
Run a Search Against a Partition

Running a search against the data in a partition is almost exactly the same as running any other query. The difference you'll notice is the speed at which results are returned, especially if you're searching over a large amount of data.

Search a partition from a log search tab

To search a particular partition, specify the _index metadata field with the name of the partition in the keyword search expression (also called the scope) of your query. For example, if your partition is named Compliant, you would add this to the scope of your query: _index=Compliant.

Note: You can only use _index in the keyword search expression that scopes the search, in other words, before the first pipe (|) in the search.

Search the default partition

Data that you ingest that is not directed to a partition will go to the default partition, named sumologic_default. The default partition is the first partition listed on the Partitions page. To run a search against the default partition, include this in the scope of your search:

_index=sumologic_default

Index aliasing

With index aliasing, you can use an alias to point to one or more system indexes such as sumologic_default in the source expression of your search query. Both the operator part of your query and its results will show the actual index names, not the alias.

In addition to sumologic_default, we have several other Sumo Logic-defined system indexes. As a shortcut, rather than typing the sumologic_ prefix when referencing system indexes in a search, you can alias these indexes by typing an underscore at the beginning. For example, _index=sumologic_default and _index=_default will return the same results.

Leading Underscore Reserved for System Index Alias in User-Created Indexes

When creating your own indexes (user-created, non-system indexes), you cannot lead with an underscore (_). This is reserved only for system indexes.

If your search query scans both your own indexes and Sumo Logic indexes starting with an underscore (_), you'll only see your own indexes in the results. System indexes would be ignored, and you'd see a warning stating: System indexes with alias names have been excluded from the results of the query.

Using index aliases

Here are some examples where index aliasing is used in wildcard queries.

  • _index=*volume* — references all types of indexes (system indexes as well as user-created) that match the wildcard.
  • _index=_vol* — references system indexes such as sumologic_volume.
  • _index=_* — shows all Sumo Logic-defined system indexes in the search results.
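The rules above (the _index term belongs in the scope before the first pipe, a leading underscore is an alias for the sumologic_ prefix and is reserved for system indexes, wildcards match system and user-created indexes alike, and system aliases are dropped with a warning when the same query also scans your own indexes) can be modelled in a few lines. The following Python is an added illustration and is not Sumo Logic code: the index catalogue is constructed, and the exact matching semantics (glob patterns, case-insensitive names, how mixed alias/user-index queries are resolved) are assumptions that go slightly beyond what the page states.

```python
import fnmatch
import re

SYSTEM_PREFIX = "sumologic_"

# Constructed sample catalogue, not a real account: Sumo Logic-defined system
# indexes plus user-created partitions such as the "Compliant" partition above.
SYSTEM_INDEXES = ["sumologic_default", "sumologic_volume", "sumologic_audit"]
USER_INDEXES = ["Compliant", "prod_volume", "web_logs"]

# Warning text quoted from the documentation.
EXCLUSION_WARNING = ("System indexes with alias names have been excluded "
                     "from the results of the query.")


def validate_user_index_name(name):
    """A user-created partition name may not start with '_' (reserved for aliases)."""
    if name.startswith("_"):
        raise ValueError(f"{name!r}: a leading underscore is reserved for system index aliases")
    return name


def index_terms(query):
    """Return the _index=<pattern> terms found in the scope of a query.

    The scope is everything before the first pipe. An _index term after the
    pipe is rejected, because _index is only honoured in the scope.
    """
    scope, _, operators = query.partition("|")
    if re.search(r"_index=", operators):
        raise ValueError("_index may only appear in the scope (before the first '|')")
    return re.findall(r"_index=(\S+)", scope)


def expand_alias(pattern):
    """Rewrite a leading-underscore alias to the real prefix: _default -> sumologic_default."""
    return SYSTEM_PREFIX + pattern[1:] if pattern.startswith("_") else pattern


def resolve_indexes(query):
    """Return (sorted list of indexes the query scans, warnings).

    Assumption (modelled, not quoted from the docs): every _index term is a
    glob matched case-insensitively against the catalogue; if an alias term
    is combined with a term that matches a user-created index, the
    alias-matched system indexes are dropped and the documented warning is
    returned instead.
    """
    alias_hits, plain_hits = set(), set()
    for pattern in index_terms(query):
        expanded = expand_alias(pattern).lower()
        hits = {name for name in SYSTEM_INDEXES + USER_INDEXES
                if fnmatch.fnmatchcase(name.lower(), expanded)}
        (alias_hits if pattern.startswith("_") else plain_hits).update(hits)

    warnings = []
    searched = set(plain_hits)
    if alias_hits and any(name in USER_INDEXES for name in plain_hits):
        warnings.append(EXCLUSION_WARNING)  # system aliases excluded, user indexes kept
    else:
        searched |= alias_hits
    return sorted(searched), warnings


if __name__ == "__main__":
    for q in ["_index=Compliant | count by _sourceCategory",
              "_index=_default error",
              "_index=*volume*",
              "_index=_vol*",
              "_index=_*",
              "_index=_default _index=Compliant"]:
        print(f"{q!r:45} -> {resolve_indexes(q)}")
```

Running the script prints, for each scope, which catalogue entries it would search and whether the exclusion warning applies; `index_terms` raising on `error | where _index=_default` is the pipe rule from the note above.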

Run a search against a partition from the Partitions page

  1. Go to Manage Data > Logs > Partitions.
  2. Do one of the following:
    • Click the Search Icon to the right of the partition name. This launches a search on just the data indexed in the partition.
    • Select a partition from the table and click the Search Icon to the right of the routing expression. This launches a search that runs the expression against the partition, as well as any other logs that match the query. This means that you can capture search results on all data, not just the data indexed in the partition.

Searching partitions

  • If you have the Data Tiers feature, see Searching Data Tiers for information about how to search partitions by Data Tier.

  • If you have the Flex feature, see Searching Flex for information about how to search partitions.

Why did I get a message to run a search against a partition?

After starting a search that would return faster results if the query were run against a partition, you’ll see a message appear under the search bar that includes a link to the recommended, optimized search.

When the link opens the optimized search in a new search tab, run the search by pressing the Enter/Return key or by clicking Start on the Search page. By default, the optimized search uses the same time range as your original search.


Copyright © 2024 by Sumo Logic, Inc.