The LogReduce operator can act as an aggregate operator, supporting grouping by _timeslice as well as by other dimensions, such as
For example, by including timeslice, you can determine how signature counts change over a period of time.

Examples:

... | timeslice 1m | logreduce by _timeslice
... | logreduce by _sourcehost
Parameters:

limit: Limits the number of signatures returned. The total number of signatures involved in a search query can be overwhelming, making final results hard to digest and comprehend. Use this parameter to limit the number of returned signatures.

criteria: By default, Sumo tries to find the most anomalous signatures. Use this parameter to override the default criteria. Valid values:
  mostcommon: Signatures that appear most frequently, having the highest counts.
  leastcommon: Signatures that appear least frequently, having the lowest counts.

Examples:
_sourceCategory=MyApp | timeslice 1m | logreduce by _timeslice limit=5,criteria=mostcommon | transpose row _timeslice column signature
_sourceCategory=MyApp | logreduce by _sourceHost limit=5,criteria=mostcommon | transpose row _sourcehost column signature
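To make the shape of these two queries concrete, the following added example (not Sumo Logic's code, and not the real LogReduce algorithm) models `logreduce by _timeslice` / `by _sourcehost` with `limit` and `criteria`, followed by `transpose`, over a handful of constructed log lines. Signature extraction is a simplified stand-in that masks digit runs, and the assumption that `limit` applies within each group is the author's, not the page's.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines: (timestamp, _sourcehost, message). Not from the page.
SAMPLE_LOGS = [
    ("2024-01-01T10:00:05", "web1", "GET /api/users/17 200 12ms"),
    ("2024-01-01T10:00:20", "web1", "GET /api/users/42 200 9ms"),
    ("2024-01-01T10:00:41", "web2", "Connection refused to db-3 after 5000ms"),
    ("2024-01-01T10:01:02", "web2", "GET /api/users/8 200 15ms"),
    ("2024-01-01T10:01:30", "web2", "Connection refused to db-1 after 5000ms"),
    ("2024-01-01T10:01:55", "web1", "Connection refused to db-2 after 5000ms"),
    ("2024-01-01T10:01:58", "web2", "Login failed for user 7 from 10.0.0.9"),
]

def signature(message):
    """Simplified stand-in for LogReduce signature extraction: mask every digit run."""
    return re.sub(r"\d+", "*", message)

def timeslice(ts, minutes=1):
    """Truncate an ISO timestamp to the start of its bucket, like `timeslice Nm`."""
    dt = datetime.fromisoformat(ts)
    return dt.replace(minute=dt.minute - dt.minute % minutes, second=0).isoformat()

def logreduce_by(logs, key, limit=None, criteria="mostcommon", minutes=1):
    """Model of `logreduce by <key> limit=N, criteria=<c>`.
    Returns {group: [(signature, count), ...]} ordered per criteria.
    Assumption (ours): limit is applied within each group."""
    groups = defaultdict(Counter)
    for ts, host, msg in logs:
        group = timeslice(ts, minutes) if key == "_timeslice" else host
        groups[group][signature(msg)] += 1
    result = {}
    for group, counts in groups.items():
        if criteria == "mostcommon":
            ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
        else:  # leastcommon: lowest counts first, ties broken by signature text
            ordered = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
        result[group] = ordered[:limit] if limit else ordered
    return result

def transpose(reduced):
    """Model of `transpose row <group> column signature`: one row per group,
    one column per signature, 0 where a signature is absent from that group."""
    columns = sorted({sig for rows in reduced.values() for sig, _ in rows})
    return [{"row": g, **{c: dict(rows).get(c, 0) for c in columns}}
            for g, rows in sorted(reduced.items())]
```

Running `transpose(logreduce_by(SAMPLE_LOGS, "_timeslice", limit=2))` yields one row per minute with the connection-refused signature climbing from 1 to 2 between the two timeslices, which is the kind of shift the `by _timeslice` form is meant to expose.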