Sumo Logic

Metrics Data Volume Index

Sumo Logic populates the Metrics Data Volume Index with a set of JSON-formatted messages every five minutes. The messages contain the volume of metric data points your account is ingesting.

You can query the index to:

  • Get the total metric data volume (data points) ingested by collector, source, source name, source category, or source host, including metrics generated by a logs-to-metrics rule.
  • Get the total metric data volume broken down by logs-to-metrics rule, counting only metrics generated by those rules.

Message format

Each JSON message contains one parent object per entity of the index type (for example, one per collector), and a child object for each parent that holds its data point count.

For example, a single message of collector volume data may look similar to the following, where collector_N is the name of a collector. The dataPoints values are the aggregated volume for a five-minute period.

{
    "collector_a":{"dataPoints":733296},
    "collector_b":{"dataPoints":4380031},
    "collector_c":{"dataPoints":386255},
    "collector_d":{"dataPoints":10823082},
    .
    .
}

Querying the Metrics Data Volume index

When you query the index, the query scope must include the following:

_index=sumologic_volume _sourceCategory=<index_source_category>

Where index_source_category is one of the categories listed below. Each entry gives the index log type, its index source category, and what the results contain.

  • Collector: collector_metrics_volume
    Use this source category to query metric volume by collector. Results will include all ingested metrics, including those generated by logs-to-metrics rules.
  • Source: source_metrics_volume
    Use this source category to query metric volume by source. Results will include all ingested metrics, including those generated by logs-to-metrics rules.
  • SourceName: sourcename_metrics_volume
    Use this source category to query metric volume by source name. Results will include all ingested metrics, including those generated by logs-to-metrics rules.
  • SourceCategory: sourcecategory_metrics_volume
    Use this source category to query metric volume by source category. Results will include all ingested metrics, including those generated by logs-to-metrics rules.
  • SourceHost: sourcehost_metrics_volume
    Use this source category to query metric volume by source host. Results will include all ingested metrics, including those generated by logs-to-metrics rules.
  • Logs-to-Metrics: logstometricsrulename_metrics_volume
    Use this source category to query metric volume by logs-to-metrics rule. Results will include only those ingested metrics that were generated by logs-to-metrics rules.

Metric volume query examples

Metric volume by source category

This query returns the metric volume by source category.

_index=sumologic_volume _sourceCategory=sourcecategory_metrics_volume
| parse regex "\"(?<sourcecategory>(?:[^\"]+)|(?:\"\"))\"\:\{\"dataPoints\"\:(?<dp>\d+)\}" multi
| sum(dp) as dp by sourcecategory

It returns results like these (screenshot: dp-by-category.png).

Metric volume by collector

This query returns the metric volume by collector.

_index=sumologic_volume _sourceCategory=collector_metrics_volume
| parse regex "\"(?<collector>(?:[^\"]+)|(?:\"\"))\"\:\{\"dataPoints\"\:(?<dp>\d+)\}" multi
| sum(dp) as dp by collector

It returns results like these (screenshot: dp-by-collector.png).

Metric volume for a specific collector

This query returns the metric volume for a specific collector.

_index=sumologic_volume _sourceCategory=collector_metrics_volume
| json "your-collect-name" as collector_json
| json field=collector_json "dataPoints" as dp
| sum(dp) as dp
| fields dp

Substitute the name of your collector for your-collect-name.

Data points per minute (DPM) by logs-to-metrics rule

This query returns the DPM resulting from each of your logs-to-metrics rules.

_index=sumologic_volume datapoints _sourceCategory="logstometricsrulename_metrics_volume"
| parse regex "\"(?<logstometricsrulename>[^\"]+)\"\:\{\"dataPoints\"\:(?<datapoints>\d+)\}" multi
| sum(datapoints) as datapoints by logstometricsrulename
| ((queryEndTime() - queryStartTime())/(1000*60)) as duration_in_min
| datapoints / duration_in_min as %"DPM"
| fields logstometricsrulename,DPM
| sort by DPM

It returns results like these (screenshot: dpm-by-l2m-rule.png).
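The following Python is an added example, not part of the Sumo Logic documentation: it reproduces offline what the queries above do against the message format described earlier, parsing constructed five-minute messages, summing dataPoints per parent key, and converting totals to DPM with the same duration formula. The messages, collector names, the empty-string key and the malformed collector_x child are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample: three consecutive five-minute messages from the
# collector_metrics_volume index (not real account data). The "" key mirrors the
# (?:\"\") alternative in the page's regex; collector_x carries a malformed child.
SAMPLE_MESSAGES = [
    '{"collector_a":{"dataPoints":733296},"collector_b":{"dataPoints":4380031},"":{"dataPoints":12}}',
    '{"collector_a":{"dataPoints":740000},"collector_b":{"dataPoints":4400000},"collector_c":{"dataPoints":386255}}',
    '{"collector_a":{"dataPoints":776704},"collector_b":{"dataPoints":4719969},"collector_x":{"dataPoints":"n/a"}}',
]

def parse_volume_message(raw):
    """Return {parent_key: dataPoints} for one message, skipping children that
    lack an integer dataPoints value (the page's regex would not match them either)."""
    out = {}
    for key, child in json.loads(raw).items():
        if isinstance(child, dict) and isinstance(child.get("dataPoints"), int):
            out[key] = child["dataPoints"]
    return out

def sum_data_points(messages):
    """Equivalent of `| sum(dp) as dp by <key>` over every message in the window."""
    totals = defaultdict(int)
    for raw in messages:
        for key, dp in parse_volume_message(raw).items():
            totals[key] += dp
    return dict(totals)

def volume_for(messages, name):
    """Equivalent of the `json "your-collect-name" ... | sum(dp) as dp` query."""
    return sum_data_points(messages).get(name, 0)

def window_minutes(query_start_ms, query_end_ms):
    """Same formula as ((queryEndTime() - queryStartTime()) / (1000*60))."""
    if query_end_ms <= query_start_ms:
        raise ValueError("query window must be non-empty")
    return (query_end_ms - query_start_ms) / (1000 * 60)

def data_points_per_minute(totals, minutes):
    """Equivalent of `datapoints / duration_in_min as %"DPM"` for every key."""
    return {key: dp / minutes for key, dp in totals.items()}

if __name__ == "__main__":
    totals = sum_data_points(SAMPLE_MESSAGES)
    # Three five-minute messages cover a 15-minute query window.
    for name, dpm in sorted(data_points_per_minute(totals, 15).items()):
        print(f"{name or '(empty name)'}: {totals[name]} data points, {dpm:.0f} DPM")
```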