Sumo Logic

Metric Volume Queries

Queries for monitoring metric ingestion and throttling.

This page provides queries that are useful for monitoring your metric ingestion. You can use the queries as is, without modification.

Query for metric throttling events

This query searches the Audit Index for messages that indicate that metric ingestion has been throttled. Metric throttling occurs when you exceed your DPM burst limit. For more information, see Metric Throttling.  

_index=sumologic_audit _sourceCategory=account_management _sourceName=VOLUME_QUOTA "Resource type: MetricIngest"

Suggested search time range: Last one hour (-1h)

Suggested frequency for scheduling: Every one hour

Query for metric ingestion outliers 

This query runs against the metrics volume index and uses the outlier operator to find timeslices in which your metric ingestion in DPM was greater than the running average by a statistically significant amount. 

_index=sumologic_volume _sourceCategory=sourcecategory_metrics_volume
| parse regex "\"(?<sourcecategory>(?:[^\"]+)|(?:\"\"))\"\:\{\"dataPoints\"\:(?<dp>\d+)\}" multi
| timeslice 15m
| sum(dp) as dp by _timeslice
| outlier dp window=5,threshold=3,consecutive=1,direction=+
| where dp_violation > 1

Suggested search time range: Last 3.5 hours (-210m)

Suggested frequency for scheduling: Every one hour

Sustained DPM above plan limit query

This query runs against the metrics volume index and checks for 15-minute periods during which your metric ingestion in DPM was continuously over your account DPM limit (the current timeslice and each of the eight preceding ones, via `compare with timeshift 15m 8 min`).

_index=sumologic_volume _sourceCategory=sourcecategory_metrics_volume
| parse regex "\"(?<sourcecategory>(?:[^\"]+)|(?:\"\"))\"\:\{\"dataPoints\"\:(?<dp>\d+)\}" multi
| timeslice 15m
| sum(dp) as dp by _timeslice
| compare with timeshift 15m 8 min
//dp_limit = DPM limit * 15 minutes (size of timeslice bucket); replace 300000 below with your account's DPM limit
| 300000 * 15 as dp_limit
| where (dp > dp_limit and dp_120m_min > dp_limit)

Suggested search timeframe: Last 15 minutes (-15m)

Suggested frequency for scheduling: Every 15 minutes

Predict DPM exceeding account limit

This query runs against the metrics volume index and uses the predict operator to predict when in the future your metric ingestion in DPM is likely to exceed the current DPM limit for your account.   

_index=sumologic_volume _sourceCategory=sourcecategory_metrics_volume
| parse regex "\"(?<sourcecategory>(?:[^\"]+)|(?:\"\"))\"\:\{\"dataPoints\"\:(?<dp>\d+)\}" multi
| timeslice 15m
| sum(dp) as dp by _timeslice
| predict dp by 15m model=ar, ar.window=1
//dp_limit = DPM limit * 15 minutes (size of timeslice bucket); replace 300000 below with your account's DPM limit
| 300000 * 15 as dp_limit
| where dp_predicted > dp_limit

Suggested search time range: Last 24 hours (-24h)

Suggested frequency for scheduling: Every one hour

Source categories not collecting metrics

This query returns a list of metric source categories for which no metrics were ingested in the last 60 minutes.

_index=sumologic_volume _sourceCategory=sourcecategory_metrics_volume
| parse regex "\"(?<sourcecategory>(?:[^\"]+)|(?:\"\"))\"\:\{\"dataPoints\"\:(?<dp>\d+)\}" multi
| first(_messagetime) as MostRecent, sum(dp) as TotalDataPoints by sourcecategory
| formatDate(fromMillis(MostRecent),"yyyy/MM/dd HH:mm:ss") as MostRecentTime 
| toMillis(now()) as currentTime
| formatDate(fromMillis(currentTime),"yyyy/MM/dd HH:mm:ss") as SearchTime
| (currentTime-MostRecent) / 1000 / 60 as mins_since_last_datapoint
| where mins_since_last_datapoint >= 60
| fields -mostrecent, currenttime 
| format ("%s Has not collected data in the past 60 minutes", sourcecategory) as message

For example: (screenshot of the query results, no-dpmpng.png, not reproduced here)

Suggested search time range: Last one hour (-1h) (/ Last 24 hours?)

Suggested frequency for scheduling: Every one hour
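As an added example, not part of the Sumo Logic page: a Python reproduction of the page's parse regex, the `timeslice 15m` / `sum(dp)` aggregation, the sustained-over-limit check from the "Sustained DPM above plan limit" query (treating `compare with timeshift 15m 8 min` as the minimum over the eight preceding slices) and the "Source categories not collecting metrics" check, run over constructed volume-index messages so the logic can be tested offline. The 300000 DPM figure comes from the page's queries; the sample data, times and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The page's parse regex, in Python named-group syntax: "<sourcecategory>":{"dataPoints":<n>}
VOLUME_RE = re.compile(r'"(?P<sourcecategory>(?:[^"]+)|(?:""))":\{"dataPoints":(?P<dp>\d+)\}')
DPM_LIMIT = 300000             # DPM figure used by the page's queries; assumed, not a real account limit
DP_LIMIT = DPM_LIMIT * 15      # dp_limit per 15-minute timeslice bucket
STEP = timedelta(minutes=15)   # timeslice width

def parse_volume_message(body):
    """Return {sourcecategory: dataPoints} for one metrics-volume index message."""
    return {m["sourcecategory"]: int(m["dp"]) for m in VOLUME_RE.finditer(body)}

def timeslice(ts):
    """Floor a timestamp to its 15-minute bucket, like `timeslice 15m`."""
    return ts - timedelta(minutes=ts.minute % 15, seconds=ts.second, microseconds=ts.microsecond)

def sum_by_timeslice(records):
    """records: iterable of (message_time, body); mirrors `sum(dp) as dp by _timeslice`."""
    totals = defaultdict(int)
    for ts, body in records:
        totals[timeslice(ts)] += sum(parse_volume_message(body).values())
    return dict(sorted(totals.items()))

def sustained_over_limit(totals, dp_limit=DP_LIMIT, shifts=8):
    """Slices where dp > dp_limit and the min of the 8 preceding slices (dp_120m_min) > dp_limit."""
    hits = []
    for t, dp in totals.items():
        prev = [totals.get(t - k * STEP) for k in range(1, shifts + 1)]
        if dp > dp_limit and None not in prev and min(prev) > dp_limit:
            hits.append(t)
    return hits

def stale_source_categories(records, now, threshold_min=60):
    """Source categories whose newest data point is at least threshold_min minutes old."""
    latest = {}
    for ts, body in records:
        for sc in parse_volume_message(body):
            latest[sc] = max(latest.get(sc, ts), ts)
    return sorted(f"{sc} Has not collected data in the past {threshold_min} minutes"
                  for sc, ts in latest.items() if (now - ts) / timedelta(minutes=1) >= threshold_min)

# Constructed sample (not real Sumo Logic output): one message per slice, 08:00-10:30 UTC;
# "prod/app" is always above the limit, "prod/db" goes silent after 09:00.
SLICES = [datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc) + i * STEP for i in range(11)]
SAMPLE = [(t, '{"prod/app":{"dataPoints":4600000}'
              + (',"prod/db":{"dataPoints":1000}' if t <= SLICES[4] else '') + '}') for t in SLICES]
if __name__ == "__main__":
    totals = sum_by_timeslice(SAMPLE)
    print("sustained over limit:", [t.strftime("%H:%M") for t in sustained_over_limit(totals)])
    print(stale_source_categories(SAMPLE, now=SLICES[-1]))
```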