The glossary provides definitions for technical terms used in Sumo Logic.
- Absolute expressions
Used in time range expressions, when setting the specific time limits of a search. For example, 04/01, 04/01/14 20:32:00 to 04/01/14 20:35:00, or 04/01/2014 04/02/2014.
A group of data returned by a search, displayed in a simple table in the Aggregates tab of the Search page.
- Amazon S3 Audit Source
Amazon Simple Storage Service (Amazon S3) provides secure and scalable object storage. Sumo Logic's Amazon S3 Audit Source allows data stored in an Amazon S3 bucket to be uploaded into Sumo Logic from a Hosted Collector.
- Anomaly Detection
The Anomaly Detection feature of Sumo Logic uses machine learning and logic to detect abnormalities in your environment while examining logs as they are ingested into Sumo Logic. Once Anomaly Detection has sufficient knowledge about the baseline behavior of your logs, abnormal deviations from the baseline are detected, then displayed in the Anomalies page of the Sumo Logic Web Application as Events, which is an indicator that Anomaly Detection has noticed activity that warrants additional attention. Anomaly Detection is available only to customers with Enterprise accounts.
Sumo Logic Apps (short for applications) deliver out-of-the box Dashboards, reports, saved searches, and field extraction for popular data Sources, such as AWS, Windows, Apache, and many more. When a customer installs an app in Sumo Logic, preconfigured searches and Dashboards are customized with the customer's Source configurations and populated in a folder. Customers then can monitor their system's behavior visually using the Dashboards.
On the Search page of the Sumo Logic user interface, the search autocomplete drop-down dialog offers suggestions to make query writing easier. Suggestions include simple logic that offer common default queries, keywords, metadata terms, and search operators. The autocomplete dialog also includes links to Help topics for more information.
The Sumo Logic Cloud is a secure, scalable repository for all of your operations, security, compliance, development, and other log data. The Sumo Logic Cloud stores, indexes, parses, and analyzes data, and provides unlimited horsepower with elastic scalability.
Sumo Logic Collectors are lightweight applications that allow you to connect your environment to Sumo Logic in order to collect message data. There are two types of Collectors. Installed Collectors are configured on machines in your deployment for Sources such as Local File, Remote File, Syslog, Local Windows Event Logs, Remote Windows Event Logs, and Script. Hosted Collectors require no installation, and are used to configure with Amazon S3 Sources or HTTP Sources.
Dashboards contain a collection of real time Panels that provide a graphical representation of your organization's data. Panels are created by running search queries. From the resulting data in the Search page's Aggregates tab, you can display that data using different types of charts. Once Panels are created, they are saved to a Dashboard.
- Dashboard Theme
In Dashboards, you can toggle the background color scheme from Light to Dark.
- Data Forwarding
When enabled, the Data Forwarding feature allows Sumo Logic to upload data to an Amazon S3 bucket that belongs to your organization. Log messages are saved as CSV files in compressed gzip files. They are accumulated and returned right after being ingested by Sumo Logic.
- Data Panel
Formerly Monitors. Panels provide a graphical representation of your organization's data. Data Panels are created by running search queries. From the resulting data in the Search page's Aggregates tab, you can display that data using different types of charts. Once Panels are created, they are saved to a Dashboard. See also, Text Panel.
- Data Type
A Data Type is a specific type of log used with a Sumo Logic Source or App, such as Apache, MySQL, or Windows IIS. You can also use a custom Data Type for a custom application.
- Data Volume Index
The Data Volume Index automatically provides data that allows you to understand your account’s data ingest volume in bytes and number of log messages processed overall. The Data Volume Index gives you better visibility into how much data you are sending to Sumo Logic, allowing you to proactively manage your systems’ behavior and to fine tune your data ingest with respect to the data plan for your Sumo Logic subscription.
Sumo Logic has several pods that are assigned depending on the geographic location and the date an account is created. Sumo Logic redirects you browser to the correct log in URL, and also redirects Collectors to the correct endpoint. However, if you're using an API you'll need to manually direct the API to the correct API; API calls are not redirected to another endpoint.
- Exclude rule
Exclude rules are used to remove messages that you don't want to send to Sumo Logic at all (think of it as a "black list" filter). These expressions will be skipped.
The Favorites tab displays searches and Dashboards that you refer to frequently, or content that you want to keep handy. In the Library, on the Personal and Org tabs, you can "favorite" content to make it appear on the Favorites tab. Just click the star icon for your saved search, Dashboard, installed app, or folder, and it will be saved to the Favorites tab for easy access. You can also favorite saved searches from the Search page, and favorite Dashboards from the Dashboards page.
- Field Extraction
Field Extraction allows you to set up rules that parse out fields as log messages are ingested. This means that instead of running a query to parse out fields, that work is done automatically—when it's time to run a search the fields are parsed and ready to return results. Instead of typing parse commands over and over again, you'll just search against a rule and fields are almost immediately returned.
- Geo lookup
Sumo Logic can match an extracted IP address to it's geographical location on a map. To create the map, after parsing the IP addresses from log files, the lookup operator matches extracted IP addresses to the physical location where the addresses originated. Finally, geolocation fields are used by the Google Maps API to add the IPs to a map.
Group-by functions include count, count_distinct, sum, avg, stddev, max, min, last, and first. You can use "group" or "by" instead of "group by", so "count (*) group by user" is equivalent to "count by user". All group-by functions create a corresponding field preceded by an underscore, for example, _count.
- Hash rules
Hash rules replace a message with a unique, randomly-generated code to protect sensitive or proprietary information. You may want to hash unique identifiers, such as credit card numbers or user names. By hashing this type of data, you can still track it, even though it's fully hidden.
- Hosted Collectors
Hosted Collectors don't require installation or activation, nor do Hosted Collectors have physical requirements, since they're hosted in
- HTTP Source
An endpoint for receiving a file (or a batch of files) uploaded via a unique URL generated for the Source. The URL securely encodes the Collector and Source information. You can add as many HTTP Sources as you'd like to a single Hosted Collector.
- If operator
A ternary operator used to evaluate a condition as either true or false, with values assigned for each outcome. It is a shorthand way to express an if-else condition.
- Include rule
Include rules are used to send only the data you'd like in your Sumo Logic account (a "whitelist" filter). This type of filter can be very useful when the list of log data you want to send to Sumo Logic is easier to filter than setting up exclude filters for all of the types of messages you'd like to exclude.
- Installed Collector
Installed Collectors are deployed in your environment, either on a local machine, a machine in your organization, or even an Amazon Machine Image (AMI). Installed Collectors require a software download and installation. Upgrades to Collector software are released regularly by Sumo Logic.
The Library provides a central location for shared and saved content in your Sumo Logic account, as well as content shared by others in your organization. In addition to shared and saved searches, Dashboards can be saved and shared in the Library. (The Sumo Logic Library was formerly called the Content Library. Now it is just the Library.)
- Limit operator
Use the Limit operator to reduce the number of messages or aggregated results returned.
- Local File Source
To collect log messages from the same machine where a Collector is installed, create a Local File Source.
- Local Windows Event Log Source
Collects local events you would normally see in the Windows Event Viewer.
- Local Windows Performance Monitor Log Source
Collects performance data you would normally see in the Windows Performance Monitor.
LogCompare allows you to compare a section of your log messages from one point in time with the same section at another point in time, and display the changes in patterns.
When you've already run a search query with non-aggregate results, you can use the LogReduce button in the Messages tab to automatically apply the Summarize operator to the current results.
Used in Dashboards, you can add Text Panels to include titles or text descriptions. Use Markdown syntax to add bold or italic formatting, bullet lists, code font, and other formatting. See Help for details.
- Mask rule
Mask rules replace an expression with a mask string that you can customize—another option to protect data, such as passwords, that you wouldn't normally track.
- Messages tab
When you run a search query, messages display in the Message tab in the lower half of the browser window of the Search page.
(Obsolete.) Dashboard Monitors are now called Panels.
Log messages that span multiple lines are called multiline messages.
Formerly Monitors. Real-time Panels provide a graphical representation of your organization's data. Data Panels are created by running search queries. From the resulting data in the Search page's Aggregates tab, you can display that data using different types of charts. Once Panels are created, they are saved to a Dashboard.
- Parse operator
The parse operator (also called the parse anchor) parses strings according to specified start and stop anchors, and then labels them as fields for use in subsequent aggregation functions in the query such as sorting, grouping, or other functions. Parse options include "parse anchor" or "parse regex" for using regular expressions to form more complex parse queries. It is acceptable to use "parse" for "parse anchor", or "extract" for "parse regex".
Sumo Logic allows you to filter a subset of the messages in an Index into a Partition. Partitioning messages in an Index improves search query performance, as the total number of messages that need to be searched is reduced. Once messages are routed to a Partition, you can limit your search to those messages using the Partition name in a search query.
- Pinned searches
The Pinned Search feature allows you to start a search, then “pin” it, so it will continue running in the background independent of the browser session. Then, you can close the Search tab or log out and find your results later in the Library on the Recent tab in a folder named Pinned Searches.
Sumo Logic supports Role-Based Access Control (RBAC) to allow Administrators to customize system access. With RBAC, Administrators create roles for groups of users who perform various job functions. Users are not assigned permissions directly, but inherit permissions through roles (or even through a single role). Role assignments can grant users permissions to access some data sets, or can restrict users from accessing types of data.
- Relative expressions
Used in time range expressions, when setting the non-absolute time limits of a search. For example, -1d, -1d -12h, -12h -60m.
- Remote File Source
Supported using SSH (Secure Shell), for remote file collections, you can install the Sumo Logic Collector on a network host that has network connectivity to all the remote hosts from which you wish to collect logs.
- Remote Windows Events Log Source
Collects the unique formats of Windows Events using the Windows Management Instrumentation (WMI) interface.
- Remote Windows Performance Monitor Log Source
Collects the unique formats of Windows Performance Monitor using the Windows Management Instrumentation (WMI) interface.
Sumo Logic supports self-provisioning of Security Assertion Markup Language (SAML) to enable Single Sign-On (SSO). In addition to basic SAML configuration, you can choose optional on-demand user creation (via SAML 2.0 assertions), and designate custom log in and/or log out portals.
- Scheduled View
A Scheduled View is a pre-aggregated index of a subset of data. After building a Scheduled View, you'll be able to run queries against that data set. Because the data is pre-aggregated, meaning that query you'll use to create a Scheduled View contains an aggregate function, search results return much quicker. Additionally, queries run against a Scheduled View cannot time out. Queries that run against Views can be used in scheduled searches, Dashboards, and in ad hoc searches.
- Script Source
If you need to collect data that isn't stored in log files (like system performance metrics, database records, or perhaps data output from third-party monitoring solutions) you can use a Script Source that uses a script to fetch those custom sources of data. The script executes at defined intervals and then sends the data to Sumo Logic for analysis.
- Search Autocomplete
- Service Whitelist Settings
Service Whitelist Settings allow you to explicitly grant access to specific IP addresses and/or CIDR notations.
- Single Value Chart
A Single Value chart is useful for displaying the results of a query that returns only a single value or record, in order to make that value stand out at a glance. If the query returns more than one value in the Aggregation tab, only the first value is displayed in the Single Value chart.
- Sort operator
The Sort operator orders aggregate search results.
Sources are the environments that Sumo Logic Collectors connect to to collect data from a customer's site.
- Summarize operator
Summarize is now called the LogReduce operator.
- Support Account
Administrators can decide to enable a Sumo Logic support account, which grants very select Sumo Logicsupport agents access to your organization's account, better helping those agents to resolve issues that arise. Admins can choose to keep the Support Account enabled full-time, or the account can be disabled when no issues are being investigating.
- Syslog Source
Operates like a syslog server listening on the designated port to receive syslog messages.
- Text Panels
Used in Dashboards, you can add Text Panels to include titles or text descriptions. See also Markdown.
- Timeslice operator
Timeslice segregates search results by fixed time period, or by any number of buckets over a time range.
- Transactionize operator
The transactionize operator groups logs that match on any fields you specify. Unlike other group by operators, where the logs in a group must match on all defined fields, transactionize just needs one field to match in order to assign logs to the same group.
- Use Receipt Time
This option, a check box under the Time Range field on the Search page, displays search results in reverse order of their receipt time, giving you the ability to view the difference in timestamp and receipt time to pinpoint Sources that may be generating incorrect timestamps.
- Web Application
The Sumo Logic product is officially called the Sumo Logic Web Application. The Sumo Logic Web Application allows customers to view and analyze your log data in the cloud, and provides access from anywhere since it is fully browser based.
- Where operator
A conditional operator that can precede or follow another operator. Example combinations include "where x matches y", "where x in (a, b, c)", "where x not in (a, b, c)" and "where a > 1 and b / 4 < sqrt(x)".