Infrequent Tier Support for Scheduled Searches
This Beta is now closed.
Previously, scheduled searches were only supported in Sumo Logic’s Continuous data tier. Now, you can also schedule searches that run against the Infrequent tier.
This means you can now include data from the Infrequent Tier in the scope of the scheduled search.
For example, you can use
_dataTier=Infrequent in your query scope:
_dataTier=Infrequent _sourceCategory=appA "error"
Or, you can select data in the Infrequent tier by specifying the Partition that contains it, like this:
_index=some_infrequent_index OR _index=some_continuous_index
Note that if you choose Save to Index as the Alert Type for a Scheduled Search, if any of the data that is scanned for the search is in the Infrequent tier, the index will be saved to the Infrequent Tier.
- You can’t save a scheduled search that returns data from the Infrequent tier to a partition in the Continuous tier.
- A scheduled search against the Infrequent tier cannot have a run frequency of “real time”.
Infrequent Scheduled Search Dashboard
Sumo Logic provides a dashboard you can use to monitor the Infrequent tier space consumed by saved Scheduled Searches.
The dashboard presents the following information for the currently selected time range:
- Total Data Scanned. The volume of data scanned for scheduled searches.
- Average Data Scanned. The average volume of data scanned per scheduled search.
- Total Scheduled Searches Run. The number of scheduled searches run.
- Overall User Count. The number of users that ran scheduled searches.
- Data Scanned by Users. The volume of data scanned by each user that ran scheduled searches.
- Data Scanned by Query. The volume of data scanned for each scheduled search that was run.
- Trend - Data Scanned by Users. A timeline that shows when each user ran a scheduled search and the volume of data scanned for each.
- Trend - Data Scanned by Query. A timeline that shows when each scheduled search was run, and the volume of data scanned for each.
- Scheduled Search by Status. A breakdown by status—Finished, Cancelled, or Failed—of the schedule searches that were run.
- Top 10 Failed Scheduled Search Queries. The queries are ordered by most recent failed date.
You can download the JSON for the dashboard here. For information about importing dashboards and other content see Import Content in the Library.