
Part 2: Search for Log Data

Learn how to use the Search page to search for, parse, and aggregate log data, and save the results.

Search for Log Data

In Part 1 of the tutorial you learned how to view data that’s been shared by someone in your organization or already included in a Sumo Logic app. In this part, we’ll show you how to use the Search page to search for, parse, and aggregate log data, and save the results.

Create a query

From Part 1 of the tutorial you know that you have access to Apache Access data. Let’s search for log messages within that source category that include the keyword GET.

  1. If the Search page isn’t already open, open a new tab from the top tab bar and select Log Search.
  2. In the query area, enter:

    _sourceCategory=Labs/Apache/Access and GET

    Keep in mind that keywords are not case sensitive. 
  3. You can select a pre-configured time range from the drop-down menu, enter a relative time range such as -1d to -12h, or enter an absolute time range, such as 3/08/2017 11:00 AM to 3/08/2017 11:00 PM. For our purposes, let's select Last 60 Minutes from the drop-down menu.

  4. Click Start to execute the search and display results. In the Messages tab, notice that the keyword GET is highlighted in each message, and the number of messages found is displayed.


Parse the messages

Parsing makes search results much easier to scan and interpret. Let’s parse the log messages for the information that follows the GET and build a new query. We’ll parse for URL, status code, size, and referrer. (Your first search result may not be exactly the same, but that's OK.)

  1. In the first result message, select GET and everything after that, including the URL, the status code, the size, and the referrer. From the menu that appears, select Parse the selected text. The Parse Text dialog opens. This is where you can select text to be parsed and replaced by fields. The fields are added to the search box to build your search query.
  2. Highlight the URL and select Click to extract this value.
  3. In the Fields box, enter URL and a comma to separate the values.
  4. Next, highlight the status code 200 and select Click to extract this value.
  5. In the Fields box, add status_code and a comma. Following the naming convention for fields, join multi-word names with an underscore.
  6. Next, highlight the file size and select Click to extract this value.
  7. In the Fields box, enter size and a comma.
  8. Finally, highlight the referring URL, but not the quotation marks that surround it. Select Click to extract this value.
  9. In the Fields box, add referrer, and click Submit.
    The parse statement has been added to our query. You could have typed it into the search box yourself, but the Parse Text dialog is an easy way to build a query without having to remember the syntax. So now our query is:
    _sourceCategory=Labs/Apache/Access and GET
    | parse "\"GET * HTTP/1.1\" * * \"*\" " as url,status_code,size,referrer
    Everything in the anchor except the * wildcards is matched literally, so this statement only extracts fields from GET requests whose request line ends in HTTP/1.1. Messages that don’t match a parse anchor are dropped from the results unless you add the nodrop option to the parse statement, so check that the pattern is as wide as you need before you build alerts or dashboards on it.

  10. Click Start to run the query.
  11. In the Messages pane, notice that the fields you parsed are now extracted from the raw messages as separate columns: referrer, size, status_code, and url. The full Message text is still available as well.
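To make the wildcard anchor concrete, here is an added example (not code from the tutorial or from Sumo Logic) that applies the same parse pattern to a few constructed Apache access log lines in Python. The translation of the anchor into a regular expression (each * becomes a lazy capture group) is an approximation of the parse operator written for this example, and the wider anchor WIDE_ANCHOR with its method and version fields is my own addition; the sample log lines are made up.

```python
import re

# Constructed sample lines in Apache combined log format (not taken from the
# tutorial's Labs/Apache/Access source; addresses, paths and sizes are made up).
SAMPLE_LOGS = [
    '10.0.0.5 - - [08/Mar/2017:11:02:13 +0000] "GET /index.html HTTP/1.1" 200 4523 "https://example.com/" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Mar/2017:11:02:15 +0000] "GET /admin/login HTTP/1.1" 403 312 "-" "curl/7.64.1"',
    '10.0.0.7 - - [08/Mar/2017:11:02:18 +0000] "POST /api/upload HTTP/1.1" 201 18 "https://example.com/app" "Mozilla/5.0"',
    '10.0.0.3 - - [08/Mar/2017:11:02:20 +0000] "GET /index.html HTTP/1.0" 200 4523 "-" "Wget/1.20"',
]

# The anchor from the tutorial's query with the backslash escapes resolved:
#   parse "\"GET * HTTP/1.1\" * * \"*\" " as url,status_code,size,referrer
TUTORIAL_ANCHOR = '"GET * HTTP/1.1" * * "*" '
TUTORIAL_FIELDS = ["url", "status_code", "size", "referrer"]

# A wider anchor (an assumption made for this example) that also captures the
# request method and protocol version, so HTTP/1.0 and non-GET requests match.
WIDE_ANCHOR = '"* * HTTP/*" * * "*" '
WIDE_FIELDS = ["method", "url", "version", "status_code", "size", "referrer"]


def anchor_to_regex(anchor: str) -> re.Pattern:
    """Turn a parse anchor into a regex: literal text is escaped and each '*'
    becomes a lazy capture group. This mimics the wildcard behaviour for the
    purposes of the example; it is not Sumo Logic's implementation."""
    literal_parts = [re.escape(part) for part in anchor.split("*")]
    return re.compile("(.*?)".join(literal_parts))


def parse_messages(lines, anchor, fields, nodrop=False):
    """Apply the anchor to each line. Matching lines yield a record holding the
    named fields plus the raw message. Non-matching lines are dropped, as the
    parse operator does by default, unless nodrop=True, in which case they are
    kept with every parsed field set to None."""
    pattern = anchor_to_regex(anchor)
    records = []
    for line in lines:
        match = pattern.search(line)
        if match:
            records.append({"_raw": line, **dict(zip(fields, match.groups()))})
        elif nodrop:
            records.append({"_raw": line, **{name: None for name in fields}})
    return records


def count_by(records, field):
    """Group parsed records by one field, the way a count by <field> stage would."""
    counts = {}
    for record in records:
        counts[record[field]] = counts.get(record[field], 0) + 1
    return counts


if __name__ == "__main__":
    narrow = parse_messages(SAMPLE_LOGS, TUTORIAL_ANCHOR, TUTORIAL_FIELDS)
    wide = parse_messages(SAMPLE_LOGS, WIDE_ANCHOR, WIDE_FIELDS)
    print(f"tutorial anchor kept {len(narrow)} of {len(SAMPLE_LOGS)} messages")
    print(f"wide anchor kept {len(wide)} of {len(SAMPLE_LOGS)} messages")
    print("status codes (wide anchor):", count_by(wide, "status_code"))
```

Run against the four sample lines, the tutorial's anchor keeps only the two HTTP/1.1 GET requests; the POST and the HTTP/1.0 GET from Wget are silently dropped, which is exactly the kind of gap that matters if the saved search later feeds a detection. Passing nodrop=True keeps all four with empty fields so you can see what failed to parse, and the wider anchor extracts fields from all four.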

Save the search

Before going any further, let’s save the search so you can easily return to it later.

  1. Click Save As.
  2. Enter a name for your search. We entered Apache Status Codes. The description is optional. Notice that the query and time range are filled in automatically. You can change either of them when saving the search if you want to.
  3. By default, the saved search is added to your Personal folder. You can select one of the subfolders that’s listed, or click + to add a new subfolder.
  4. Click Save to save your search and add it to the library. Notice that the name is also shown on the top tab bar.


Summary

Pat yourself on the back! You’ve completed these tasks in Part 2 of the Quick Start user tutorial:

  1. Created a search query.

  2. Parsed the messages so they’re easier to scan and interpret.

  3. Saved your search.

Now on to Part 3 of the tutorial, where we’ll add to your query, chart some results, and create a dashboard.