Sumo Logic

save

The Save operator writes the results of a query to the Sumo Logic file system so that later searches can read them back with the lookup operator. The results are stored in a simple tabular format at a path you choose.

Syntax:

  • ...| save myFolder/mySubFolder/newDailyUsers

Rules:

  • The file size limit for saved data is 500MB.
  • Queries that use the Save operator cannot be pinned.

Example

Suppose you want to keep a record of the new user accounts created each day. The query could look like this:

| parse "name=*," as name
| parse "action=*," as action
| parse "date=*," as date
| where action="sign-up"
| first(date) as date, first(action) as action by name
| save myFolder/mySubFolder/newDailyUsers

The above search creates a file whose columns are the fields produced by the aggregation (name, action, date):

name   action   date
John   sign-up  2012-08-20
Bill   sign-up  2012-08-21
Bob    sign-up  2012-08-21

You can read the saved table back with the lookup operator.

The results of aggregate queries, as in the example above, can be saved in the same way as raw results.

Use the Fields operator to remove unnecessary fields

Keep a saved file as small as possible; smaller files are faster both to write and to look up. Drop fields you don't need with the Fields operator, or aggregate the results so that only the computed fields remain.

Saving files to a shared location

A file produced by the save operator can be written to an org-level shared folder, so that other users in your organization can reference your results in their own lookup queries.

Only the user who originally saved a file to the shared location can modify it; other users in the org can only read it.

To save a file to a shared location:

  • Include the following at the end of your query:

...save /shared/myFolder/mySubFolder/fileName

The "shared" segment of the path is case-insensitive: /shared/, /Shared/ and /SHARED/ all name the same folder.

For more information, see the section Using Lookup to Access Saved Data in Lookup operator.

Appending to saved files

Once a file has been created with the save operator, you can append to it at any time. For example, a scheduled daily search that computes values for the current day can append them to the file that already holds the previous days' results. The appended results must have exactly the same fields as the existing file; if they differ, including when the new results carry additional fields, the save fails with an error message instead of changing the file.

Without the append keyword, save overwrites the previously saved data.

Let's say that you'd like to append your newDailyUsers file each day by scheduling this search to run every 24 hours:

| parse "name=*," as name 
| parse "action=*," as action 
| parse "date=*," as date 
| where action="sign-up" 
| first(date) as date, first(action) as action by name 
| save append myFolder/mySubFolder/newDailyUsers

Each time the scheduled search runs, that day's results are appended to the newDailyUsers file.

You can also append data to a saved file from different queries. For example, suppose you have two sources: "bill", which contains billing information, and "config", which contains account information, and you want to search values from both. The two searches below build a single table from both sources. Note that both queries produce the same two fields, name and email; that is what allows the second query to append to the file created by the first:

_source=bill | parse "user_id=*," as name
| parse "user_email=*," as email
| save myFolder/mySubFolder/NameEmailMapping

_source=config | parse "_user=[*]" as name
| parse "contact_info=[*]" as email
| save append myFolder/mySubFolder/NameEmailMapping
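Putting the pieces together (trimming fields before saving, a shared path, a schema-stable daily append, and reading the file back with lookup), the three searches below are an added example and are not from the Sumo Logic documentation. The source categories, the log formats they parse, the file path and the security use case (flagging logins by accounts that have no recorded sign-up) are constructed for illustration. The `lookup <field> from <path> on <field>=<field>` form and the assumption that an unmatched lookup leaves the field empty are taken from the lookup operator page referenced above, not from this page, and should be checked there.

```sumo
// Added example, not from the Sumo Logic docs. Source categories, log
// formats, the file path and the lookup syntax are assumptions; adapt them
// to your own logs. Each numbered section is a separate search.

// 1. One-time build of the baseline from the identity provider's
//    provisioning log. `fields` keeps only the two columns worth storing,
//    so the file stays small. The /shared/ path makes the file readable by
//    the whole org while only this search's owner can change it.
_sourceCategory=prod/idp
| parse "user=*," as name
| parse "created=*," as first_seen
| fields name, first_seen
| save /shared/security/baselines/knownAccounts

// 2. Scheduled every 24 hours: adds the accounts that signed up today.
//    The aggregation yields exactly the columns name and first_seen,
//    matching the file's schema, so `save append` succeeds. Emitting an
//    extra column here (for example keeping `action` in the output) would
//    make the append fail with an error rather than silently widening
//    the file.
_sourceCategory=prod/auth
| parse "name=*," as name
| parse "action=*," as action
| parse "date=*," as date
| where action="sign-up"
| first(date) as first_seen by name
| save append /shared/security/baselines/knownAccounts

// 3. Consumer: logins by accounts with no sign-up record, i.e. accounts
//    that appeared outside the normal provisioning path. Assumes lookup
//    leaves first_seen empty when no row in the file matches.
_sourceCategory=prod/auth
| parse "name=*," as name
| parse "action=*," as action
| where action="login"
| lookup first_seen from /shared/security/baselines/knownAccounts on name=name
| where isNull(first_seen) or isEmpty(first_seen)
| count by name
```

Run search 1 once, schedule search 2 daily, and use search 3 as the detection query or as the basis for a scheduled alert. Because only the owner of the saved file can append to it, schedule search 2 from that same user account; a run from another user will be able to read the file but not extend it.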