The algorithm used for the logreduce operator uses fuzzy logic and soft matching to group messages with similar structures and common repeated text strings into signatures, providing a quick investigative view, or snapshot, for the keywords or time range provided. LogReduce data is based on the data available to the algorithm during the time range of your search.
In some cases, this data sampling produces results that don't meet the needs of your organization. You can influence the algorithm by editing a signature to make the results more general, or see more granular results by splitting a signature. In addition you can promote or demote a signature to help Sumo Logic understand what data is the most relevant to you.
The following icons allow you to change the results of a LogReduce report:
|Promote a signature to the top position of the Signatures tab.|
|Demote a signature to move it to the bottom of the last page of the Signatures tab.|
|Split a signature into multiple signature.|
|Edit a signature.|
|Undo the last action or step back through the history of changes.|
|Redo the last action. Repeat to redo the history of undos.|
Promoting or Demoting a LogReduce Signature
Relevance is one factor in LogReduce, but it is a global factor. Members of your org can promote and demote signatures related to your Search.
To influence the relevance of signatures, select the Signatures tab and:
- Promote a signature by clicking the Thumbs-Up icon for a signature to indicate to Sumo Logic that the data included in the signature is relevant to you. This feedback is taken into consideration when you run LogReduce the next time.
- Demote a signature by clicking the Thumbs-Down icon for a signature to indicate that this signature is not relevant to you.
If you have never promoted or demoted a signature, you will see the global setting for this signature. Once you vote, you will see your promotion or demotion.
Splitting a signature
If you'd like to see more granular results, you can split a signature. When you split a signature, you'll notice that fewer wildcard asterisks will appear; instead specific values are included in the signatures. Even though the data is more specific, the results after splitting a signature will still be fuzzy because the LogReduce algorithm bases results only on the window of time you've run the search against.
After you split a signature, the position of the signatures may move (one may even move to another page of results). Each line is still highlighted in yellow so you can easily identify them.
For example, you've selected a signature to split. The hostId shouldn't be generic; by splitting the signature you should get more specific results.
After splitting, you'll see that each signature has specific data:
Split a signature
Click the Split icon next to the signature you'd like to split.