Add a new AWS Service to the AWS Observability Explore Hierarchy

Learn how to add a new dashboard to the Hierarchy.

Background

The AWS Observability view in Explore provides a unified view of your AWS Services within Sumo Logic from multiple AWS accounts.

The AWS Observability view shows a hierarchy across AWS accounts, regions, namespaces, and entities to present an intuitive navigation flow.

By default, the AWS Observability view supports the following services: AWS EC2, AWS API Gateway, AWS Lambda, AWS RDS, AWS DynamoDB, and AWS Application ELB. The purpose of this document is to guide you towards adding any dashboards you may have built for additional services to the AWS Observability hierarchy.

Prerequisites

Before you can add dashboards for a new service to the AWS Observability hierarchy: 

  1. The AWS Observability solution must have already been installed for at least one supported service.
  2. You need to collect metrics for your service via a Sumo Logic AWS CloudWatch metrics source for an AWS account that is already being monitored by the AWS Observability solution. For performance reasons, we recommend creating a new AWS CloudWatch metrics source for the service you want to monitor rather than using an existing source.
  3. You need to create at least one Sumo Logic dashboard based on CloudWatch metrics and log data to monitor the operations of the AWS Service in question.

Add a new service to the AWS Observability View

As dashboards can be created based on both logs and metrics data, in this section, we identify how to add dashboards based on both data types to the AWS Observability Explore views.

1. Enrich Metrics Data

The following is a list of steps for adding metrics-based dashboards to the hierarchy:

  1. Add the account field as a metadata tag to the AWS CloudWatch metrics source.
  2. Validate the namespace and region metadata tags.
  3. Add the entity field as a metadata tag.
  4. Validate the hierarchy.

2. Enrich Log Data

The following is a list of required steps for ensuring log data appears as expected in the hierarchy:

  1. Add the account field as a metadata tag.
  2. Add namespace and region as metadata tags.
  3. Validate that the entity field is part of the log data.
  4. Improve the log queries to include variables.

3. Modify dashboards 

The following is a list of required steps to modify the dashboards:

  1. Apply Stack Linking.
  2. Add variables to the dashboards and improve queries to include variables.
  3. Add template variables.

Step 1. Enrich Metrics Data

Add the account field as a metadata tag to the AWS CloudWatch metrics source

The account field is already part of the CloudWatch metrics sources that were configured through the AWS Observability Solution’s CloudFormation template. For the service you are adding, the account metadata field needs to be added to the CloudWatch metrics source using Fields configuration.

This can be done by following the steps below:

  1. Log in to your Sumo Logic account.
  2. In the AWS Observability solution, identify the account alias for the AWS account you have configured that is running the service you want to monitor.
  3. Edit the CloudWatch metrics source for the AWS service you wish to add to the AWS Observability solution.
  4. Add the account field by adding a field, as shown in the screenshot below:
    Step1.png
  5. To confirm that the account tag has been added as metadata, go to your Sumo Logic AWS CloudWatch metrics source and check the metrics data.
    Step1.1.png

Validate the namespace and region metadata tags 

The namespace and region tags are generally present in AWS CloudWatch metrics when collecting metrics using the Sumo Logic AWS CloudWatch metrics source. 

For the desired AWS service, go to your Sumo Logic AWS CloudWatch metrics source and check the metric data.

  1. Go to your Sumo Logic account.
  2. Open a metrics tab and run a query to get metrics data for the AWS service you wish to add to AWS Observability.
  3. Check the data in the Legend tab and ensure the namespace and region metadata tags are present. If these are not present, you will not be able to add this service to the AWS Observability solution.
    Step2.png

Add the entity field as a metadata tag

An entity metadata field represents an instance of the AWS service, such as a table name, load balancer name, database instanceId, database clusterId, API name, or function name. To add an entity, create a metric rule that creates an entity tag for each metric of the new AWS service you want to add to the AWS Observability solution.
To do so:

  1. Log in to your Sumo Logic account.
  2. Go to Manage Data > settings.
  3. Select the Metric Rules tab.
  4. Add a new Metric Rule with the following values:
       Metric match expression: Namespace=<Namespace of the AWS service> <Resource Key Name>=*
       Variable Name: entity
       Tag Sequence: $<Resource Key Name>._1
  5. For example, if you want to add SQS, enter the following details:
       Metric match expression: Namespace=AWS/SQS QueueName=*
       Variable Name: entity
       Tag Sequence: $QueueName._1
  6. Once you enter the above details, you can see the entity metadata tag in the preview result as shown below:
    Step3.png

Once you are done with the above steps, the AWS service will be added to the AWS Observability view hierarchy. To validate this:

  1. Go to Explore in your Sumo Logic account.
  2. Select AWS Observability from the drop-down.
  3. You should be able to see the new service in the hierarchy represented by namespace/entity.
    Step4.png

Step 2. Enrich Log Data

Add account field to log data

Logs from AWS services are collected into Sumo Logic via Amazon S3, AWS Elastic Load Balancing, Amazon CloudFront, AWS CloudTrail, Amazon S3 Audit, or HTTP Log source (CloudWatch logs). You can add metadata fields to sources using Fields configuration.

Add the account field by adding fields to your log source as shown below:

Step8.png

Add the namespace and region metadata tags to log data

There are two ways in which namespace and region can be added to log metadata.

  1. If a source is collecting logs for a specific AWS service, as in the case of ALB, VPC, or S3 Audit, you can add namespace and region directly to the source fields as shown below:
    Step9.png

  2. If a source is collecting logs for multiple AWS services, as in the case of CloudTrail, a Field Extraction Rule should be created to add the metadata. The example below shows how you would create a Field Extraction Rule for SQS:

Scope:
(_sourceCategory=aws/observability/cloudtrail/logs "eventSource":"sqs.amazonaws.com") or (_sourceCategory=aws/observability/cloudtrail/logs "eventSource":"apigateway.amazonaws.com")

Parse Expression:
| json "eventSource", "awsRegion" as eventSource, region
| where eventSource in ("sqs.amazonaws.com", "apigateway.amazonaws.com")
| if (eventSource matches "sqs.amazonaws.com", "aws/sqs", if (eventSource matches "apigateway.amazonaws.com", "aws/apigateway", "")) as Namespace

Validate the entity field is part of log data

The entity is the AWS service key that was provided in the Metric Rule created in Step 1. Check that your logs contain that key.

For example, in the case of SQS, CloudTrail logs contain queuename. That can be used as the entity in the queries.

Step10.png
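The Field Extraction Rule and the entity check above can be dry-run offline before the rule is created. The following Python sketch is an added example, not Sumo Logic code: it mirrors the rule's eventSource-to-namespace mapping over constructed CloudTrail records and reports which of the four hierarchy keys each in-scope record would lack. The requestParameters key names in ENTITY_KEYS, the account value, and the sample records are assumptions.

```python
import json

# Same eventSource -> namespace mapping as the Field Extraction Rule above.
NAMESPACES = {"sqs.amazonaws.com": "aws/sqs",
              "apigateway.amazonaws.com": "aws/apigateway"}
# Assumption: requestParameters key that carries the entity for each namespace.
ENTITY_KEYS = {"aws/sqs": "queueName", "aws/apigateway": "restApiId"}
HIERARCHY_KEYS = ("account", "region", "namespace", "entity")

# Constructed CloudTrail records (one JSON document per line, trimmed).
SAMPLE = [
    '{"eventSource":"sqs.amazonaws.com","awsRegion":"us-east-1",'
    '"eventName":"CreateQueue","requestParameters":{"queueName":"Orders-Queue"}}',
    '{"eventSource":"apigateway.amazonaws.com","awsRegion":"us-west-2",'
    '"eventName":"GetRestApis","requestParameters":null}',
    '{"eventSource":"s3.amazonaws.com","awsRegion":"us-east-1",'
    '"eventName":"ListBuckets","requestParameters":null}',
]


def enrich(raw_line, source_fields):
    """Hierarchy fields for one record, or None if the rule would skip it."""
    event = json.loads(raw_line)
    namespace = NAMESPACES.get(event.get("eventSource"))
    if namespace is None:  # outside the rule's scope / where clause
        return None
    params = event.get("requestParameters") or {}
    entity = params.get(ENTITY_KEYS[namespace])
    fields = dict(source_fields)  # fields set on the source, e.g. account
    fields["region"] = event.get("awsRegion")
    fields["namespace"] = namespace
    # Lower-cased because the page's log query compares tolowercase(entity).
    fields["entity"] = entity.lower() if entity else None
    return fields


def audit(lines, source_fields):
    """Return (fields, missing hierarchy keys) for every in-scope record."""
    report = []
    for line in lines:
        fields = enrich(line, source_fields)
        if fields is not None:
            missing = [k for k in HIERARCHY_KEYS if not fields.get(k)]
            report.append((fields, missing))
    return report
```

Calling audit(SAMPLE, {"account": "prod"}) flags the API Gateway record as missing its entity; passing an empty dict shows what happens when the account field was never added to the source.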

Step 3. Modify Dashboards

Add Stack Linking to Dashboards

To add any dashboard to the hierarchy, perform the below steps:

  1. Go to your dashboard in the Sumo Logic account. 
  2. Select Create Stack Linking as per the below screenshot.
    Step5.png
  3. In the pop-up, add the fields shown below to make the dashboard part of AWS Observability in the hierarchy.
    Key        Value
    account    *
    region     *
    namespace  <namespace of aws service> (for example, for the SQS service, provide the value aws/sqs)
    entity     *

Consider the example of an SQS dashboard:  

  1. Add dashboard at the namespace level.

    • Add account, region, namespace in stack linking.
      Step5.1.png

    • Go to AWS Observability view to look at the dashboard on namespace level.
      Step5.2.png
  2. Add dashboard at the entity level.
    • Add account, region, namespace, and entity in stack linking.
      Step5.3.png
    • Go to AWS Observability view to look at the dashboard on the entity level.
      Step5.4.png

Add Template Variables (Optional)

You can add template variables to dashboards to better filter your data in the AWS Observability view.

Follow these steps to add variables to the dashboards:

  1. Go to the dashboard.
  2. Click the + button near the "Create a template variable" text.
    Step6.png
  3. Add a template variable as shown below:
    Step6.1.png

Improve Queries to include variables in log queries

Write log queries to include variables so data can be filtered in the Explore view. See the Sumo Logic help doc for details on how to use template variables in log queries.

For example:

_sourceCategory=Labs/AWS/DynamoDB account={{account}} namespace={{namespace}} "\"eventSource\":\"sqs.amazonaws.com\""
| json "eventName", "awsRegion", "requestParameters.tableName", "sourceIPAddress", "userIdentity.userName" as event_name, Region, entity, src_ip, user
| where Region matches "{{region}}" and tolowercase(entity) matches "{{entity}}"
| count by event_name

Add_temaplate.png

Refer to this document for further details on how to use filters with template variables.

Improve queries to include variables (Optional)

You can add the created template variable to queries to better filter the data. Please see the help doc for details.

You can add a variable to your queries by using

<key name> = {{variable name}}

For example:

namespace=aws/sqs metric=NumberOfMessagesSent account={{account}} | avg by QueueName

We recommend you aggregate the data on the entity key rather than the AWS service key name. In the example below for SQS, we replace QueueName with entity.

For example:

namespace=aws/sqs metric=NumberOfMessagesSent account={{account}} | avg by entity