Searching Data Tiers

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Learn how to search specific Data Tiers.

This page has information about how to search different Data Tiers, and when you should use _dataTier, a search modifier that restricts your search to a single tier.

About the _dataTier search modifier

In Sumo Logic, a search modifier is a tag that gives the Sumo Logic backend information about how to process a query. The _dataTier modifier tells Sumo Logic which Data Tier a query should run against: Continuous, Frequent, or Infrequent.

When you include the _dataTier modifier in a query, the query will run against only the tier you specify. If you do not specify one or more partitions in the query, using _index, the query will run against all partitions in the tier you specified with _dataTier.

You don’t have to specify a Data Tier when you run a query. If you don’t include _dataTier, how we run the search depends on whether or not you specify one or more partitions using _index.

If you don’t specify a partition using _index (you only specify keywords and metadata) the search runs against the Continuous tier.
If you specify multiple partitions, Sumo Logic infers the Data Tier for each partition from the partition names. If the specified partitions are in different Data Tiers, Sumo Logic presents an error message. Sumo Logic does not currently support querying data across multiple tiers within the same search query.

Even though you don't have to use _dataTier when you are querying selected partitions, it is a good practice, as it makes it clear from looking at the query what tier it runs agains.

Examples

Example query	How query is processed
`_dataTier=Infrequent error`	Searches all the partitions in the Infrequent tier for messages that contain the string “error”.
`_index=<InfreqPart> error` (Where `InfreqPart` is a partition in the Infrequent tier.)	Searches the partition named “InfreqPart” in the Infrequent tier for messages that contain the string “error”.
`_index=<InfreqPart1> or _index=<InfreqPart2> error` (Where `InfreqPart1` and `InfreqPart2` are partitions in the Infrequent tier.)	Searches the partitions named “InfreqPart1” and “InfreqPart2” in the Infrequent tier for messages that contain the string “error”.
`_index=<InfreqPart1> or _index=<FreqPart2> error` (Where `InfreqPart1` and `FreqPart2` are partitions in the Infrequent and Frequent tiers respectively.)	Search gives you an error, since the two partitions are from different data tiers
`_sourceCategory=apache error`	Searches the Continuous tier for messages that contain the string “error”.

_dataTier limitations

The _dataTier search modifier is not supported in:

Live mode dashboards
Role search filters
Real time alerts
Partition routing expressions
Logs-to-Metrics rules

In addition, because _dataTier is a reserved name in Sumo Logic, so you can’t assign it to a Field or in a parse expression for a Field Extraction Rule.

_dataTier and scheduled views and audit indexes

When you query scheduled views, the Sumo Logic Audit Index, or the Sumo Logic Audit Event Index, it isn’t necessary to specify a tier with _dataTier. Search these indexes using _index. By default, Sumo will run such queries against the Continuous tier.

If you use _dataTier to specify a tier other than Continuous in a query of scheduled views or either of the audit indexes, Sumo Logic presents an error message.