Skip to main content
Sumo Logic

Run LogCompare

You can run a LogCompare operation using a timeshift that is preconfigured, or create a custom timeshift for your search. When you click the LogCompare button, the default is a 24 hour timeshift.

Run a Preconfigured LogCompare

  1. Enter a keyword to search for and press enter or select Start. For example: 
    error
  2. Select a time range for your search. For this example, we’ve used Last Minute.
  3. When the Messages tab displays with the initial results, click LogCompare to run the query immediately, or use the menu to select a different time shift.
  4. The logcompare operator and timeshift -24h are added to your query, for example: 

    error | logcompare timeshift -24h
     
  5. Results appear in the Signatures tab.

Run a Custom LogCompare

  1. Enter a keyword to search for and press enter or select Start. For example: 

    _sourceCategory=stream
     
  2. Select a time range. For this example, we’ve used Last Minute.
  3. When the Messages tab displays with the initial results, click the arrow next to the LogCompare button, and from the menu select Custom.
    logcompare_custom.png
  4. In the Custom LogCompare dialog, you can edit:
  • Baseline Query. The original query.
  • Time Shift. This is the Time Shift of the Baseline Query, and it controls when the Baseline Query runs. If the Time Shift is -2d, that means that it will run for the exact Time Range duration (1 minute, in this query), but two days in the past.

 

  • Target Query. Originally, the Target Query is the same as the Baseline Query. But you can edit it to compare against a new target. Here we’ve added 
    _sourceCategory=analysis to compare it to_sourceCategory=stream.
  • Time Range. The Time Range pertains to both the Target Query and the Baseline Query. You can enter a preconfigured, relative, or absolute time range, similar to the time range on the Search page. The Time Range can be specified by timeshift (start_time = now - timeshift) or (start_time + end_time).
    • For the target, if the end_time is not specified, it is implicitly set to now if not specified.
    • For the baseline, if the end_time is not specified, it is implicitly set as: (end_time = start_time + range_length.) The (range_length = end_time - start_time) using the target times.
  1. Click Run.
  2. The logcompare operator, timeshift, and baseline are added to your query, for example: 

    _sourceCategory=analysis | logcompare timeshift -2d baseline (_sourceCategory=stream)
     
  3. Results appear in the Signatures tab.