Search for Log Data
In Part 1 of the tutorial you learned how to view data that's been shared by someone in your organization or already included in a Sumo Logic app. In this part, we'll show you how to use the Search page to search for and parse log data, and then save the search so you can return to it later.
Create a query
From Part 1 of the tutorial you know that you have access to Apache Access data. Let’s search for log messages within that source category that include the keyword GET.
- If the Search page isn't already open, open a new tab from the top tab bar and select Log Search.
- In the query area, enter:
_sourceCategory=Apache/Access and GET
Keep in mind that keywords are case insensitive. You can also select keywords from the auto-complete menu that appears as you type.
- You can select a pre-configured time range from the drop-down menu, enter a relative time range such as -1d to -12h, or enter an absolute time range, such as 3/08/2017 11:00 AM to 3/08/2017 11:00 PM. For our purposes, let's select Last 60 Minutes from the drop-down menu.
- Click Start to execute the search and display results. In the Messages tab, notice that the keyword GET is highlighted in each message, and the number of messages found is displayed.
Parse the messages
Parsing makes search results much easier to scan and interpret. Let’s parse the log messages for the information that follows the GET and build a new query. We’ll parse for URL, status code, size, and referrer. (Your first search result may not be exactly the same, but that's OK.)
- In the first result message, select GET and everything after that, including the URL, the status code, the size, and the referrer. From the menu that appears, select Parse the selected text. The Parse Text dialog opens. This is where you can select text to be parsed and replaced by fields. The fields are added to the search box to build your search query.
- Highlight the URL and select Click to extract this value.
- In the Fields box, enter URL and a comma to separate the values.
- Next, highlight the status code 304 and select Click to extract this value.
- In the Fields box, add status_code and a comma. Following best practices for naming, use an underscore to connect the words to name the field.
- Next, highlight the file size and select Click to extract this value.
- In the Fields box, enter size and a comma.
- Finally, highlight the referring URL, but not the quotation marks that surround it. Select Click to extract this value.
- In the Fields box, add referrer, and click Submit.
The parsing information has been added to our query. You could have typed into the search box yourself, but using the Parse Text dialog is an easy way to build a query without having to remember the syntax. So now our query is:
_sourceCategory=Apache/Access and GET
| parse "\"GET * HTTP/1.1\" * * \"*\" " as url,status_code,size,referrer
- Click Start to run the query.
- In the Messages pane, notice that the fields you parsed are now extracted from the raw messages: referrer, size, status_code, and url. The raw message text is still shown as well. Keep in mind that the parse operator drops any message that doesn't match the pattern: POST requests, and GET requests sent over a protocol version other than HTTP/1.1, will no longer appear in the results. If you want those messages kept (with the parsed fields left empty), append the nodrop keyword to the parse expression.
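To make the parse step concrete outside the UI, here is an added example (not part of the tutorial and not Sumo Logic's own code) that emulates the parse anchor over a few constructed Apache access-log lines. It converts the anchor from the query above into a regular expression, treating each * as a non-greedy wildcard (an assumption about how the operator matches), and shows which messages the default drop behaviour discards versus what nodrop keeps. It also tries a second, hypothetical anchor that wildcards the HTTP version, which is what you would want if you were using this search to spot scanners that send HTTP/1.0 requests.

```python
"""Emulate the Sumo Logic parse anchor from the tutorial over sample log lines.

Added example, not from the tutorial or Sumo Logic. Non-greedy wildcard
matching is an assumption about the parse operator, not documented behaviour.
"""
import re

# Constructed sample messages in Apache combined log format (not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [08/Mar/2017:11:02:13 +0000] "GET /index.html HTTP/1.1" 304 0 "http://example.com/" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Mar/2017:11:02:44 +0000] "GET /images/logo.png HTTP/1.1" 200 5432 "http://example.com/index.html" "Mozilla/5.0"',
    '10.0.0.7 - - [08/Mar/2017:11:03:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.58"',
    '10.0.0.3 - - [08/Mar/2017:11:03:30 +0000] "GET /admin HTTP/1.0" 403 199 "-" "python-requests/2.18"',
]

# The anchor exactly as it appears in the tutorial's query (quotes unescaped),
# and the field names it assigns, in order.
ANCHOR = '"GET * HTTP/1.1" * * "*" '
FIELDS = ["url", "status_code", "size", "referrer"]

# Hypothetical variant (our own, not from the tutorial) that also captures the
# protocol version so HTTP/1.0 and HTTP/2 requests are not silently dropped.
ANCHOR_ANY_VERSION = '"GET * HTTP/*" * * "*" '
FIELDS_ANY_VERSION = ["url", "http_version", "status_code", "size", "referrer"]


def anchor_to_regex(anchor: str) -> re.Pattern:
    """Turn a parse anchor into a regex.

    Every literal run is escaped and each * becomes a non-greedy (.*?)
    capture group, so the first occurrence of the anchor in a message wins.
    """
    literal_parts = [re.escape(part) for part in anchor.split("*")]
    return re.compile("(.*?)".join(literal_parts))


def parse(messages, anchor, fields, nodrop=False):
    """Apply the anchor to each message and return one dict per kept message.

    Messages that do not match are discarded, mirroring the parse operator's
    default. With nodrop=True they are kept and every field is set to None,
    which is how you notice that a pattern is quietly excluding traffic.
    """
    pattern = anchor_to_regex(anchor)
    rows = []
    for message in messages:
        match = pattern.search(message)
        if match:
            rows.append(dict(zip(fields, match.groups())))
        elif nodrop:
            rows.append({field: None for field in fields})
    return rows


if __name__ == "__main__":
    print("default (non-matching messages dropped):")
    for row in parse(SAMPLE_LOGS, ANCHOR, FIELDS):
        print("  ", row)
    print("nodrop (non-matching messages kept with empty fields):")
    for row in parse(SAMPLE_LOGS, ANCHOR, FIELDS, nodrop=True):
        print("  ", row)
    print("wildcarded HTTP version (HTTP/1.0 request now parsed):")
    for row in parse(SAMPLE_LOGS, ANCHOR_ANY_VERSION, FIELDS_ANY_VERSION):
        print("  ", row)
```

Running it shows that the tutorial's anchor keeps only the two HTTP/1.1 GET requests; the POST and the HTTP/1.0 GET vanish without any indication unless nodrop is used, and the wildcarded anchor recovers the HTTP/1.0 request with its 403 status intact.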
Save the search
Before going any further, let’s save the search so you can easily return to it later.
- Click Save As.
- Enter a name for your search. We entered Apache Status Codes. The description is optional. Notice that the query and time range are filled in automatically. You can change either of them when saving the search if you want to.
- By default, the saved search is added to your Personal folder. You can select one of the subfolders that’s listed, or click + to add a new subfolder.
- Click Save to save your search and add it to the library. Notice that the name is also shown on the top tab bar.
Pat yourself on the back! You've completed these tasks in Part 2 of the Quick Start user tutorial:
Created a search query.
Parsed the messages so they're easier to scan and interpret.
Saved your search.
Now on to Part 3 of the tutorial, where we’ll add to your query, chart some results, and create a dashboard.