Skip to main content

Partitions

Creating a partition enhances search performance by narrowing down the search scope to a smaller subset of messages. Use the Partitions page to set up and manage partitions. To access the Partitions page, go to Manage Data > Logs > Partitions.

A partition stores your data in an index separate from the rest of your account's data so you can optimize searchesmanage variable retention, and specify certain data to forward to S3.

note

Data stored in a partition is not stored anywhere else. 

About Partitions

Partitions route your data to an index becoming a separate subset of data in your account. Creating smaller and separate subsets of data is central to search optimization. When you run a search against an index, results are returned more quickly and efficiently because the search runs against a smaller data set.

After routing messages to a partition, you can reference it in your search by using the field _index with the partition's name. See Optimizing Search with Partitions for details.

Partitions ingest your messages in real time. They differ from scheduled views in that partitions don’t backfill with aggregate data. They begin building a non-aggregate index from the time the partition is created and index only the data moving forward. Scheduled views backfill with aggregate data, meaning that all data that extends back to the start date of the view query is added to the view.

You define the data that will reside in a partition by defining a routing expression, which is similar to a log query, but with certain restrictions in terms of the operators you can include. Each partition's routing expression is applied to all messages as they are ingested to Sumo Logic. If a message matches the partition’s routing expression, it is added to the partition.

Micro Lesson: Partitions Basics

Limitations 

  • There is a limit of 50 partitions per account. (This excludes decommissioned partitions.)
  • Partitions cannot be deleted, although you can decommission them. This is because a partition may include log messages that aren’t stored anywhere else, so if it’s deleted, messages will be lost. If you no longer need a partition, you can decommission it.
  • Partition names cannot start with sumologic_ or an underscore _.
  • Partition routing rule length cannot exceed 2048 characters.

Guides

In this section, we'll introduce the following concepts:

icon

Search a Partition

Learn how to run a search against data in a Partition.

icon

Edit Data Forwarding Destinations for a Partition

Learn how to specify Data Forwarding settings for a Partition.

icon

Manage Indexes with Variable Rentention

Learn how to create Index Partitions and Scheduled Views to store your data.

icon

Decommission a Partition

Learn how to decommission a Partition to keep it from being started.

Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.