Skip to main content
Sumo Logic

About Events and Incidents

The colored blocks in a report are referred to as Events. An Event is associated with the query saved as an Anomaly Report. When an anomaly is detected it's saved as an Incident. Think of an Incident as an individual occurrence of an Event.

Sumo Logic captures Incident data, allowing you to easily drill down to a very granular level, giving you the exact time frame of an Incident, so your team can immediately react to any situation.

After an Event has been added to an Anomaly Report, you can drill down into each Incident to understand what triggered it, then tag the severity of the Incident or Event to help Anomaly Detection learn which behaviors are expected, which behaviors are unimportant, and behaviors that mean trouble.

anomaly_detection_event_incident_new.png

  1. Event.
  2. Incident. Each Incident is one occurrence of the Event associated with the Anomaly Report.

Why are Events shown in different colors?

Anomaly Detection uses four different colors so you can tell each Event type apart. You can see the number of each event type in the Summary Report:

anomaly_color_scheme_new.png

 

Color Description
Blue Unknown/unranked Event. The first time Anomaly Detection encounters an Event, it’s tagged with blue. Seeing a blue Event is a signal that the Event needs to be investigated, named, and ranked.
Red High severity.
Yellow Medium severity.
Green Low severity.

Events that you've tagged as Unimportant are displayed as gray.