
Search Syntax Overview

The Sumo Logic Search Language operates on your entire log repository, no matter how many different log sources you have—in real time. The search query language is intuitive and efficient, allowing you to search terabytes of data and see results in seconds.

Query Syntax

The basis of Sumo Logic Search is a funnel or "pipeline" concept: beginning from all of your current Sumo Logic data, you enter keywords and operators separated by pipes ("|"). Each operator acts on the results from the previous operator to further process your results. Results are returned incrementally with the most recent messages displaying first. Additional messages are added progressively to the Messages tab as the search walks backward in time through all of your log data.

The syntax for a typical search query looks something like this:

keyword expression | operator 1 | operator 2 | operator 3

Keyword Expression: For simplicity, we refer to the first term in a search query as a "keyword" expression. In fact, this portion of the query is a very powerful full-text, Boolean search expression. The keyword expression also encompasses metadata searches for fields such as _sourceCategory and _sourceHost. For more on full-text search in queries, see Keyword Search Expressions.

Operators: After filtering with an initial full-text search, the operators that follow can extract strings, parse known message components into fields, refine results using conditional expressions, and then group, count, or sort results. In addition, the summarize operator can be used to reveal patterns in a set of logs by automatically grouping messages with similar structures and common repeated text strings into clusters.

Pipe "|" Delimiter

The pipe delimiter is used to separate the keyword expression and each subsequent operator. Each pipe-delimited operator further processes search results from the preceding operator. You can string some operators in a series within a single pipe (like parse and where), but if you are not sure of the syntax, always add the pipe.

Syntax:

  • Follow keyword search expression with a pipe "|"
  • Precede each operator with a pipe "|"

Example:

User-Created Fields

You can parse or extract values and assign a user-created (aliased) field name to the result. The field is valid only for the current search, and does not carry over to new searches. When creating aliased fields, there are a few rules that apply:

  • Field names can contain alphanumeric characters, hyphens, and underscores, but should always start and end with an alphanumeric character. Sumo Logic fields always begin with an underscore, such as _sourceCategory, _sourceHost, or _count_distinct. Here are two examples of queries that generate a user-created field called src_IP:
    • * | parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    • _sourceCategory=apache | parse "* " as src_IP
  • Multiple fields can be extracted and named within a single query. For example, the query below creates fields "type" and "user":
    • _sourcehost=vpn3000 | parse "Group  [*] User [*]" as (type, user) | count type | sort by _count
  • Aggregating functions also automatically generate a field. Using the count operator creates a field called _count. The sum operator creates a field called _sum. The max operator creates a field called _max, and so forth.
  • User-created fields should not be named with reserved words such as the names of Sumo Logic operators like group or sum.
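
To make the funnel concrete, here is an added example (not code from the original page or from Sumo Logic) that emulates in Python a query combining the pipe-delimited stages described above with the user-created fields just listed. The sample log lines are constructed, and the stage functions are a simplified approximation of what the keyword expression, parse, parse regex, count and sort by do to results; the Sumo Logic engine itself is not implemented this way.

```python
import re
from collections import Counter
LOGS = [  # constructed sample messages, not from the original page; newest first
    "Group [admins] User [carol] from 10.0.0.5 login ok",
    "Group [staff] User [bob] from 10.0.0.7 login ok",
    "Group [admins] User [alice] from 10.0.0.5 login ok",
    "Group [admins] User [dave] from 192.168.1.9 login failed",
    "health check ping from 10.0.0.1",
]

def keyword(rows, term):
    """Keyword expression stage: keep messages containing the term (simplified full-text match)."""
    return [r for r in rows if term.lower() in r["_raw"].lower()]

def _parse(rows, rx, extract):
    """Shared parse stage: match each message, attach the extracted fields, drop non-matches."""
    out = []
    for r in rows:
        m = rx.search(r["_raw"])
        if m:
            out.append({**r, **extract(m)})
    return out

def parse_anchor(rows, pattern, names):
    """parse "Group [*] User [*]" as (type, user): each * becomes a non-greedy capture, first match wins."""
    rx = re.compile("(.*?)".join(re.escape(p) for p in pattern.split("*")))
    return _parse(rows, rx, lambda m: dict(zip(names, m.groups())))

def parse_regex(rows, pattern):
    """parse regex "(?<name>...)": Sumo Logic uses Java-style (?<name>) groups; Python's re needs (?P<name>)."""
    rx = re.compile(re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern))
    return _parse(rows, rx, lambda m: m.groupdict())

def count_by(rows, field):
    """count <field>: an aggregate that emits one row per value plus the generated _count field."""
    return [{field: k, "_count": v} for k, v in Counter(r[field] for r in rows).items()]

def sort_by(rows, field):
    """sort by <field>: descending order, the default in Sumo Logic."""
    return sorted(rows, key=lambda r: r[field], reverse=True)

def run_query():
    r"""login | parse "Group [*] User [*]" as (type, user)
    | parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | count type | sort by _count"""
    rows = [{"_raw": line} for line in LOGS]
    rows = keyword(rows, "login")
    rows = parse_anchor(rows, "Group [*] User [*]", ["type", "user"])
    rows = parse_regex(rows, r"(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
    return sort_by(count_by(rows, "type"), "_count")
```

The keyword stage drops the health-check line, each parse stage drops messages it cannot match, and the count stage replaces per-message rows with one row per group value carrying the generated _count field.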

For information on parsing fields, see Parse field.