Skip to main content
Sumo Logic

Construct a Search Filter for a Role

You can construct a log search filter to define access for a role and set limitations based on metadata or at the record level. The filter is a string that isn't visible to the user, but is added to the beginning of each log query the user runs.

As you type a string in the Search Filter box in the New Role dialog box, supported metadata and record options are displayed to help you enter a well-defined string. Any errors in the string are underlined in red.

For example, when creating the Ops Team Role, you might want to prevent Ops Team members from viewing billing information, which comes from a source named analytics. If you type !_source into the Search Filter box, the list of options is displayed. Select an option or continue typing to complete the string.



  • Role filters cannot apply to metrics searches, only log searches.
  • Role strings cannot include vertical pipes:|
  • Scheduled Views or Partitions are not supported in role filters, due to potentially conflicting field names and value types. 

Denying access to data

! is treated as NOT in Sumo Logic queries.


The Ops Team role is defined with !_source=analytics as the search filter. When a user assigned to the Ops Team role runs a search,!_source=analytics AND is silently added to the beginning of the search query.

If a user who does not have the Ops Team role runs the following search:

(error OR fail*) AND exception | count by _sourceCategory | sort by _count

the results are as shown below on the left (the analytics Source category is included). However, if an Ops Team member runs the same search, the results are as shown on the right (without the analytics Source category), because the actual query that is run is as follows:

!_source=analytics AND(error OR fail*) AND exception | count by _sourceCategory | sort by _count

Granting access to data

What if you'd like to limit a role to a specific data set, or if you have a Collector that should only be accessed by certain users? Instead of denying access, you can grant access to a data set by typing the object into the Search Filter text box.

Example:  To create a role for a team that needs to monitor firewall logs that are received by a specific Collector, add the search filter _collector=firewall*to the role. This prepends_collector=firewall* AND to each query run by users who have that role.

Defining access based on metadata

You can restrict access to the following metadata fields:






For example, let's say that our admin wants to create a role that prevents access to hosts humanresourcesfinance, and secret. Use the following search filter.

!_sourceHost=humanresources* and !_sourceName=*finance* and !_sourceCategory=*secret*

If a user with the above role runs a query like:

error | count by _sourceHost

the following query is what Sumo Logic actually runs:

error and (!_sourceHost=humanresources* AND !_sourceName=*finance* AND !_sourceCategory=*secret*) | count by _sourceHost

The results will exclude all results that were described by the role's restriction.

For more information on Sumo Logic metadata fields, see Metadata Searches.

Defining access based on records

You can create roles based on removing access to specific values in log messages. For example, let's say you'd like to create a role for a subset of users that should never see data that contain userid, or anything that matches secret*.

In this case, constructing a role using this string:

!userid and !secret*

means that if a user with the above role runs a query like:

error | count by _sourceHost

the following query is what Sumo Logic actually runs:

error AND (!userid AND !secret*) | count by _sourceHost