To create a Partition in an Index, you will create a routing expression, which is a kind of query. A Partition routing expression can take anything in a regular search query up to the first pipe—in other words, the search constraints. Partitions must be named alphanumerically, with no special characters. The query can include wildcards, but it cannot include any parsing or search operators.
Create Partitions for use cases that are not too general. The idea is to use Partitions in an Index to restrict your search for security and to improve search performance. If you create a Partition for a very general use case, it would still work; you just wouldn't benefit as much from increased performance.
When designing Partitions, keep the following in mind:
- Avoid using queries that are subject to change. In order to benefit from using Partitions, they should be used for long-term message organization.
- Make the query as specific as possible. Making the query specific reduces the amount of data in the Partition, which increases search performance.
- Keep the query flexible. Use a flexible query, such as sourceCategory=*Apache*, so that metadata can be adjusted without breaking the query.
- Group data together that is most often used together. For example, create Partitions for categories such as web data, security data, or errors.
- Group data together that is used by teams. Partitions are an excellent way to organize messages by role and teams within your organization.
- Avoid including too much data in your Partition. Aim to send 2% to 20% of your data to a Partition. Including 90% of the data in your index in a Partition won’t improve search performance.
Don't create overlapping partitions. With multiple Partitions, messages could be duplicated if you create routing expressions that overlap. For example, if you have the following partitions, messages for _sourceCategory=prod/Apache would be duplicated, as they would be stored in both partitions.
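The design guidelines above (specific, non-empty routing expressions with no pipe or operators, alphanumeric names, a modest share of total data, and no overlap between Partitions) can be checked before anything is created in the UI. The following script is an added example written for this page, not Sumo Logic's own tooling or API; the partition definitions and the list of source categories it checks are constructed sample values, and it approximates Sumo Logic's wildcard matching with shell-style glob matching via fnmatch, which is an assumption.

```python
import fnmatch
import re

# Constructed partition definitions (sample values, not from a real deployment).
# "web_prod" and "apache_all" deliberately overlap to show the duplication problem.
PARTITIONS = {
    "web_prod": "_sourceCategory=prod/Apache*",
    "apache_all": "_sourceCategory=*Apache*",
    "security": "_sourceCategory=prod/security/*",
}

# Constructed sample of source categories seen on incoming messages.
SAMPLE_SOURCE_CATEGORIES = [
    "prod/Apache",
    "prod/Apache/access",
    "dev/Apache",
    "prod/security/firewall",
    "prod/db/mysql",
]

# Partition names: alphanumeric characters plus underscore (the rule stated above).
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def validate_partition(name, routing_expression):
    """Return a list of problems with one partition definition (empty list means OK)."""
    problems = []
    if not NAME_RE.match(name):
        problems.append(f"{name!r}: name must be alphanumeric (underscore allowed)")
    expr = routing_expression.strip()
    if not expr:
        problems.append(f"{name!r}: routing expression must not be empty")
    elif "|" in expr:
        # Anything after a pipe would be a parse/search operator, which is not allowed.
        problems.append(f"{name!r}: routing expression must not contain a pipe or operators")
    return problems


def source_category_glob(routing_expression):
    """Extract the wildcard pattern from a '_sourceCategory=<pattern>' expression."""
    m = re.fullmatch(r"\s*_sourceCategory\s*=\s*(\S+)\s*", routing_expression)
    if not m:
        raise ValueError(f"unsupported routing expression: {routing_expression!r}")
    return m.group(1)


def matching_partitions(partitions, source_category):
    """Names of every partition whose routing expression matches this source category."""
    return sorted(
        name
        for name, expr in partitions.items()
        if fnmatch.fnmatchcase(source_category, source_category_glob(expr))
    )


def find_overlaps(partitions, source_categories):
    """Map each source category routed to more than one partition to those partitions.

    A non-empty result means messages from that category would be stored twice.
    """
    overlaps = {}
    for category in source_categories:
        hits = matching_partitions(partitions, category)
        if len(hits) > 1:
            overlaps[category] = hits
    return overlaps


def partition_share(partitions, source_categories):
    """Fraction of the sample each partition would receive; the guideline above is 2% to 20%."""
    total = len(source_categories)
    return {
        name: sum(1 for c in source_categories if name in matching_partitions(partitions, c)) / total
        for name in partitions
    }


if __name__ == "__main__":
    for name, expr in PARTITIONS.items():
        for problem in validate_partition(name, expr):
            print("invalid:", problem)
    for category, names in find_overlaps(PARTITIONS, SAMPLE_SOURCE_CATEGORIES).items():
        print(f"overlap: {category} would be stored in {names}")
    for name, share in partition_share(PARTITIONS, SAMPLE_SOURCE_CATEGORIES).items():
        print(f"{name}: {share:.0%} of sample data")
```

Run against the constructed sample, the script reports that both `prod/Apache` and `prod/Apache/access` would land in `web_prod` and `apache_all`, and that `apache_all` would receive well over the suggested share of the data; tightening `apache_all` to a specific environment, or dropping it in favour of `web_prod`, resolves both findings. In a real deployment, the source category list would come from a query over recent message metadata rather than a hard-coded sample.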
Create a Partition
- In Sumo Logic, go to Manage > Partitions.
- Click the Add button.
- In the Create a Partition dialog box, enter the following:
  - Index Name. Enter a name that you'll use to search the data in a query. It's important to use a name that is descriptive and easy to remember. Names can consist of alphanumeric characters; underscores ( _ ) are the only special characters allowed.
  - Routing Expression. Enter the routing query for the Partition, which generally consists of the Source Category of the data you'd like indexed in the Partition. The routing query can include wildcards, but it cannot use any parsing or search operators. Empty strings are not supported.
- Click Create.
The new Partition is added to the list and begins to index data as soon as you create it. Allow a few hours for the indexing to complete. If you've chosen to index a large amount of data, it could take a bit longer.