed collector source to a selected non-Sumo location. This option is only available if you have configured a data forwarding destination. For more information, see Forward Data from an Installed Collector. 
  1. Click Apply.

    rule-action.png
  1. Click Save.

    rule-action.png