Sumo Logic

LogReduce with Group-By

The LogReduce operator can also act as an aggregate operator, grouping its signatures by _timeslice or by another field such as _sourcehost.

For example, grouping by _timeslice shows how the count of each signature changes over time, which is how you spot a message shape that suddenly appears or spikes.

Syntax 

…. | timeslice 1m | logreduce by _timeslice

…. | logreduce by _sourcehost

Optional Parameters

  • limit  Limits the number of signatures returned. The total number of signatures produced by a search can be overwhelming and make the results hard to digest; use this parameter to return only the signatures that rank highest under the chosen criteria.
  • criteria  By default, LogReduce returns the most anomalous signatures. Use this parameter to override that default.
    • mostcommon  Signatures that appear most frequently (highest counts).
    • leastcommon  Signatures that appear least frequently (lowest counts).

Example queries

_sourceCategory=MyApp | timeslice 1m | logreduce by _timeslice limit=5,criteria=mostcommon | transpose row _timeslice column signature

_sourceCategory=MyApp | logreduce by _sourcehost limit=5,criteria=mostcommon | transpose row _sourcehost column signature
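The following queries are an added example, not taken from the Sumo Logic documentation, showing the criteria=leastcommon setting that the parameter list describes but the examples above do not exercise. They assume a source category named prod/auth and a host named web-03; both are placeholder values, and everything else is the operator syntax shown above.

```sumo
// Added example (not from the Sumo Logic docs); prod/auth and web-03 are placeholders.
// Step 1: per host, surface the five rarest message shapes. A host whose rare
// signatures differ from its peers (an unfamiliar error, an unexpected command)
// stands out as a row in the transposed table.
_sourceCategory=prod/auth
| logreduce by _sourcehost limit=5,criteria=leastcommon
| transpose row _sourcehost column signature

// Step 2: for the host singled out in step 1, slice the same data into 5-minute
// buckets to see when each rare signature first appeared and whether it recurs.
_sourceCategory=prod/auth AND _sourcehost=web-03
| timeslice 5m
| logreduce by _timeslice limit=5,criteria=leastcommon
| transpose row _timeslice column signature
```

Read the transposed output as one row per _sourcehost (or per _timeslice) and one column per signature, with the signature's count in each cell; an empty cell means that signature did not occur for that host or time bucket. Run the two queries separately, since each search executes one pipeline.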